Hermes 2.1 HRM - How to remove

Hermes 2.1 ransomware corrupts your files and marks them with the HRM extension. Hermes 2.1 spreads with malicious ads and infected documents. The victims are asked by the crypto extortionists to pay money to get their files back. There’s no free decryption tool available for Hermes 2.1.

In short about Hermes 2.1:

Type of threat: Ransomware.
How Hermes 2.1 spreads: with malicious ads, with malicious emails, in infected documents.
How to get your files back: restore from backups, restore deleted files with special software.
How to remove Hermes 2.1: delete all the malicious files, scan your computer with an anti-malware tool, like SpyHunter, to get rid of the infection.

Hermes 2.1 infection symptoms

During a Hermes 2.1 attack, you may be asked a few times to allow unknown programs and files to make changes to your computer. Some of us are used to clicking “Yes” to every prompt like this. But be aware that they can be signs of malware. Hermes 2.1 needs you to accept such a prompt before it can delete your backups and shadow volume copies, which it does to make it harder to restore your files.

After a Hermes 2.1 attack, your files suddenly have the HRM extension at the ends of their names, for example:

picture.jpg.[[email protected]].HRM

You just can’t open these files. They’re encrypted. This means that Hermes 2.1 scrambled their contents, turning them into random-looking data. The files don’t make any sense to the programs that are supposed to read them. The only way to reverse this is to run them through the decryption algorithm with the one correct decryption key. Using the wrong key or changing the encrypted files even slightly can ruin them and make decryption impossible.

And everywhere on your computer, ransom notes called DECRYPT_INFORMATION.html show up. These are HTML files, documents in the form of a webpage. They just say that “All your important files are encrypted…”, not very different from the Hermes 1 version.
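As an added example that is not part of the original article, the Python script below inventories the symptoms described above in a read-only way: files renamed with the bracketed contact address and the HRM extension, copies of DECRYPT_INFORMATION.html, and the C:\Users\Public\UNIQUE_ID_DO_NOT_REMOVE marker that this article mentions among the recovery options. The sample directory tree it builds, the contact address contact@example.invalid and the marker's contents are constructed for the demo. The script changes nothing on disk, because modifying encrypted files can make any later decryption impossible.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming pattern the article describes: original name, a bracketed contact
# address, then the HRM extension, e.g. picture.jpg.[<contact>].HRM
HRM_NAME = re.compile(r"^(?P<original>.+?)\.\[.*\]\.HRM$", re.IGNORECASE)
RANSOM_NOTE = "DECRYPT_INFORMATION.html"
# Marker file named in the article, relative to the system drive root.
MARKER_RELATIVE = Path("Users") / "Public" / "UNIQUE_ID_DO_NOT_REMOVE"


def original_name(filename):
    """Return the pre-encryption name of an HRM-renamed file, or None."""
    m = HRM_NAME.match(filename)
    return m.group("original") if m else None


def triage(root):
    """Read-only inventory of a directory tree.

    Returns the encrypted files, the ransom notes found, whether the
    UNIQUE_ID marker exists, and the names the encrypted files had before
    the attack. Nothing is written or renamed.
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if original_name(name) is not None:
                encrypted.append(path)
            elif name.lower() == RANSOM_NOTE.lower():
                notes.append(path)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "marker_present": (root / MARKER_RELATIVE).is_file(),
        "originals": sorted(original_name(p.name) for p in encrypted),
    }


def build_sample_tree(base):
    """Constructed sample tree (not real victim data) used by the demo."""
    base = Path(base)
    docs = base / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    contact = "contact@example.invalid"  # constructed placeholder address
    (docs / f"picture.jpg.[{contact}].HRM").write_bytes(b"\x00" * 16)
    (docs / f"report.docx.[{contact}].HRM").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    (docs / RANSOM_NOTE).write_text("<html>All your important files are encrypted...</html>")
    public = base / "Users" / "Public"
    public.mkdir()
    (public / "UNIQUE_ID_DO_NOT_REMOVE").write_bytes(b"constructed-id")
    (public / RANSOM_NOTE).write_text("<html>All your important files are encrypted...</html>")
    return base


def run_demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(build_sample_tree(tmp))
    # Reduce paths to names so the result stays meaningful after cleanup.
    result["encrypted"] = [p.name for p in result["encrypted"]]
    result["notes"] = sorted(f"{p.parent.name}/{p.name}" for p in result["notes"])
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real machine you would call triage() on the root of the system drive (or a mounted image of it) instead of the constructed tree; the "originals" list is what you would hand to whoever restores from backup.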

You may wonder how Hermes 2.1 infected your computer. One option is spam emails with malicious attachments. These attachments were usually Office documents that contained malicious macros. Here is one example on VirusTotal. Hermes 2.1 also used a security bug in outdated versions of Flash Player. Another option is infected websites that redirect visitors to malicious sites. The owner of the infected website might not even know about the infection.

Hermes 2.1 has been spreading since at least the beginning of 2018. It seemed to calm down in the middle of 2019 (though other versions of Hermes, like 837 and 666, appeared), but recently a few new reports about infections cropped up, which is why I’m writing about this.

Hermes 2.1 asks for Bitcoin.

How to get your files back

When the first version of Hermes came out and started infecting people, a free decrypter was soon released thanks to Fabian Wosar and Michael Gillespie, two famous ransomware hunters. But the criminals who made Hermes fixed the flaws and upped the security of their malware. Subsequent versions of Hermes were stronger.

Hermes 2.1 has been around for almost two years. Despite that, victims sometimes still crop up. Researchers and analysts have combed through it searching for flaws, but they have not found any to exploit. There is no free decrypter for HRM files and there might never be one. In fact, some people claiming to be the makers of Hermes 2.1 said that when they retire, they would delete the decryption master key and no one will get to decrypt their files then. So, you will need to find another way to get your files back.

Among your options are these:

  • Restore your files from a backup. Even if you don’t have a backup, check other devices and cloud storage to find your important files. Maybe you saved them on your phone, emailed them to someone, or had OneDrive turned on, and can find some of your files there?
  • Restore your files from Shadow volume copies. Even though Hermes 2.1 usually deletes those, there’s always a chance it malfunctioned or something.
  • Undelete files using a data recovery program. If the drive that Hermes 2.1 attacked is a hard disk, you may be able to recover some valuable data.
  • Put the HRM files and the C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE file somewhere safe and wait. There’s always a slim chance that the decryption keys will be released. The encrypted files are not dangerous, only the executables of Hermes 2.1 are.

Steer clear of scammers. Be suspicious of anyone who promises to fix your files for a fee. These people prey on desperate victims and ask them to pay money repeatedly and then run away.

How to remove Hermes 2.1

To clean your computer of Hermes 2.1, you need to remove the infection and all the files associated with it. For example, if you still have the file that contained the original script for downloading Hermes 2.1, it is still dangerous and could re-infect your computer if you don’t delete it. The HRM files are not dangerous, though, and you can feel safe keeping those.

Hermes 2.1 is detected by most competent antivirus programs and you can use any good program to clean your computer – for example, there’s SpyHunter. This can’t fix your files, but it will remove the malware that encrypted them. This way, Hermes 2.1 can’t re-encrypt anything.


How to recover Hermes 2.1 HRM encrypted files and remove the virus

Step 1. Restore your system to the last known good state using System Restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points that is dated before Hermes 2.1 HRM infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Hermes 2.1 HRM

After restoring your system, it is recommended to scan your computer with an anti-malware program, like SpyHunter, and remove all malicious files related to Hermes 2.1 HRM. You can check other tools here.

Step 3. Restore Hermes 2.1 HRM affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Hermes 2.1 HRM tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
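As an added example that is not part of the original guide: before clicking through Previous Versions or Shadow Explorer, you can check from an elevated command prompt whether any Shadow Volume Copies survived the attack by running vssadmin list shadows. The Python script below parses that command's output into a per-drive list of surviving snapshots and their creation times. The two sample outputs embedded in it are constructed (placeholder GUIDs, host name and timestamps), so the script runs offline on any platform; on Windows it queries the live system instead.

```python
import re
import subprocess
import sys

# Constructed samples of `vssadmin list shadows` output (not captured from a
# real machine); GUIDs, host name and timestamps are placeholders.
SAMPLE_WITH_SHADOWS = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 1/10/2020 9:05:12 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION01
         Service Machine: WORKSTATION01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 1/12/2020 7:30:01 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION01
         Service Machine: WORKSTATION01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# What vssadmin prints when the ransomware's deletion succeeded (constructed copy).
SAMPLE_NO_SHADOWS = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

# Per-copy fields worth keeping, keyed by the label vssadmin prints.
FIELDS = {
    "Original Volume": "volume",
    "Shadow Copy Volume": "device",
    "Originating Machine": "machine",
    "Type": "type",
    "Attributes": "attributes",
}


def parse_shadow_copies(text):
    """Parse `vssadmin list shadows` output into a list of dicts, one per copy."""
    copies, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Contained \d+ shadow copies at creation time: (.+)$", line)
        if m:
            created = m.group(1).strip()  # applies to the copies that follow
            continue
        m = re.match(r"Shadow Copy ID: (\{[0-9A-Fa-f-]+\})$", line)
        if m:
            current = {"id": m.group(1), "created": created}
            copies.append(current)
            continue
        if current is None:
            continue
        for label, key in FIELDS.items():
            if line.startswith(label + ":"):
                value = line[len(label) + 1:].strip()
                current[key] = value
                if key == "volume":  # pull "C:" out of "(C:)\\?\Volume{...}\"
                    drive = re.match(r"^\((\w:)\)", value)
                    current["drive"] = drive.group(1) if drive else None
                break
    return copies


def snapshots_by_drive(text):
    """Map each drive letter to the creation times of its surviving snapshots."""
    result = {}
    for copy in parse_shadow_copies(text):
        result.setdefault(copy["drive"], []).append(copy["created"])
    return result


def shadow_copies_survived(text):
    """True if the output lists at least one shadow copy."""
    return bool(parse_shadow_copies(text))


if __name__ == "__main__":
    if sys.platform == "win32":
        # Needs an elevated prompt; vssadmin refuses to list shadows otherwise.
        text = subprocess.run(["vssadmin", "list", "shadows"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_WITH_SHADOWS
    print("shadow copies survived:", shadow_copies_survived(text))
    for drive, times in snapshots_by_drive(text).items():
        print(drive, "->", ", ".join(times))
```

If the script reports surviving snapshots for the drive that holds your files, the Previous Versions and Shadow Explorer steps above have something to work with; if it reports none, move on to data recovery programs or backups.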

Step 4. Use Data Recovery programs to recover Hermes 2.1 HRM encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program, for example Data Recovery Pro.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.