Infected with Hermes Ransomware? Need to decrypt your files?
What is Hermes Ransomware
Hermes Ransomware is crypto-extortionist, that encrypts user data using AES-256 + RSA-2048 encryption, and then requires you to contact by e-mail to return files. Virus appends .hrm extension to encrypted files, however, some versions do not add any extensions or suffixes. At present moment there are three classified versions of Hermes Ransomware: Hermes 1.0, Hermes 2.0, Hermes 2.1 Ransomware. Differencies are analysing by researches: some code fragments are unique. After successful encryption, in every folder with affected files, Hermes (1.0-2.1) Ransomware creates DECRYPT_INFORMATION.html and DECRYPT_INFO.txt files with following message:
All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.
There is only one way to get your files back: contact with us, pay, and get decryptor software.
You have "UNIQUE_ID_DO_NOT_REMOVE" file on your desktop also it duplicated in some folders, its your unique idkey, attach it to letter when contact with us. Also you can decrypt 3 files for test.
We accept Bitcoin, you can find exchangers on xxxxs://www.bitcoin.com/buy-bitcoin and others.
primary email: BM-2cXfK4B5W9nvci7dYxUhuHYZSmJZ9zibwH@bitmessage.ch
reserve email: email@example.com
Hermes 2.0 ransom notes
New version of Hermes 2.1 ransom notes
Hermes Ransomware also creates “UNIQUE_ID_DO_NOT_REMOVE” file, that malefactors require attaching to e-mail. This malware uses the Evelen method to bypass UAC. Removes volumes of shadow copies of files and backup files. Currently ransom amount is unknown, but usually ransomware demands from $500 to $2000 in BitCoins to be paid for decryptor. There are many cases when hackers ignore the payment and do not send any keys in return. There is free decryptor available, created by security specialists, but unfortunately, it can not decrypt all versions of Hermes Ransomware. You can still try to use any recovery tools or instructions given on this page or preserve files until updated decryption tool appears. Use this tutorial to remove Hermes Ransomware and decrypt .hrm files for free.
How Hermes Ransomware infected your PC
At this moment, we know that several e-mails are used to distribute .docx files with malicious macroses. E-mails are distributed all over the world. You can also get this ransomware on file-sharing networks, including torrent files. Ransom is asked to be paid in BitCoins, that also makes the task difficult for the police, as the user in this network is often anonymous. Encryption starts in the background. Way to protect your computer from such threats is to use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.
First of all, don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Hermes Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
SpyHunter 4 – fully removes all instances of Hermes Ransomware – files, folders, registry keys.
Step 2: Remove following files and folders of Hermes Ransomware:
Remove following registry entries:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "%USERPROFILE%\Desktop\DECRYPT_INFORMATION.html" /f
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "sysrep" /t REG_SZ /d "%PUBLIC%\Reload.exe" /f
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "sysrep" /t REG_SZ /d
Remove following files and folders:
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
How to decrypt files infected by Hermes Ransomware (.hrm files)?
Use automated decryption tools
Decrypter from Michael Gillespie
There is ransomware decryptor, developed by security researcher Michael Gillespie with help of Fabian Wosar, that can decrypt .hrm files. It is free and may help you restore .hrm files encrypted by Hermes Ransomware virus. Download it here:
Decrypter from Kaspersky
There is ransomware decryptor from Kaspersky that can decrypt .hrm files. It is free and may help you restore .hrm files encrypted by Hermes Ransomware virus. Download it here:
You can also try to use manual methods to restore and decrypt .hrm files.
Decrypt .hrm files manually
Restore the system using System Restore
Although latest versions of Hermes Ransomware remove system restore files, this method may help you to partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – Hermes Ransomware by Hermes Ransomware). This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
Restore .hrm files using shadow copies
- Download and run Data Recovery Pro.
- Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
- Choose all files on folder you want to restore and select Restore.
- Choose export location and view restored files.
Protect your files from ransomware
Most modern software can protect your data from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach to protect your files from ransomware and lockers. One of the best is SOS Online Backup. The product will automatically find important files, then simply make a daily backup on the remote server. SOS runs quietly and automatically in the background and supports any size and any file type. All SOS apps (desktop AND mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud. You will not lose your important data. Download One Year Plan.
Information provided by: Alexey Abalmasov