Hermes666 Ransomware - How to remove

Has Hermes666 encrypted your files? Do the files refuse to open anymore? Do they have the “.Hermes666” extension as a part of their names now? If yes, you must have become a victim of a cryptovirus. This malware is serious because it can cause irreparable harm by locking up the victim’s files. You can still see the files, even open them as text, but not access any useful information — the virus turned the data of your files into indecipherable garbage. And, for some victims, the files can never be recovered.

Hermes666 happens to be closely related to Mr-X666, Hades666, and other members of the Maoloa group. These infections are spread and new ones are developed by criminals who demand money from their victims. In exchange for large sums of money, they promise to fix the files. This online extortion is illegal, but probably effective enough to keep the criminals coming back and releasing new versions, continuing to hurt new victims.

Is the Hermes666 ransom note right?

HOW TO BACK YOUR FILES.txt is the name of the ransom note that Hermes666 leaves on your computer after it’s done locking the files. The note goes like this:

YOUR FILES ARE ENCRYPTED !!!
TO DECRYPT, FOLLOW THE INSTRUCTIONS:
To recover data you need decrypt tool.
To get the decrypt tool you should:
1.In the letter include your personal ID! Send me this ID in your first email to me!
2.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool!

DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:
[email protected]
ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:

Most of your files are broken with an encryption algorithm and marked with the “.Hermes666” extension. And, sadly, the criminals are correct about that. Each decryption key is different for each victim, so if there is anyone who was able to successfully unlock their data, their key won’t work for you and will only corrupt the files further.

There is also doubt about whether the data is decrypted for those who pay. Paying the developers of Hermes666 their ransom is great for the crooks, but there is no way for them to be held responsible if they fail to send back a working decrypter and a decryption key. Thus, the general statistics of victims restoring data after having paid the ransom are abysmal. That should only be done in the most desperate situations.

Next, Hermes666’s developers shout at you to not touch your files. It’s against their interests to mention that you can safely copy those files onto a backup and play with them as much as you want. As long as you have the originals, it’s fine. The locked Hermes666 files aren’t even dangerous, so they can be put on other computers without any concern. Only the files that belong to Hermes666 are dangerous.

The reason you might want to explore the files, if you have the time, is that some file types aren’t properly encrypted by some ransomware. Occasionally, though rarely, it’s possible to recover a few files by just renaming them and removing the “.Hermes666” appendage. Don’t rename the original encrypted files and don’t lose the ransom note if you ever hope to decrypt them, though.
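One way to run that check without touching the originals, as an added example that is not part of the original guide: the script copies every “.Hermes666” file into a separate working folder under its original name and compares the first bytes of each copy with the standard signature of its file type. The function names, the folder names and the sample files are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

EXT = ".Hermes666"  # extension this page says is appended to locked files

# Well-known leading "magic bytes" for a few formats (small sample, not exhaustive).
SIGNATURES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}

def triage(src_dir, work_dir):
    """Copy each *.Hermes666 file into work_dir under its original name and
    report whether the copy still starts with the signature of its type.
    Files in src_dir are only read: never renamed, moved or modified."""
    src_dir, work_dir = Path(src_dir), Path(work_dir)
    report = {}
    for locked in sorted(src_dir.rglob("*" + EXT)):
        if not locked.is_file() or locked.name == EXT:
            continue
        original = locked.relative_to(src_dir).with_name(locked.name[:-len(EXT)])
        dest = work_dir / original
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(locked, dest)  # all testing happens on this copy
        magic = SIGNATURES.get(dest.suffix.lower())
        with dest.open("rb") as fh:
            head = fh.read(16)
        if magic is None:
            verdict = "unknown type"
        elif head.startswith(magic):
            # A good header is a hint only; later parts may still be scrambled.
            verdict = "header intact, try opening the copy"
        else:
            verdict = "encrypted"
        report[original.as_posix()] = verdict
    return report

def demo():
    """Constructed sample data: one PDF left unencrypted, one scrambled PNG."""
    with tempfile.TemporaryDirectory() as tmp:
        src, work = Path(tmp, "locked"), Path(tmp, "work")
        src.mkdir()
        (src / ("invoice.pdf" + EXT)).write_bytes(b"%PDF-1.4 constructed sample")
        (src / ("photo.png" + EXT)).write_bytes(bytes(range(200, 232)))
        return triage(src, work), sorted(p.name for p in src.iterdir())

if __name__ == "__main__":
    print(demo())
```

Keep the working folder outside the folder being scanned, so the copies are not picked up on a later run.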

How malware like Hermes666 spreads

It’s very important to know how Hermes666 and other malicious programs spread because that should help you avoid some future infections which can result in leaked private data, accounts hacked by criminals, stolen money, even hijacked hardware! Some viruses are genuinely scary but a lot of them are totally avoidable by just having good browsing habits.

Ways for malware to infect your computer include:

  • Infected files that arrive by email. Malicious email spam is a problem because the letters can be so convincing. A bill, an urgent invoice? A package that could not be delivered? A warning that someone tried to log in to your account? Phishing links and infectious files are spread by malspam all the time, and quite effectively. So, make sure to scan each file before you open it. Configure your Windows to show file extensions. Don’t enable macros on documents. Be skeptical of letters which arrive from unknown senders and which don’t address you by name, but also remember to watch out for targeted attacks.
  • Hacked Remote Desktop accounts can be used to install Hermes666 or any other malware by criminals — if the RDP isn’t properly protected and uses weak credentials. This type of attack isn’t relevant to those who have RDP turned off.
  • Infected ads and websites are used to deliver ransomware a lot like Hermes666 to unsuspecting bystanders. Luckily, it’s not inevitable that you’ll get infected if you land on a malicious site. People surfing the Web with an outdated browser or media player are the most vulnerable. Those who haven’t updated their OS and anti-malware software are at risk, too.
  • Infected files are disguised and then made available for download. If Hermes666 manifested on your computer shortly after some other program was downloaded, then maybe that other program’s installation was compromised by Hermes666’s developers. It’s known that, sometimes, a safe program is infected and then distributed unofficially, on spoofed sites or filesharing networks.

Browsing the Web safely, installing security updates, and, most importantly, backing up your data can protect you against some of the biggest threats.

Hermes666 ransom note

How to remove Hermes666

Most basic anti-malware programs, like Spyhunter, can detect ransomware, even in safe mode. You can delete Hermes666 manually if you know where the files are. You can also choose automatic removal if your antivirus program offers it. Either way, make sure to scan your device after the removal to make sure that no malicious software is left on your device.


As for restoring the files, that’s not so easy — except for those who had file backups from before the infection. Backups are important and they can save you from experiencing stress and anxiety if you suddenly can’t access your files on your main computer, whether because of Hermes666, or some hardware failure.

Free decrypters are sometimes created and made available to everyone. But not all cryptoviruses are decryptable, and even if Hermes666 is, it could take months or years to decrypt it. That’s not helpful if you need your data now.

Data recovery options that don’t rely on decryption are described here, below. But the chances of success depend on your individual circumstances, such as if you had system restore on. That’s why I can’t guarantee that the files locked by Hermes666 can be restored.


How to recover Hermes666 Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points from before Hermes666 Ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of Hermes666 Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Hermes666 Ransomware.

Step 3. Restore Hermes666 Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Hermes666 Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Hermes666 Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.