Thanks to information from Fabian Wosar during the live stream, I have been able to develop a decrypter for the first iteration of this ransomware.
To use this decrypter, you will need an encrypted file and its original. You may drag and drop them onto the executable, or run it via the command line.
HermesDecrypter.exe <encrypted> <original>
Due to the length of the key used, the decrypter may take a while to find a key. On an i7, it may take up to 12 hours or so.
Once a key is found, it will be automatically saved, and the decrypter will prompt for a directory to decrypt.
The decrypter will then traverse the path recursively and decrypt any Hermes-encrypted files found. Files will first be backed up with the extension ".bak" to be safe, as the original extension is not changed by this ransomware - make sure you have the hard drive space needed if you are decrypting a full drive. You can always use my CryptoSearch to then clear out the encrypted backed-up files.
If you already have a key file from a previous session, simply pass the directory to decrypt, and the key file as an argument with the following syntax.
HermesDecrypter.exe <directory> -k <keyfile>
If you have any issues decrypting your files, let me know. I can also assist in acquiring a key since it can take a decent time.
Also note that there is a new variant of this ransomware called Hermes 2.0; this decrypter cannot decrypt those files, and it will skip them.
Edited by Demonslay335, 14 March 2017 - 02:13 PM.