Remove Hermes Ransomware

I wrote this article to help you remove Hermes Ransomware. This Hermes Ransomware removal guide works for all Windows versions.

Hermes ransomware is a win-locker virus. The origin of the insidious program is not known, but the email accounts the hackers use to communicate with their victims leave room for assumptions. They use two email accounts to correspond with people. The main is hosted by a Swiss client, while the reserve has been registered on an Indian platform. Hermes ransomware performs the usual tasks for a win-locker. Once penetrating a computer, the nefarious program encrypts the user’s personal files. It then proceeds to notify the victim about the occurrence and tell him what he needs to do to regain the access to his data. The cyber criminals behind Hermes ransomware require victims to pay a ransom.

You may not realize how and when your computer got infected. Hermes ransomware is distributed through an obscure technique, known as spam email campaigns. The secluded program travels under cover, hidden behind attached files. The host for the win-locker can be a text document, an image, an archive, or a zipped folder. The sender will present the file as an important document and urge you to tend to it right away. In many cases, spammers write on behalf of legitimate companies and entities, like the national post, the local police department, courier firms, government branches, banks, social networks, and others. The download and install of Hermes ransomware is conducted via background processes which makes it seamless. The best way to prevent the virus from entering your system is to proof the reliability of your emails. Check the contacts to confirm the sender is who he claims to be.

Hermes ransomware targets a wide specter of files. Examining infected machines, researchers have discovered that the win-locker encrypts 681 different formats. This includes documents, databases, archives, images, audios, videos, and other essential storage formats. To encrypt such a wide range of file types, Hermes ransomware uses a combination of RSA-2048 encryption algorithm and AES-256 cipher. Upon completing the encryption process, the malevolent program drops a ransom note and an additional file on the hard drive. A copy of these objects is placed on the desktop and in some of the folders which contain encrypted data. The ransom note is titled DECRYPT_INFORMATION.html. It explains what you need to do to have your files restored.

The accompanying file is titled UNIQUE_ID_DO_NOT_REMOVE. As its name hints, it contains an ID number. The creators of Hermes ransomware have set the malignant program to generate a unique ID for each infected device. The file is in an unspecified format. One of the main requirements of the cyber criminals is for the user to send it to them. Victims have to contact the developers of Hermes ransomware in order to receive instructions on the payment process. They have two email accounts. The primary account is BM-2cXfK4B5W9nvci7dYxUhuHYZSmJZ9zibwH@bitmessage.ch. People need to send an email to this address first. If they do not receive a reply, then they can send a letter to the reserve address: x2486@india.com. The hackers give users the chance to have three files of their choice decrypted for free. You have to send them with the message as attachments.

While we do not know what the amount of the ransom is, the ransom note does disclose the payment method. The cyber thieves require victims to pay in bitcoins. This is a cryptocurrency which protects the identity of the sender and the recipient in the transaction. For this reason, it is the preferred means of payment for illegal deals. Be advised that paying the developers of Hermes ransomware does not guarantee that the problem will be solved. The hackers may not provide the decryption key. Even if they do, they could leave traces of the win-locker in your system and reactivate it in time. You should take actions into your own hands and delete the virus on your own. For this purpose, you will need a professional anti-virus program.

There are instructions on how to remove Hermes ransomware from your system below. It should be noted that the rogue program tries to delete the shadow volume copies of the encrypted files. These fragments can be used to restore the locked data. This is why the win-locker tries to eradicate them. The sinister program uses a file called Shade.vbs to bypass the User Account Control (UAC). This gives the file elevated privileges. It will use them to launch a batch file called Shade.bat. This object executes the task of deleting shadow volume copies. Analysis has revealed that the code of Hermes ransomware can be broken. You may have to wait, but a custom decrypter will be developed in time. Remember, your files will not be deleted. They will just remain locked.

Hermes Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Hermes Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Hermes Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.