Home Malware Programs Ransomware Hermes 2.1 Ransomware

Hermes 2.1 Ransomware

Posted: November 6, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 89
First Seen: February 15, 2017
Last Seen: June 17, 2020
OS(es) Affected: Windows

The Hermes 2.1 Ransomware is a recent release of the Hermes Ransomware, a file-locking Trojan that holds your PC's media hostage for profit. While the Hermes 2.1 Ransomware's payload has some minor reconfiguring in its encryption method, it continues being able to block files arbitrarily and indefinitely, along with erasing any local backups the user might possess. You always can uninstall the Hermes 2.1 Ransomware safely with anti-malware products, although your private data may be irrecoverable.

A Greek God Gets an Update to Divine Judgment

While free decryption solutions for the old Hermes Ransomware remain theoretical, its threat actors are updating the Trojan regardless, possibly to boost their detection avoidance with AV products. The newer version of the Trojan self-identifies as being the Hermes 2.1 Ransomware, with a slight change to how it identifies and blocks victimized files. Extra traits that the Hermes 2.1 Ransomware still shares with its predecessor include its Web page-based ransoming instructions and attacks that could cause additional data loss.

The Hermes 2.1 Ransomware doesn't insert markers into the internal data of the files it locks, although it retains full data-enciphering capabilities, through a combination of default Windows functions and an RSA algorithm. The attack keeps the content that the Hermes 2.1 Ransomware damages from being readable, and, in the meantime, victims can confirm which files are affected with their '.HRM' extensions (which is a change from the previous '.HERMES' one). A related BAT file of the Trojan also issues instructions to Windows to delete Shadow Copy-based backups silently, along with the contents of different recovery folders (including 'Backup,' 'backup,' 'bak,' and 'VHD').

Once the Hermes 2.1 Ransomware held your media hostage and removed any local recovery methods, the Hermes 2.1 Ransomware creates an HTML page. Right now, this page shows only the threat actor's BitMessage-based communication preferences and a short warning message stating their preference for Bitcoin. Since RSA is challenging to decrypt frequently, malware researchers warn that alternate options for unlocking any encoded media may not be available necessarily.

Playing Interception for a Messenger-God's Misconducts

While the Hermes 2.1 Ransomware's ransom note is terser than those of some campaigns, it accomplishes the goal of providing hands-on communications to accompany its leverage effectively, through which a cybercrook could accept money without giving any files back to the user. The Hermes 2.1 Ransomware does offer 'trial' unlocking options that the victims may use for a small amount of media, but, for most victims, backing up their content beyond the Hermes 2.1 Ransomware's reach is the most practical recovery method. Detached, portable hard drives and cloud storage networks with protected logins both may compensate for this Trojan's capacity for deleting data.

The Hermes 2.1 Ransomware and the previous Hermes Ransomware both have an absence of personal, self-distributing features, but may distribute themselves with other threats' help. Examples of exploits that malware experts often find in reuse include e-mail attachments that install Trojans once their contents are enabled, exploit kits that take advantage of your Web browser's security vulnerabilities and erroneously-named piracy downloads. Professional anti-malware products, while not able to unlock your files directly, can protect them by removing the Hermes 2.1 Ransomware on sight.

The Hermes 2.1 Ransomware isn't the most important name in the field of threatening software, but its updates are a sampling of how its threat actors are far from done with their attacks. When little more than a simple Windows feature like 'CryptGenRandom' is a danger to your media, there's no adequate excuse for assuming it always will be safe.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



name.exe File name: name.exe
Size: 543.19 KB (543195 bytes)
MD5: 6bbff3614efa6329bb43b2b0a6be8b9c
Detection count: 49
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%SYSTEMDRIVE%\Users\<username>\AppData\Local\Temp\svchosta.exe File name: svchosta.exe
Size: 52.22 KB (52224 bytes)
MD5: af93204bc5fa9b99c9b9b9012be9bb1b
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\Temp\svchosta.exe
Group: Malware file
Last Updated: June 26, 2020
Loading...