Hermes Ransom Help & Support Topic (DECRYPT_INFORMATION.html Ransom Note)


63 replies to this topic

#16 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 22 March 2018 - 08:24 AM

Only the very first version of Hermes was decryptable. 2.0 and newer patched the flaws and are secure, as mentioned in the topic several times. The only way that it will ever be decryptable is if the criminals are caught and the private RSA keys seized.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#17 XChangingIT (Member)

Posted 15 April 2018 - 11:20 PM

Hi,

I'm pretty certain we've been infected by the first Hermes crypto. I'm not having much luck decrypting our files and it wiped the backup drive with no luck at data recovery.

Could I get a hand please?? I'd really appreciate it.

Please let me know asap.

thanks so much.



#18 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 April 2018 - 12:39 AM

@XChangingIT

 

Are you sure it is the first variant? They haven't been distributing it for over a year now. ID Ransomware will tell you based on the filemarker which one it is.




#19 XChangingIT (Member)

Posted 16 April 2018 - 07:12 AM

Hi:

In the DECRYPT_INFORMATION file I didn't see the 2.1 as it shows in many examples online. But when I went to ID Ransomware it said it was the 2.1. Still nothing out yet for that, I assume?

thanks for your quick reply



#20 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 April 2018 - 08:49 AM

If it was identified by filemarker or extension, then it is the Hermes 2.1. It's possible they just slightly modified the ransom note. Hermes 2.1 is not decryptable just like ID Ransomware states. Never expose RDP to the web.


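Editor's added example of what "identified by filemarker" means in practice, written in Go for this page; it is not code from the thread, from ID Ransomware or from Hermes. It reads only the tail of each file, matches it against a table of markers and counts hits per family and version. The marker bytes (FAMX, FAMX21), the trailer position, the 4 KB window and the sample files are constructed placeholders for illustration; Hermes' real markers are not reproduced here. The longest-match rule is the one detail worth copying: a version-specific marker that extends an older, shorter one must not be reported as the older version, which is exactly the 1.0-versus-2.1 confusion in the posts above.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// markerRule pairs a family/version label with the byte string that family
// writes into every encrypted file. Constructed placeholders, not Hermes' real markers.
type markerRule struct {
	family string
	marker []byte
}

var rules = []markerRule{
	{"Family-X 1.0 (placeholder)", []byte("FAMX")},
	{"Family-X 2.1 (placeholder)", []byte("FAMX21")},
}

// tailWindow assumes the marker sits in a trailer, so the last 4 KB suffice.
const tailWindow = 4096

// identifyTail returns the label of the longest marker found in tail, so the
// version-specific "FAMX21" wins over the "FAMX" it happens to contain.
func identifyTail(tail []byte) (string, bool) {
	best, bestLen := "", 0
	for _, r := range rules {
		if len(r.marker) > bestLen && bytes.Contains(tail, r.marker) {
			best, bestLen = r.family, len(r.marker)
		}
	}
	return best, bestLen > 0
}

// readTail reads only the last tailWindow bytes, so multi-GB dumps scan fast.
func readTail(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	st, err := f.Stat()
	if err != nil {
		return nil, err
	}
	start := st.Size() - tailWindow
	if start < 0 {
		start = 0
	}
	buf := make([]byte, st.Size()-start)
	_, err = io.ReadFull(io.NewSectionReader(f, start, int64(len(buf))), buf)
	return buf, err
}

// scanTree counts files per identified family under root; unreadable files are
// skipped rather than fatal, since shares hit by ransomware often have locked files.
func scanTree(root string) (map[string]int, error) {
	counts := map[string]int{}
	err := filepath.WalkDir(root, func(path string, d os.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() {
			return nil
		}
		tail, err := readTail(path)
		if err != nil {
			return nil
		}
		if fam, ok := identifyTail(tail); ok {
			counts[fam]++
		} else {
			counts["unidentified"]++
		}
		return nil
	})
	return counts, err
}

// demoScan writes a constructed sample tree to a temp dir, scans it and cleans
// up. "report.docx" is larger than tailWindow on purpose.
func demoScan() (map[string]int, error) {
	dir, err := os.MkdirTemp("", "markerscan")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	samples := map[string][]byte{
		"report.docx": append(bytes.Repeat([]byte{0xAB}, 8000), "FAMX21"...),
		"budget.xlsx": append([]byte("ciphertext"), "FAMX21"...),
		"old.bak":     append([]byte("ciphertext"), "FAMX"...),
		"README.txt":  []byte("this file was not encrypted"),
	}
	for name, data := range samples {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o600); err != nil {
			return nil, err
		}
	}
	return scanTree(dir)
}

func main() {
	counts, err := demoScan()
	fmt.Println(counts, err)
}
```

A marker only tells you which family and version wrote the file; as the replies in this topic say, that identification does not by itself mean a decrypter exists.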


#21 masterHDD (Member)

Posted 17 May 2018 - 11:34 AM

Any news on the updated decryptor?



#22 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 17 May 2018 - 11:57 AM

There never will be an "updated decrypter" unless the author leaks the private RSA key, or it is seized from them by law enforcement.




#23 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 17 May 2018 - 02:35 PM

Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. That means there is always hope someday the developers of this ransomware will be caught.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#24 hadasek (Member)

Posted 23 May 2018 - 06:54 PM

I wrote to them... I wanted a test on one file.

No database, no backup and no archives for the test.

The price is $1000.

But it's a lottery bet.



#25 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 23 May 2018 - 08:16 PM

And the odds are never in the victim's favor.

#26 grumpyman (Member)

Posted 01 June 2018 - 07:27 AM

Just a word to the wise... Just tried paying the ransom for the 'decryptor' for Hermes 2.1. The email addresses provided in this case seem to be different from the .ch ones that I have seen reported elsewhere, including above. In this case they were hrmsdecrypt@mail.com and novusordoseclorum100@gmail.com. The ransom asked for was 0.2 BTC, roughly $1,450.00 US at current rates. They had me send in one encrypted file, and they did decrypt it successfully and return the file to me as proof that they had the correct key. Having then paid the ransom, I got back a message that said:

    Untill u start decryptor: turn off all antivirus software,stop all databases (if exist and have been ecnrypted),
    add all local resources (what have been ecnrypted)
    after it you must start DECRYPTOR.exe with admin privileges, choose 2 mode (fully automatic decrypt) and wait,
    after decryptor finished u see the message.
    For additional question u can write in anytim
    Hermes Team

There was an 82 KB file attached called decryptor.rar, which was totally bogus; it was not even a properly formatted RAR file. Spread the word: DO NOT pay these guys, you will just be throwing good money after bad. These guys are idiots if they don't understand that if they are not at least going to return the decryption key when the ransom is paid, the word is going to get out, and pretty soon they will have succeeded in putting themselves out of business. Couldn't happen to a nicer bunch of guys, if you ask me.

Edited by grumpyman, 01 June 2018 - 07:35 AM.


#27 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 01 June 2018 - 08:24 AM

@grumpyman

 

As long as that decrypter has the proper RSA key, that's the important part. I can make a decrypter that would decrypt the files only if provided your individual private RSA key. Feel free to PM me a link to what they sent you and I can try to take a look.


Edited by Demonslay335, 01 June 2018 - 08:26 AM.

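The two points made in #22 and #27, that nothing short of the private RSA key can help and that any working decrypter is just the same routine fed that key, shown as an editor's added Go example. This is not code from the thread and not Hermes' own code. The algorithms (AES-256-GCM for the content, RSA-2048 with OAEP to wrap the per-file key), the trailer layout and the TOY-MARK tag are this example's assumptions about a typical hybrid scheme, not a description of Hermes 2.1's internals; the sample plaintext is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// trailerMarker is a constructed tag that lets a decrypter recognise the
// layout; it plays the role of a filemarker, not Hermes' real one.
var trailerMarker = []byte("TOY-MARK")

// sample is a constructed plaintext standing in for a victim's file.
var sample = []byte("Q2 invoices and customer list; nothing backed up offline.")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile models the hybrid layout: a fresh random AES-256 key encrypts the
// content (AES-GCM is this example's choice, not a claim about Hermes' mode), the
// key is wrapped with the criminals' RSA public key, and wrapped key + marker are
// appended. The plain key is never written anywhere, so the file alone cannot
// be decrypted by anyone without the private key.
func encryptFile(plain []byte, pub *rsa.PublicKey) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nonce, nonce, plain, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return append(append(body, wrapped...), trailerMarker...), nil
}

// decryptFile is all a "decryptor" does, and it works only with the private half
// of the pair that wrapped the key; any other private key fails at the unwrap.
func decryptFile(enc []byte, priv *rsa.PrivateKey) ([]byte, error) {
	wrapLen := priv.PublicKey.Size()
	if !bytes.HasSuffix(enc, trailerMarker) || len(enc) < len(trailerMarker)+wrapLen {
		return nil, errors.New("not a file produced by this scheme")
	}
	end := len(enc) - len(trailerMarker)
	wrapped, body := enc[end-wrapLen:end], enc[:end-wrapLen]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	if len(body) < gcm.NonceSize() {
		return nil, errors.New("truncated body")
	}
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], nil)
}

// demo encrypts sample under the criminals' pair, then decrypts with the matching
// private key and with an unrelated one (anyone else, including a fake "decryptor"
// that ships without the key).
func demo() (recovered []byte, wrongKeyErr error, err error) {
	criminals, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	enc, err := encryptFile(sample, &criminals.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	if recovered, err = decryptFile(enc, criminals); err != nil {
		return nil, nil, err
	}
	_, wrongKeyErr = decryptFile(enc, someoneElse)
	return recovered, wrongKeyErr, nil
}

func main() {
	rec, wrongErr, err := demo()
	fmt.Printf("right key: %q\nwrong key: %v\nerror: %v\n", rec, wrongErr, err)
}
```

demo() tries the matching private key, which recovers the sample, and an unrelated one, which fails at the unwrap step without revealing anything about the content. That is why a decryptor.rar that arrives without the key is worthless, and why the only path to a public decrypter for a correctly implemented version is the private key leaking or being seized.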


#28 grumpyman (Member)

Posted 01 June 2018 - 12:06 PM

@Demonslay335, thank you very much for the offer! I sent you a link via PM as requested.



#29 Shurikan (Member)

Posted 03 June 2018 - 11:22 AM

Hey, I have a question: after clicking a link to a municipality website from an e-mail (sent by a friend), a website popped up (with an IP address in the browser, something like 192.something) and started downloading loads of files. All of the downloads seemed to be blocked by my browser (Chrome), but I'm still worried that I might have some virus on my PC. I downloaded the free version of Comodo directly after (before I only ran Windows Firewall) and when I restarted the computer I blocked "Hermes.exe" with the path: C:\Program Files (x86)\Acer\Acer Jumpstart\Hermes.ex , because I didn't know what this program was. I googled hermes.exe and came to this forum, but I don't know for sure if this program is the same as the Hermes ransomware described here. And if so, what do I do? Other files that I blocked at starting up the computer:

- C:\Users\marti\AppData\Local\OEM\Hermes\adunits\f5d6228503-180530\adunit\HermesTarget.cmd

- C:\Users\marti\AppData\Local\OEM\Hermes\adunits\f5d6228501-180529\adunit\HermesTarget.cmd

Also, what is your general advice for what I should do now?

edit: Just ran a scan with Comodo and it showed no threats.

edit2: I see 2 unknown files in my downloads folder. I've moved them to the bin for now.


Edited by Shurikan, 03 June 2018 - 11:31 AM.


#30 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 03 June 2018 - 01:51 PM


If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.



