
Hermes Ransom Help & Support Topic (DECRYPT_INFORMATION.html Ransom Note)


#1 Grinler (Lawrence Abrams, Admin)

Posted 16 February 2017 - 07:46 PM

A new ransomware was discovered today by GData's Karsten Hahn. The good news is that the ransomware can be decrypted and a decryptor will be released soon.

For those who want to learn more about this ransomware, you can read this article, which provides technical analysis and a video of Fabian Wosar analyzing and creating a basic decryptor:

Hermes Ransomware Decrypted in Live Video by Emsisoft's Fabian Wosar

For a recap, the ransomware will not change the file name of encrypted files and will drop a ransom note named DECRYPT_INFORMATION.html. The ransom note is displayed below.
 

ransom-note.png


#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 14 March 2017 - 11:49 AM

Thanks to information from Fabian Wosar during the live stream, I have been able to develop a decrypter for the first iteration of this ransomware.

 

https://download.bleepingcomputer.com/demonslay335/HermesDecrypter.zip

 

To use this decrypter, you will need an encrypted file and its original. You may drag and drop them onto the executable, or run it via command line.

HermesDecrypter.exe <encrypted> <original>

Due to the length of the key used, the decrypter may take a while to find a key. On an i7, it may take up to 12 hours or so.

 

2017-03-14_1140.png

 

Once a key is found, it will be automatically saved, and the decrypter will prompt for a directory to decrypt.

 

2017-03-14_1144.png

 

The decrypter will then traverse the path recursively and decrypt any Hermes-encrypted files found. Files will first be backed up with the extension ".bak" to be safe, as the original extension is not changed by this ransomware - make sure you have the hard drive space needed if you are decrypting a full drive. You can always use my CryptoSearch to then clear out the encrypted backed-up files.

 

2017-03-14_1146.png

 

If you already have a key file from a previous session, simply pass the directory to decrypt, and the key file as an argument with the following syntax.

HermesDecrypter.exe <directory> -k <keyfile>

If you have any issues decrypting your files, let me know. I can also assist in acquiring a key since it can take a decent time.

 

Also note that there is a new variant of this ransomware called Hermes 2.0; this decrypter cannot decrypt those files, and it will skip them.


Edited by Demonslay335, 14 March 2017 - 02:13 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Amigo-A (Members)

Posted 14 March 2017 - 12:35 PM

System error. The program cannot start because api-ms-win-crt-como-ll-l-0.dll is missing from your computer. Try reinstalling the program.

 

 
Is this normal?
OS: Windows 7 Home Premium x64

I downloaded these updates:
That helped.

But then another error occurred with MSVCP149.dll
For this error I downloaded these updates (for x86 and x64 systems!)

That helped. The decrypter started.


Edited by Amigo-A, 14 March 2017 - 01:25 PM.

Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links


#4 Amigo-A (Members)

Posted 14 March 2017 - 01:51 PM

Sorry. My errors were associated with the use of HermesDecrypter.exe.

 

As for the topic, yes, probably Michael did not know that such a topic already exists.


Edited by Amigo-A, 14 March 2017 - 01:54 PM.



#5 erkikelillo (Members)

Posted 23 April 2017 - 06:57 AM

As far as I'm reading, this program is not valid for version 2.0 of Hermes, is that correct? What can I do? Wait? Thanks.



#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 23 April 2017 - 10:58 AM

Correct. As stated, the decrypter is only for v1.0.

Hermes 2.0 is not decryptable, as they fixed the keygen flaw, and added RSA-2048 to protect the AES keys. You can only restore from backups, try recovery software such as Recuva and ShadowExplorer, or archive files and hope for the future if the criminals are caught or something.



#7 bobykelso (Members)

Posted 30 October 2017 - 09:36 AM

Sorry for this useless message.

It is Hermes 2.1 that encrypted my files :-/


Edited by bobykelso, 30 October 2017 - 09:54 AM.


#8 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 30 October 2017 - 09:54 AM

Can you share the filepair you are trying? If you were hit "recently", then I can guarantee it is not Hermes 1.0 (the decrypter skips Hermes 2.0 because it cannot be bruteforced). Have you uploaded an encrypted file to ID Ransomware for proper identification? If it says Hermes 2.0, then it is not decryptable.




#9 RudraSingh (Members)

Posted 31 October 2017 - 01:48 AM

So I got hit by Hermes 2.1 yesterday.

 

2J9kUWtg.png

 

Luckily it only infected one drive of my hard disk (not all files are encrypted), which mostly had movies (I'm a movie buff).
I'm scanning my system with SpyHunter 4 right now. So my question is: after the removal of Hermes, should I delete the encrypted files or wipe the whole drive, as I know the chances of decryption are close to none?

 

One more thing: while messing with my PC I stumbled upon something.

 

yq3kNUW.png

 

 

Could these files possibly be decryption keys?


Edited by RudraSingh, 31 October 2017 - 01:57 AM.
