February 17, 2017

Emsisoft CTO and Malware Researcher Fabian Wosar has said in the past that he wanted to perform an educational live stream about reversing malware. Today, after G Data security researcher Karsten Hahn discovered a new ransomware called Hermes, Fabian decided to use it as the sample for his first live streaming session.

The best part is that this ransomware turns out to be decryptable. This allowed those of us who were watching the live stream to get a first-hand view of how a malware researcher analyzes a new ransomware and creates a decryptor for it.

Fabian's Analysis shows that Hermes can be Decrypted

While analyzing the Hermes sample, Fabian found that the seed used to generate the encryption key could be attacked in order to create a decryptor. Once this was determined, Fabian showed how this knowledge could be used to recover a key and build a decryptor for the encrypted files.

For those interested in this process, you can watch the full video, which is embedded below. I watched a good portion of the live stream today and it is an interesting way to gain better insight into how researchers analyze malware.

While it has been shown that a decryptor can be made for the Hermes Ransomware, it is not available as of yet. Once it becomes available, I will add a link to it here.

Hermes Uses a UAC Bypass to Delete Shadow Volume Copies

When Hermes is executed, it will also use a User Account Control, or UAC, bypass called Eleven (Elevation by environment variable expansion) to delete a victim's Shadow Volume Copies and backup files.

Eleven UAC Bypass Folder

This bypass, which is best explained in the linked article above, allows a VBS file called Shade.vbs to bypass User Account Control and launch with elevated privileges. This VBS file then launches a batch file called Shade.bat that is used to clear all of the Shadow Volume Copies and delete backup sets. The backup sets that are deleted are described in more detail in the next section.

Hermes Attempts to Delete Backup Files

As described in the previous section, Hermes uses a UAC bypass to execute a batch file called Shade.bat. This batch file, shown below, will not only delete the computer's shadow volumes, but will also delete backup images that may be present on the computer. It does this to prevent a victim from restoring encrypted files from a backup.

Shade.bat File to Delete Shadow Volume Copies and Backups

The backup images that are deleted are ones that match the following filenames:

How Hermes Ransomware Encrypts a Computer

When the Hermes Ransomware is executed, it will copy itself to C:\Users\Public\Reload.exe and execute itself. It will then launch a batch file called system_.bat, which is used to delete the original installer as shown below.

System_.bat Batch File

Hermes will then begin to scan a victim's computer and unmapped network shares for files that contain certain extensions and encrypt them using AES encryption. The list of targeted file extensions can be found at the end of this article.

It should be noted that when Hermes encrypts a file, it does not append a new extension to the encrypted file. It does, though, add a file marker, HERMES, at the end of the encrypted file's contents, as seen below.

File Marker in Encrypted File

While encrypting files it will create a ransom note named DECRYPT_INFORMATION.html and a file called UNIQUE_ID_DO_NOT_REMOVE in each folder in which a file was encrypted. It is suspected that the UNIQUE_ID_DO_NOT_REMOVE file contains the AES encryption key used to encrypt the files, itself encrypted with a bundled RSA public key. This means that only the ransomware developer, who holds the matching private key, can decrypt this file and retrieve a victim's decryption key.
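Because Hermes leaves the original extension in place, the trailing HERMES marker and the two per-folder artifacts are the practical signals for triaging an affected share. The following scanner is an added example, not code from the article or from Emsisoft; it assumes the marker is the literal ASCII bytes HERMES at the very end of the file and that the artifact filenames are exact, and it builds a constructed sample tree so it runs offline.

```python
# Added triage helper (not from the article): flag files that end with the
# HERMES trailer and list the per-folder artifacts the article names.
import os
import tempfile

HERMES_MARKER = b"HERMES"
ARTIFACT_NAMES = {"DECRYPT_INFORMATION.html", "UNIQUE_ID_DO_NOT_REMOVE"}


def has_hermes_marker(path, marker=HERMES_MARKER):
    """True if the file ends with the marker; only the tail is read."""
    size = os.path.getsize(path)
    if size < len(marker):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(marker))
        return fh.read(len(marker)) == marker


def scan_tree(root):
    """Walk root; return sorted (encrypted, artifacts) paths relative to root."""
    encrypted, artifacts = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name in ARTIFACT_NAMES:
                artifacts.append(rel)   # ransom note / encrypted-key file
            elif has_hermes_marker(full):
                encrypted.append(rel)   # extension unchanged; trailer is the signal
    return sorted(encrypted), sorted(artifacts)


def build_sample_tree():
    """Write a constructed sample tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="hermes_demo_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.docx": b"\x01\x02fake ciphertext\x9f" + HERMES_MARKER,
        "docs/notes.txt": b"plain text, untouched",
        "docs/DECRYPT_INFORMATION.html": b"<html>ransom note</html>",
        "docs/UNIQUE_ID_DO_NOT_REMOVE": b"\x00" * 16,
        "tiny": b"HER",  # shorter than the marker: must not match
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Run `scan_tree(build_sample_tree())` to see the constructed tree triaged; point `scan_tree` at a real share root to list suspected encrypted files without relying on filenames.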

During this process, the ransomware will also delete shadow volume copies and backup files as described in the previous sections. When done, it will display the DECRYPT_INFORMATION.html ransom note that contains information on what happened to the victim's files, an offer to decrypt 3 files for free, and payment instructions.

Hermes Ransom Note

This ransom note includes two methods by which a victim can contact the developer in order to get payment instructions: a Bitmessage address and an email address. At this time it is not known how much the developer is demanding for the ransom payment.

The good news is that, now that a decryptor is imminent, victims will not have to pay to get their files back. In the meantime, for those who wish to discuss this ransomware or receive support, you can use the Hermes Ransomware Help & Support Topic.

Files associated with the Hermes Ransomware

Registry entries associated with the Hermes Ransomware

Ransom Note Text:

Hermes Contact Info:

Targeted File Extensions: