Hermes RaaS

The Hermes RaaS is an encryption ransomware Trojan that was first observed in August 2018. The Hermes RaaS is part of a Ransomware as a Service platform that has been active since early Spring of the same year, and seems to be derived from the Hermes 2.1 Ransomware, which was first observed in November of the previous year. The Hermes RaaS variants are being delivered to victims through typical distribution methods associated with encryption ransomware Trojans, such as corrupted advertisements, spam email attachments, and hacking into the victim's computer directly.

A Messenger of the Gods was Sent to Attack Your Machine

The Hermes RaaS variants carry out a typical version of the encryption ransomware attack, using an encryption algorithm to encrypt the user-generated files on the victim's computer. The Hermes RaaS targets the files listed below in its attacks:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

Criminals looking to use the Hermes RaaS for attacks pay about 5300 USD for the Hermes RaaS toolkit and can purchase additional distribution variants, such as automated email accounts, for additional fees. The Hermes RaaS variants tend to mark the files encrypted by their attacks by adding the file extension 'HRM' to the file's name. The Hermes RaaS delivers a ransom note in an HTML file named 'DECRYPT_INFORMATION.html,' which is dropped on the infected computer. The Hermes RaaS delivers versions of the Hermes RaaS in five different languages and contains the message:

'HERMES 2.1 RANSOMWARE
All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.
There is only one way to get your files back: contact with us, pay, and get decryptor software.
You have "UNIQUE_ID_DO_NOT_REMOVE" file on your desktop also it duplicated in some folders,
its your unique idkey, attach it to letter when contact with us. Also you can decrypt 3 files for test.
We accept Bitcoin, you can find exchangers on hxxps://www.bitcoin[.]com/buy-bitcoin and others.
Contact information:
primary email: BM-2cTSTDcCD5cNqQ5Ugx4US7momFtBynwdgJ@bitmessage.ch
reserve email: BM-2cT72URgs1AWGV6Wy6KBu2YUj3ychN5vxC@bitmessage.ch'

One unique aspect of the Hermes RaaS is that the variants of this threat are designed not to attack computers where the default keyboard layout is Russian, which may point to the Hermes RaaS's origin and intended targets.

Protecting Your Data from the Hermes RaaS and Its Variants

File backups can nullify the damage caused by the Hermes RaaS and its variants, as with most encryption ransomware Trojans. The backup copies of your files, which should be stored on external devices makes recovering from a Hermes RaaS attack not too difficult. The Hermes RaaS infection itself can be intercepted or removed with the help of a security program. However, these security programs may not be capable of restoring the files encrypted by the Hermes RaaS's attack without a decryption key.