Hermes 2.1 Ransomware
Posted: November 6, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
Threat Level: | 10/10 |
---|---|
Infected PCs: | 89 |
First Seen: | February 15, 2017 |
---|---|
Last Seen: | June 17, 2020 |
OS(es) Affected: | Windows |
The Hermes 2.1 Ransomware is a recent release of the Hermes Ransomware, a file-locking Trojan that holds your PC's media hostage for profit. While the Hermes 2.1 Ransomware's payload has some minor reconfiguring in its encryption method, it continues being able to block files arbitrarily and indefinitely, along with erasing any local backups the user might possess. You always can uninstall the Hermes 2.1 Ransomware safely with anti-malware products, although your private data may be irrecoverable.
A Greek God Gets an Update to Divine Judgment
While free decryption solutions for the old Hermes Ransomware remain theoretical, its threat actors are updating the Trojan regardless, possibly to boost their detection avoidance with AV products. The newer version of the Trojan self-identifies as being the Hermes 2.1 Ransomware, with a slight change to how it identifies and blocks victimized files. Extra traits that the Hermes 2.1 Ransomware still shares with its predecessor include its Web page-based ransoming instructions and attacks that could cause additional data loss.
The Hermes 2.1 Ransomware doesn't insert markers into the internal data of the files it locks, although it retains full data-enciphering capabilities, through a combination of default Windows functions and an RSA algorithm. The attack keeps the content that the Hermes 2.1 Ransomware damages from being readable, and, in the meantime, victims can confirm which files are affected with their '.HRM' extensions (which is a change from the previous '.HERMES' one). A related BAT file of the Trojan also issues instructions to Windows to delete Shadow Copy-based backups silently, along with the contents of different recovery folders (including 'Backup,' 'backup,' 'bak,' and 'VHD').
Once the Hermes 2.1 Ransomware held your media hostage and removed any local recovery methods, the Hermes 2.1 Ransomware creates an HTML page. Right now, this page shows only the threat actor's BitMessage-based communication preferences and a short warning message stating their preference for Bitcoin. Since RSA is challenging to decrypt frequently, malware researchers warn that alternate options for unlocking any encoded media may not be available necessarily.
Playing Interception for a Messenger-God's Misconducts
While the Hermes 2.1 Ransomware's ransom note is terser than those of some campaigns, it accomplishes the goal of providing hands-on communications to accompany its leverage effectively, through which a cybercrook could accept money without giving any files back to the user. The Hermes 2.1 Ransomware does offer 'trial' unlocking options that the victims may use for a small amount of media, but, for most victims, backing up their content beyond the Hermes 2.1 Ransomware's reach is the most practical recovery method. Detached, portable hard drives and cloud storage networks with protected logins both may compensate for this Trojan's capacity for deleting data.
The Hermes 2.1 Ransomware and the previous Hermes Ransomware both have an absence of personal, self-distributing features, but may distribute themselves with other threats' help. Examples of exploits that malware experts often find in reuse include e-mail attachments that install Trojans once their contents are enabled, exploit kits that take advantage of your Web browser's security vulnerabilities and erroneously-named piracy downloads. Professional anti-malware products, while not able to unlock your files directly, can protect them by removing the Hermes 2.1 Ransomware on sight.
The Hermes 2.1 Ransomware isn't the most important name in the field of threatening software, but its updates are a sampling of how its threat actors are far from done with their attacks. When little more than a simple Windows feature like 'CryptGenRandom' is a danger to your media, there's no adequate excuse for assuming it always will be safe.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:name.exe
File name: name.exeSize: 543.19 KB (543195 bytes)
MD5: 6bbff3614efa6329bb43b2b0a6be8b9c
Detection count: 49
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%SYSTEMDRIVE%\Users\<username>\AppData\Local\Temp\svchosta.exe
File name: svchosta.exeSize: 52.22 KB (52224 bytes)
MD5: af93204bc5fa9b99c9b9b9012be9bb1b
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\Temp\svchosta.exe
Group: Malware file
Last Updated: June 26, 2020
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.