Hermes 2.1 Ransomware (Malware): technical details, including an introduction to ransomware, how it installs itself on your system, and how you can remove it from your system.
2. What is Ransomware?
'Ransomware' is a type of malware that attempts to extort money
from a computer user by infecting and taking control of the victim's
machine, or the files or documents stored on it.
Typically, the ransomware will either 'lock' the computer to prevent
normal usage, or encrypt the documents and files on it to prevent
access to the saved data.
3. Types of Ransomware
Encryption Ransomware
Lock Screen Ransomware
Master Boot Record (MBR) Ransomware
7. Hermes 2.1 Ransomware
Hermes also follows the typical ransomware behavior by encrypting
target user data with a strong cipher.
Next, the victims are extorted to pay a ransom fee.
All affected data is renamed using the HERMES file extension
(.HRM). The virus targets all popular documents, databases, music,
video, photos, configuration files, etc.
8. Hermes Ransomware Distribution
The Hermes ransomware is distributed using the most popular virus delivery
methods:
Email Spam Messages – The email messages are crafted to include links
to the Hermes ransomware or deliver the payload as an attachment file. To
increase the infection ratio the viruses can be masked as legitimate
documents that may be of interest such as financial documents, invoices
and personal letters.
Dangerous Redirects – Dangerous redirects such as browser hijackers
and malicious ads can be used to deliver the Hermes ransomware.
Software Installers – Viruses can be bundled with infected software
bundles that pose as legitimate apps, games and patches. The most
common sources of infection are pirated copies found on pirate
sites and BitTorrent trackers.
9. Bank Robbery Using Hermes Ransomware
On Oct. 17, 2017, a crypto culprit used Hermes ransomware
for a sophisticated bank heist targeting Taiwan-based Far
Eastern International Bank (FEIB).
The threat actors, most likely the North Korean ‘Lazarus’
hacker group, harnessed the ransomware as a smokescreen to
distract the bank’s officials from the money theft going on
backstage.
10. Technical Details - Installation
As soon as you become infected with this ransomware, the
infection file connects to a remote host and downloads the
malicious payload of this ransomware. It consists of several
files.
This Trojan drops the following copies of itself into the
affected system and executes them:
%All Users Profile%\Reload.exe
%All Users Profile%\system_.bat
%All Users Profile%\shade.bat
{folders containing encrypted files}\UNIQUE_ID_DO_NOT_REMOVE
{folders containing encrypted files}\DECRYPT_INFORMATION.html
{%Desktop%}\UNIQUE_ID_DO_NOT_REMOVE
{%Desktop%}\DECRYPT_INFORMATION.html - ransom note
11. Then it executes the following Windows Command Prompt
commands in order to erase the shadow volume copies on your
computer:
Technical Details Installation Continue…
12. This Trojan adds the following registry entries to enable its
automatic execution at every system startup:
Technical Details Installation Continue…
13. To encrypt the files on your computer, the Hermes 2.1 ransomware
uses the Rivest-Shamir-Adleman (RSA) encryption algorithm
with a 2048-bit key. The virus targets specific file types for
encryption, some of which are the following:
Technical Details - Encryption
16. Information About Decryption
On Feb. 16, 2017, Fabian Wosar, CTO and malware researcher
at Emsisoft, set up a live video session in which he
reverse-engineered and decrypted the new Hermes ransomware.
17. STEP 1:
Start the PC in Safe Mode with Networking
This will isolate all files and objects created by the ransomware so
they can be removed efficiently.
1. Hit WIN Key + R
2. A Run window will appear. In it, write “msconfig” and then press
Enter
3. A Configuration box shall appear. In it, choose the tab named
“Boot”
4. Mark the “Safe Boot” option and then tick “Network” under it
5. Then click Apply -> OK
Hermes 2.1 Ransomware Removal
18. STEP 2:
Show Hidden Files
STEP 3:
Enter Windows Task Manager and Stop Malicious Processes
1. Hit the following key combination: CTRL+SHIFT+ESC
2. Go to the “Processes” tab
3. When you find a suspicious process, right-click on it and select “Open File
Location”
4. Go back to Task Manager and end the malicious process. Right-click on
it again and choose “End Process”
5. Next, go to the folder where the malicious file is located and delete
it
Hermes 2.1 Ransomware Removal Continue…
19. STEP 4:
Repair Windows Registry / Delete this registry value
1. Press the Windows Button + R key combination
2. In the box, write “regedit” and hit Enter
3. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
4. Remove this value: “sysrep = %All Users Profile%\Reload.exe”
Hermes 2.1 Ransomware Removal Continue…
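An added triage script for STEP 3 and STEP 4 (not part of the original slides): it checks for the indicators listed on slides 7, 10 and 19 (the dropped files, the ransom notes, the .HRM extension and the “sysrep” Run value) and removes the Run value only when -Remove is given. It assumes %All Users Profile% maps to $env:ALLUSERSPROFILE and scans the current user's profile by default; run it from an elevated PowerShell prompt in Safe Mode.

```powershell
# Added example, not from the original slides: report-only triage for Hermes 2.1
# indicators, with optional removal of the sysrep Run value (STEP 4).
param(
    [switch]$Remove,                             # actually delete the Run value (default: report only)
    [string[]]$ScanRoots = @($env:USERPROFILE)   # assumption: where to look for .HRM files
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'sysrep'

# 1. Dropped copies (slide 10): %All Users Profile%\Reload.exe, system_.bat, shade.bat
$dropped = 'Reload.exe', 'system_.bat', 'shade.bat' |
    ForEach-Object { Join-Path $env:ALLUSERSPROFILE $_ } |
    Where-Object { Test-Path -LiteralPath $_ }
$dropped | ForEach-Object { Write-Warning "Dropped file present: $_ (delete after ending its process)" }

# 2. Persistence (slide 19): sysrep = %All Users Profile%\Reload.exe under HKCU\...\Run
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    Write-Warning "Run value '$valueName' = '$($run.$valueName)'"
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $valueName
        Write-Output "Removed '$valueName' from $runKey"
    }
} else {
    Write-Output "No '$valueName' value under $runKey"
}

# 3. Encrypted files and ransom notes (slides 7 and 10)
$hits = Get-ChildItem -Path $ScanRoots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.HRM' -or
                   $_.Name -in 'DECRYPT_INFORMATION.html', 'UNIQUE_ID_DO_NOT_REMOVE' }
$encrypted = @($hits | Where-Object { $_.Extension -ieq '.HRM' })
$notes     = @($hits | Where-Object { $_.Extension -ine '.HRM' })
Write-Output ("{0} .HRM files and {1} ransom-note/ID files under {2}" -f
    $encrypted.Count, $notes.Count, ($ScanRoots -join ', '))

# UNIQUE_ID_DO_NOT_REMOVE is what its name says: keep it, a decryptor may need it.
$notes | Where-Object { $_.Name -eq 'UNIQUE_ID_DO_NOT_REMOVE' } | Select-Object -First 1 |
    ForEach-Object { Write-Output "Preserve for decryption attempts: $($_.FullName)" }
```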
21. STEP 6:
Scan your PC with a quality Anti-Virus, Anti-Malware program.
Recover your data from backups.
Hermes 2.1 Ransomware Removal Continue…
22. Perform the following steps for future prevention
1. Keep your software and operating systems up to date
2. Do not install applications from unfamiliar sources or untrusted
websites
3. Read permissions closely when requested by programs or apps.
4. Back up data and devices frequently (external backups recommended).
5. Install and regularly update a quality anti-malware product.
6. If infected, take every possible step to avoid paying.
Prevention is the best cure when it comes to ransomware.