
Hermes666 Ransomware

Posted: August 14, 2019

The Hermes666 Ransomware is a file-locking Trojan that can stop digital media from opening by encrypting it. The payload also includes changing extensions, delivering ransom notes in TXT format, and, in some cases, erasing the Restore Points. Users should save their backups to locations inaccessible to Trojans and can always have their anti-malware solutions remove the Hermes666 Ransomware as necessary.

Flying on Fleet Feet for Your Files

The 2017 Hermes Ransomware already claimed the theme of the Greek messenger god, but, apparently, no one informed the threat actor using one of the latest versions of the Maoloa Ransomware family. This variant, the Hermes666 Ransomware, launches encryption-based attacks that sabotage data for long enough to collect a ransom. Its sample availability suggests a focus on Eastern European and Russian users, although malware analysts have yet to trace its infection methods.

The Hermes666 Ransomware uses RSA-secured SHACAL-2 encryption to stop files from opening. Data types that it targets can include most commonly-used media, like Word or PDF docs, BMP or JPG pictures, music, and others. The extension from its name, which it inserts into filenames as it blocks them, is the most identifying symptom of a Hermes666 Ransomware infection.
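A responder's first question after an infection is how far the encryption spread. The following triage script is an added example (not code from this page or from any analysis of the Trojan) that walks a directory tree, collects files carrying the appended extension, and groups them by folder and by original file type. It assumes the Trojan appends its own name as the new extension (".Hermes666"); the sample directory tree is constructed inside a temporary folder so the script runs offline.

```python
import os
import tempfile
from collections import Counter

# Assumption: the Trojan appends its own name as a new extension, so a locked
# "report.docx" becomes "report.docx.Hermes666". Adjust if samples show otherwise.
SUSPECTED_EXTENSION = ".Hermes666"


def find_locked_files(root, extension=SUSPECTED_EXTENSION):
    """Walk `root` and return the sorted paths of files carrying the appended extension."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extension.lower()):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def summarize(hits, extension=SUSPECTED_EXTENSION):
    """Group locked files by directory and by the original (pre-lock) extension."""
    by_dir = Counter(os.path.dirname(path) for path in hits)
    original_types = Counter()
    for path in hits:
        # Strip the appended extension to recover the original file name.
        original_name = os.path.basename(path)[: -len(extension)]
        original_ext = os.path.splitext(original_name)[1].lower() or "(none)"
        original_types[original_ext] += 1
    return {
        "count": len(hits),
        "directories": dict(by_dir),
        "original_types": dict(original_types),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking a partly locked user profile."""
    root = tempfile.mkdtemp(prefix="hermes666_triage_")
    sample_files = [
        "Documents/report.docx.Hermes666",
        "Documents/notes.txt",              # untouched file
        "Pictures/cat.jpg.Hermes666",
        "Pictures/dog.bmp.Hermes666",
        "Music/song.mp3",                   # untouched file
    ]
    for rel in sample_files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    locked = find_locked_files(demo_root)
    report = summarize(locked)
    print(f"{report['count']} locked files found under {demo_root}")
    for directory, n in sorted(report["directories"].items()):
        print(f"  {n:3d}  {directory}")
    print("original file types:", report["original_types"])
```

Run it against a real mount point instead of the constructed tree to see which shares and profiles were reached; the per-directory counts are also what you need to scope a restore from backup.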

Along with the encryption, the Hermes666 Ransomware may issue CMD commands to disable interfering security features and programs silently. This behavior isn't consistent across the family, and malware experts can't confirm it in some variants, like the original Maoloa Ransomware, although it does appear in the Hades666 Ransomware. The most relevant attack in this series of commands is, as usual, the Trojan's potential for wiping the Shadow Volume Copies, which keeps victims from recovering their files in the easiest way possible.
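Shadow-copy wiping is one of the few steps in a file-locker's payload that leaves an unambiguous trace in process-creation telemetry, which makes it a good detection point. The script below is an added example (not code from this page, nor a rule published for this family) that scans process-creation records for the standard Windows commands that delete Shadow Volume Copies and raises the severity when the parent process runs from a user-writable location. The log lines are constructed, and their comma-separated field layout is an assumption for this example; Windows Security event 4688 and Sysmon event 1 expose equivalent fields.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records, not real telemetry from the Hermes666
# Ransomware. The field layout "pid,parent_image,image,command_line" is an
# assumption for this example.
SAMPLE_LOG = """\
1204,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c dir C:\\Users
2210,C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c vssadmin delete shadows /all /quiet
2211,C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe,C:\\Windows\\System32\\wbem\\WMIC.exe,wmic shadowcopy delete
3001,C:\\Windows\\System32\\services.exe,C:\\Windows\\System32\\svchost.exe,svchost.exe -k netsvcs
3320,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c vssadmin list shadows
"""

# Command patterns that remove Shadow Volume Copies. Merely listing them
# ("vssadmin list shadows") is routine administration and is deliberately not matched.
DELETION_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
}

# A parent running from a user-writable folder raises the severity: a dropped
# executable in Temp or AppData is a likelier origin than an administrator's console.
USER_WRITABLE_PARENT = re.compile(r"\\(?:AppData|Temp|Downloads)\\", re.IGNORECASE)


@dataclass
class Alert:
    pid: int
    parent_image: str
    command_line: str
    rule: str
    severity: str


def parse_record(line):
    """Split one log line into (pid, parent_image, image, command_line), or None if malformed."""
    parts = line.split(",", 3)  # the command line may itself contain commas
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    pid, parent_image, image, command_line = parts
    return int(pid), parent_image, image, command_line


def detect_shadow_copy_deletion(log_text):
    """Return one Alert per record whose command line matches a deletion rule."""
    alerts = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        pid, parent_image, _image, command_line = record
        for rule_name, pattern in DELETION_RULES.items():
            if pattern.search(command_line):
                severity = "high" if USER_WRITABLE_PARENT.search(parent_image) else "medium"
                alerts.append(Alert(pid, parent_image, command_line, rule_name, severity))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"[{alert.severity.upper()}] pid={alert.pid} rule={alert.rule} "
              f"parent={alert.parent_image}\n         cmd={alert.command_line}")
```

Because backup and imaging software legitimately prunes shadow copies on a schedule, tune the parent-process check to your environment rather than alerting on the bare command; the two-tier severity here is the minimal version of that tuning.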

Grounding the Hermes666 Ransomware's Ransoming Plans

File-locking Trojans usually, but not always, include a text message with instructions for buying an unlocking service from the campaign's administrator. Such a payment doesn't trigger any automatic decryptor, and malware researchers advise against it in almost all circumstances. Users worried about preserving their media from the Hermes666 Ransomware's attacks should always keep well-maintained backups on another device, either cloud-based or physically detachable.

While malware researchers haven't narrowed down the Hermes666 Ransomware's infection routes, file-locking Trojans do have general trends in finding their victims. Users can protect themselves preemptively through the following steps:

  • Change passwords that are still at factory defaults or otherwise weak against brute-force attacks.
  • Update software such as your PDF reader, Office programs, and website platform (such as WordPress). Out-of-date software exposes more well-known vulnerabilities that criminals can abuse to download and run threats like the Hermes666 Ransomware.
  • Avoid unsafe download sources, including unauthorized e-mail attachments, pop-ups from advertising networks, and torrents.

Although unlocking content via decryption may not be practical, most anti-malware services should delete the Hermes666 Ransomware on sight.

Another troublesome deity smiting the files of Windows users isn't something that the world needs, but the Hermes666 Ransomware is here, anyway. Windows users may as well practice a rational world view and counter its attacks in advance with a good backup and security software.
