Hermes 2.1 ransomware virus

September 12, 2018

What is Hermes 2.1

Hermes 2.1 is a dangerous cryptovirus that drops several ransom notes asking its victims to transfer cryptocurrency in exchange for the decryption key.

How does Hermes 2.1 work


Hermes 2.1 is a ransomware-type cyber infection that belongs to the same family as Hermes ransomware and Hermes 2.0. It was detected at the end of 2017 by a group of cybersecurity experts while it was attacking computers of English-speaking users. In March 2018, a new Hermes 2.1 ransomware variant was detected. This time, it was targeting South Korean PC users via a Flash Player exploit kit called GreenFlash Sundown, which helped the virus infiltrate systems undetected. The new variant uses the AZORult trojan horse to get into target PC systems. In addition, the virus encrypts files using a combination of an RSA public key and the AES cipher. Each encrypted file gets a .HERMES or .hrm file extension.


Another feature of this dangerous cyber threat is that it deletes shadow volume copies. Consequently, victims can only decrypt the corrupted files with the original decrypter or restore them from cloud backup copies.

The difference between the older and the newer version of Hermes 2.1 is that the latter uses a new file marker at the end of the compromised file's content. According to the previous analysis, it used to leave a HERMES file marker; now that marker is followed by numerous random characters and symbols.

As mentioned above, the new Hermes 2.1 virus variant doesn't use the .HRM extension anymore. However, that is not the most important feature of the updated version. The latest offspring now encrypts files with the AES-256 algorithm and protects the AES key with the RSA-2048 algorithm. This change only makes it harder for IT professionals to generate the decryption key, because every encrypted file is encoded with its own key.

Other features of Hermes 2.1 remain the same: its developer still embeds the mp3 of Vivaldi's Spring composition. Additionally, the perpetrator continues to mention Wichita State University in Kansas and leaves two email addresses, which raises the question whether these details were left intentionally or unintentionally:

BM-2cTSTDcCD5cNqQ5Ugx4US7momFtBynwdgJ@bitmessage.ch; BM2cT72URgs1AWGV6Wy6KBu2yuj3ychN5vxC@bitmessage.ch.

Fortunately, Hermes 2.1 malware, including its newest version, is already detected by the majority of security applications as Trojan/Win32.AGeneric, Ransom.Hermes, Trojan.GenericKD.6154143, etc. It runs from files named ClrgraphicsOperation and My video.exe.

Of course, the malware might hide under a different file name. If you notice that some of your files are already locked and marked with the .HRM extension, or you find DECRYPT_INFO.txt and DECRYPT_INFORMATION.html, it is high time you initiated Hermes 2.1 removal.

You can remove Hermes 2.1 with the help of professional security software. We suggest using , but first you must disable the virus to unblock your system and get access to download the antivirus. Learn how to do that from the guide attached at the end of this article.


Hermes 2.1 relies on the AZORult trojan horse while spreading around the globe.

How to delete Hermes 2.1

The South Korean Emergency Response Team (KrCERT) published a warning about the Hermes 2.1 ransomware virus, which is currently attacking South Koreans via a Flash Player 28.0.0.137 vulnerability using a sophisticated exploit kit dubbed GreenFlash Sundown. The same exploit has earlier been used by Lazarus, a group of North Korean hackers who have previously attacked a Taiwanese bank.

The ransomware payload is distributed via malicious Microsoft Word documents. Multiple scam campaigns have already been launched to spread the payload widely. The first attack was launched via a compromised Korean website at the end of February 2018.

Once the Hermes 2.1 ransomware payload is executed, it creates a svchosta.exe file in the %TEMP% folder. During execution, the victim is asked for permission to run the script. Even if permission is not given, the virus starts encryption anyway.

Hermes 2.1 hails from the notorious Hermes family, which uses several file extensions to mark encrypted files.

Upon encryption, it creates a file named UNIQUE_ID_DO_NOT_REMOVE, which contains the private RSA key, and a ransom note named DECRYPT_INFORMATION.html in the C:\Users\Public\ directory. The ransom note contains the following information:

Each encrypted file gets the HERMES file extension. The victim is asked to contact the crooks via pretty040782@gmail.com or pretty040782@keemail.me. The size of the ransom is unknown, though it may vary from 200 to 1500 USD.
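The artefacts described above (the ransom notes, the UNIQUE_ID_DO_NOT_REMOVE file, svchosta.exe in the temp folder, the .HERMES/.hrm extensions and the HERMES marker at the end of encrypted content) are what a responder looks for when triaging a suspected infection. The script below is an added example, not code from the original article: it walks a directory tree and buckets every file that matches one of those indicators. The sample tree it scans is constructed inline, and the 1 KiB tail window used to find the marker is an assumption chosen to cover both the old variant (marker at the very end) and the new one (marker followed by random bytes).

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up: ransom-note names, the key-material file,
# the dropped executable, the extensions given to encrypted files and the
# "HERMES" marker appended to encrypted content. Matching is case-insensitive
# because NTFS is.
RANSOM_NOTES = {"decrypt_info.txt", "decrypt_information.html"}
KEY_FILE = "unique_id_do_not_remove"
DROPPED_EXE = "svchosta.exe"
ENCRYPTED_EXTS = {".hermes", ".hrm"}
MARKER = b"HERMES"
# Assumption: the marker lies within the last 1 KiB of the file (old variant
# ends the file with it, new variant follows it with random bytes).
TAIL_BYTES = 1024


def has_trailing_marker(path: Path) -> bool:
    """True if the HERMES marker appears in the last TAIL_BYTES of the file."""
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            fh.seek(max(0, size - TAIL_BYTES))
            return MARKER in fh.read()
    except OSError:
        return False


def scan_tree(root) -> dict:
    """Walk root and bucket every file matching a Hermes 2.1 indicator."""
    root = Path(root)
    findings = {"ransom_notes": [], "key_files": [], "dropped_exe": [],
                "encrypted_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lname = name.lower()
            if lname in RANSOM_NOTES:
                findings["ransom_notes"].append(rel)
            elif lname == KEY_FILE:
                findings["key_files"].append(rel)
            elif lname == DROPPED_EXE:
                findings["dropped_exe"].append(rel)
            elif Path(lname).suffix in ENCRYPTED_EXTS or has_trailing_marker(path):
                findings["encrypted_files"].append(rel)
    return {bucket: sorted(paths) for bucket, paths in findings.items()}


def build_sample_tree(root) -> None:
    """Constructed sample files (not real malware artefacts) for a dry run."""
    root = Path(root)
    public = root / "Users" / "Public"
    docs = root / "Users" / "alice" / "Documents"
    tmp = root / "Users" / "alice" / "AppData" / "Local" / "Temp"
    for directory in (public, docs, tmp):
        directory.mkdir(parents=True, exist_ok=True)
    (public / "DECRYPT_INFORMATION.html").write_text("<html>constructed ransom note</html>")
    (public / "UNIQUE_ID_DO_NOT_REMOVE").write_bytes(b"\x00" * 32)
    (tmp / "svchosta.exe").write_bytes(b"MZ" + b"\x00" * 16)
    # Old-style victim: renamed with the extension and the marker at the very end.
    (docs / "budget.xlsx.HERMES").write_bytes(os.urandom(64) + MARKER)
    # New-style victim: original name kept, marker followed by random bytes.
    (docs / "thesis.docx").write_bytes(os.urandom(64) + MARKER + os.urandom(40))
    (docs / "photo.jpg.hrm").write_bytes(os.urandom(64))
    (docs / "notes.txt").write_text("untouched file")


def demo() -> dict:
    """Build the sample tree in a scratch directory and return the scan result."""
    scratch = tempfile.mkdtemp(prefix="hermes_scan_")
    build_sample_tree(scratch)
    return scan_tree(scratch)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Point `scan_tree` at a mounted image or a user profile to get the four buckets; the marker check is a heuristic and will also flag any benign file that happens to contain the string HERMES near its end, so treat that bucket as candidates for manual review rather than a verdict.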

Ransomware researchers noticed an interesting tendency of this ransomware to exit the encryption code if it detects a registry key for the Russian (0x419), Belarusian (0x423), or Ukrainian (0x422) language code. Thus, we can only guess that the North Korean hackers are collaborating with Russian-speaking countries.

The original Hermes 2.1 ransomware variant is known to have been cracked after security experts created a free Hermes decryptor. Despite some minor modifications, the core behavior of all three variants of this ransomware is very similar, so you should try the free decryptor.

Hermes 2.1 malware is not decryptable. However, there are several options that can be used for recovering locked data.

If the decryptor failed to unlock your files, the best solution you have is to remove Hermes 2.1 completely and then recover your data using backups or other alternative methods.

Those who wonder how to protect themselves from this infection have only one option: install a reputable anti-virus and keep its definitions up to date. Besides, stay away from questionable email messages and DO NOT open their attachments.

Unfortunately, criminals employ multiple distribution techniques to help them infiltrate the ransomware on as many computers as possible. As a result, it might become hard to identify the potential sources of this dangerous cyber threat. However, we aim to raise awareness and help regular computer users protect their systems.


These are the most common attack vectors of ransomware:

  1. Exploit kits;
  2. Malspam campaigns;
  3. Fake software updates or cracks;
  4. Trojan horses.

Considering the executable name, it is likely that the malware is currently spread via gaming sites. If you value your data, you should consider avoiding such domains. It is common knowledge that pirated software, keygens, and cracks have long been popular tools exploited by malware developers.

Likewise, to limit the possibility of a Hermes 2.1 hijack, install a couple of different security applications. In addition, be careful when reviewing spam emails, especially if they appear to be sent by official institutions. Examine the content of the message and contact the institution directly to verify the received attachment.

Unfortunately, ransomware-type viruses are extremely dangerous computer threats. Even IT experts might struggle to remove Hermes 2.1 from victimized systems. Likewise, regular computer users should not try to eliminate the malware without assistance.

You can get rid of Hermes 2.1 with the help of robust malware removal software. However, this is a complex virus which might block your system and prevent you from installing the antivirus. You should deactivate the ransomware by booting your computer into Safe Mode.

Instructions on how to do that are appended at the end of this article. Afterward, you should be able to access the tool and complete Hermes 2.1 removal. Only after the elimination is complete should you proceed to data recovery. Experts from suggest you might try using the free Hermes decrypter designed for the original version.

Stage 1: Delete Browser Extension

First of all, we would recommend that you check your browser extensions and remove any that are linked to Hermes 2.1. A lot of adware and other unwanted programs use browser extensions in order to hijack internet applications.

Remove Hermes 2.1 Extension from Google Chrome

  1. Launch Google Chrome.
  2. In the address bar, type: chrome://extensions/ and press Enter.
  3. Look for Hermes 2.1 or anything related to it, and once you find it, press ‘Remove’.

Uninstall Hermes 2.1 Extension from Firefox

  1. Launch Mozilla Firefox.
  2. In the address bar, type: about:addons and press Enter.
  3. From the menu on the left, choose Extensions.
  4. Look for Hermes 2.1 or anything related to it, and once you find it, press ‘Remove’.

Delete Hermes 2.1 Extension from Safari

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Select Preferences from the list.
  4. Choose the Extensions tab.
  5. Look for Hermes 2.1 or anything related to it, and once you find it, press ‘Uninstall’.
  6. Additionally, open Safari Settings again and choose Downloads.
  7. If Hermes 2.1.safariextz appears on the list, select it and press ‘Clear’.

Remove Hermes 2.1 Add-ons from Internet Explorer

  1. Launch Internet Explorer.
  2. From the menu at the top, select Tools and then press Manage add-ons.
  3. Look for Hermes 2.1 or anything related to it, and once you find it, press ‘Remove’.
  4. Reopen Internet Explorer. In the unlikely scenario that Hermes 2.1 is still on your browser, follow the additional instructions below.
  5. Press Windows Key + R, type appwiz.cpl and press Enter
  6. The Program and Features window will open where you should be able to find the Hermes 2.1 program.
  7. Select Hermes 2.1 or any other recently installed unwanted entry and press ‘Uninstall/Change’.

Alternative method to clear the browser from Hermes 2.1

There may be cases when adware or PUPs cannot be removed by simply deleting extensions or codes. In those situations, it is necessary to reset the browser to its default configuration. If you notice that even after getting rid of weird extensions the infection is still present, follow the instructions below.

Use Chrome Clean Up Tool to Delete Hermes 2.1

  1. Launch Google Chrome.
  2. In the address box, type: chrome://settings/ and press Enter.
  3. Expand Advanced settings, which you can find by scrolling down.
  4. Scroll down until you see Reset and Cleanup.
  5. Press on Clean up computer. Then press Find.

This Google Chrome feature is supposed to clear the computer of any harmful software. If it does not detect Hermes 2.1, go back to the Clean up computer and reset settings.

Reset Mozilla Firefox to Default

If you still find Hermes 2.1 in your Mozilla Firefox browser, you should be able to get rid of it by restoring your Firefox settings to default. While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.

  1. Launch Mozilla Firefox
  2. Into the address box, type: about:support and press Enter.
  3. You will be redirected to a Troubleshooting Information page.
  4. From the menu on the right side, select Refresh Firefox.
  5. Confirm your choice by clicking Refresh Firefox in the new window.
  6. Your browser will close automatically in order to successfully restore the settings.
  7. Press Finish.

Reset Safari Browser to Normal Settings

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Press Reset Safari.
  4. A new window will appear. Select the boxes of what you want to reset or use the screenshot below to guide you. Once you have selected everything, press ‘Reset’.
  5. Restart Safari.

Restore Internet Explorer to Default Settings

  1. Launch Internet Explorer.
  2. From the top menu, press on Tools and then Internet Options.
  3. In the new window that opens, choose the Advanced tab.
  4. At the bottom of the window, below Reset Internet settings, there will be a ‘Reset’ button. Press that.

While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.
