Hermes Ransomware

Once infiltrated, Hermes encrypts files using RSA-2048 cryptography. This malware does not append extensions to the encrypted files. Following successful encryption, Hermes creates an HTML file containing a ransom-demand message (“DECRYPT_INFORMATION.html”), placing in each folder containing encrypted files. It also provides a UNIQUE_ID_DO_NOT_REMOVE file that victims are encouraged to attach to email messages when communicating with the cyber criminals responsible for this malware. When Hermes is executed, it will also use a User Account Control, or UAC, bypass called Eleven, or Elevation by environment variable expansion, to delete a victim’s Shadow Volume Copies and backup files.

eleven

Hermes uses a UAC bypass to execute a batch file called shade.bat. This batch file, shown below, will not only delete the computer’s shadow volumes, but will also delete backup images that may be present on the computer. It does this to prevent a victim from restoring encrypted files from a backup.

shade_bat

The backup images that are deleted are ones that match the following filenames:

*.VHD, *.bac, *.bak, *.wbcat, *.bkf, Backup*.*, backup*.*, *.set, *.win, *.dsk

When the Hermes Ransomware is executed, it will copy itself to C:\Users\Public\Reload.exe and execute itself. It will then launch a batch file called system_.bat, which is used to delete the original installer as shown below.

system__bat

Files associated with the Hermes Ransomware
C:\Eleven\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\
C:\Eleven\Microsoft\
C:\Eleven\Microsoft\Windows\
C:\Eleven\Microsoft\Windows\Caches\
C:\Eleven\Microsoft\Windows\Caches\cversions.2.db
C:\Eleven\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{73E271C2-E043-4985-A165-1B09233B848B}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{E0B113B6-B2EA-4F79-9F6D-C7F51DA96E93}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Start Menu
C:\Eleven\Microsoft\Windows\Start Menu\Programs
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
C:\Users\Public\Reload.exe
C:\Users\Public\shade.bat
C:\Users\Public\shade.vbs
C:\Users\Public\system_.bat
Registry entries associated with the Hermes Ransomware
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper C:\users\User\Desktop\DECRYPT_INFORMATION.html
Hashes:
SHA256: 059aab1a6ac0764ff8024c8be37981d0506337909664c7b3862fc056d8c405b0

Use Max Total Security to prevent damage to your files and save yourself from paying ranson to such Malware.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>