Infected with Hermes Ransomware? Need to decrypt your files?

What is Hermes Ransomware

Hermes Ransomware is crypto-extortionist, that encrypts user data using AES-256 + RSA-2048 encryption, and then requires you to contact by e-mail to return files. Virus appends .hrm extension to encrypted files, however, some versions do not add any extensions or suffixes. At present moment there are three classified versions of Hermes Ransomware: Hermes 1.0, Hermes 2.0, Hermes 2.1 Ransomware. Differencies are analysing by researches: some code fragments are unique. After successful encryption, in every folder with affected files, Hermes (1.0-2.1) Ransomware creates DECRYPT_INFORMATION.html and DECRYPT_INFO.txt files with following message:

HERMES RANSOMWARE
All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.
There is only one way to get your files back: contact with us, pay, and get decryptor software.
You have "UNIQUE_ID_DO_NOT_REMOVE" file on your desktop also it duplicated in some folders, its your unique idkey, attach it to letter when contact with us. Also you can decrypt 3 files for test.
We accept Bitcoin, you can find exchangers on xxxxs://www.bitcoin.com/buy-bitcoin and others.
Contact information:
primary email: BM-2cXfK4B5W9nvci7dYxUhuHYZSmJZ9zibwH@bitmessage.ch
reserve email: x2486@india.com

Hermes 2.0 ransom notes
Hermes Ransomware

New version of Hermes 2.1 ransom notes
Hermes Ransomware

Hermes Ransomware also creates “UNIQUE_ID_DO_NOT_REMOVE” file, that malefactors require attaching to e-mail. This malware uses the Evelen method to bypass UAC. Removes volumes of shadow copies of files and backup files. Currently ransom amount is unknown, but usually ransomware demands from $500 to $2000 in BitCoins to be paid for decryptor. There are many cases when hackers ignore the payment and do not send any keys in return. There is free decryptor available, created by security specialists, but unfortunately, it can not decrypt all versions of Hermes Ransomware. You can still try to use any recovery tools or instructions given on this page or preserve files until updated decryption tool appears. Use this tutorial to remove Hermes Ransomware and decrypt .hrm files for free.

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. Also check following website for possible decryptor: Emsisoft Decryptors.

How Hermes Ransomware infected your PC

At this moment, we know that several e-mails are used to distribute .docx files with malicious macroses. E-mails are distributed all over the world. You can also get this ransomware on file-sharing networks, including torrent files. Ransom is asked to be paid in BitCoins, that also makes the task difficult for the police, as the user in this network is often anonymous. Encryption starts in the background. Way to protect your computer from such threats is to use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.

First of all, don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Hermes Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to Hermes Ransomware – files, folders, registry keys.

 

Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Step 2: Remove following files and folders of Hermes Ransomware:

Remove following registry entries:


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "%USERPROFILE%\Desktop\DECRYPT_INFORMATION.html" /f
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "sysrep" /t REG_SZ /d "%PUBLIC%\Reload.exe" /f
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "sysrep" /t REG_SZ /d
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper C:\users\User\Desktop\DECRYPT_INFORMATION.html

Remove following files and folders:


DECRYPT_INFO.txt
DECRYPT_INFORMATION.html
UNIQUE_ID_DO_NOT_REMOVE
hermes.exe
Reload.exe
system_.bat
shade.bat
shade.vbs
C:\Eleven\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\
C:\Eleven\Microsoft\
C:\Eleven\Microsoft\Windows\
C:\Eleven\Microsoft\Windows\Caches\
C:\Eleven\Microsoft\Windows\Caches\cversions.2.db
C:\Eleven\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{73E271C2-E043-4985-A165-1B09233B848B}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{E0B113B6-B2EA-4F79-9F6D-C7F51DA96E93}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Start Menu
C:\Eleven\Microsoft\Windows\Start Menu\Programs
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk

How to decrypt files infected by Hermes Ransomware (.hrm files)?

Use automated decryption tools

Decrypter from Michael Gillespie

kaspersky rakhni decryptor for Hermes Ransomware

There is ransomware decryptor, developed by security researcher Michael Gillespie with help of Fabian Wosar, that can decrypt .hrm files. It is free and may help you restore .hrm files encrypted by Hermes Ransomware virus. Download it here:

Download Hermes Decrypter

Decrypter from Kaspersky

kaspersky rakhni decryptor for Hermes Ransomware

There is ransomware decryptor from Kaspersky that can decrypt .hrm files. It is free and may help you restore .hrm files encrypted by Hermes Ransomware virus. Download it here:

Download Kaspersky RakhniDecryptor

You can also try to use manual methods to restore and decrypt .hrm files.

Decrypt .hrm files manually

Restore the system using System Restore

system restore

Although latest versions of Hermes Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – Hermes Ransomware by Hermes Ransomware). This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Restore .hrm files using shadow copies

stellar-data-recovery

  1. Download and run Stellar Data Recovery.
  2. Select type of files you want to restore and click Next.
  3. Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your files from ransomware

Most modern software can protect your data from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach to protect your files from ransomware and lockers. One of the best is SOS Online Backup. The product will automatically find important files, then simply make a daily backup on the remote server. SOS runs quietly and automatically in the background and supports any size and any file type. All SOS apps (desktop AND mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud. You will not lose your important data. Download One Year Plan.

SOS Online Backup

Information provided by: Alexey Abalmasov

4 Comments

  1. The files in my home notebook were encrypted which could not be opened. The are not in same extension as before not as .hrms. Will the tools can decrpt the files?

  2. bonjour, j’ai suivi le tuto, je n’ai plus rien mais impossible de restaurer les fichiers .hrm. J’ai Hermes 2.1 voici un exemple de fichier “DSC_0101.JPG[unlockmeplease@cock.li ].HRM” que dois je faire, cordialement

Leave a Reply

Your email address will not be published. Required fields are marked *