Guide to Remove Hermes RaaS

Despite the incessant efforts of Cyber security professionals to curb cyber-crimes, cyber criminals are reluctant to take a back seat. Security threats are on the rise hitting critical services at large. These crypto maniacs have evolved vicious and harmful tactics over time to extort users of their hard earned money.

Among all the cyber threats launched, ransomware attacks are garnering more attention lately. Though Ransomware attacks are not new to the cyber world, They have certainly gained intensity over time. While people are still struggling with this form of cyber threat, attackers have moved a step ahead by launching Raas (Ransomware-as-a-Service) attack.

Under this service, threat actors provide a complete malicious kit capable of launching ransomware attack. Availability of these packages reduces the need to code malware. Subscription to this malicious model allows even a novice cyber-criminal to launch a ransomware attack without much difficulty.

This ransomware kit provides step-by-step instruction on the technical know-how to launch the ransomware attack. Once the attack is successful, the ransom money is shared among attackers, coders and service providers.

One such RaaS malware recently discovered is Hermes Raas virus. Criminal minds who aspire to earn easy money have to pay 5300 USD to purchase this malware kit. Additional sum is levied in order to make a purchase of supplementary distribution variants such as automated email accounts.

Hermes RaaS – Threat Behaviour

This malicious ransomware once injected infects the system files. The filenames are appended with ‘.hrm’ extension rendering them useless.

The victim is informed about the infection via a ransom note dropped on the system with the file name ‘DECRYPY_INFORMATION.html’. The note reads as:

The files that the ransomware Hermes RaaS targets include:

.bac, .cmb, .win, .htm, .html, .pfx, .pdf, .doc, .docx, .docm, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .jpg, .jpeg, .png, .bmp, .jiff, .key, .egg, .zip, .zipx, .7z, .rar, .jif, .csv, .msg, .dot and various other extensions.

All local drives are at risk with the devious injection of Hermes Ransomware in the system. The malicious system infection does not even spare external memory devices or shared directories on a network.

How is Hermes RaaS Distributed?

The ransomware is distributed via unsolicited email attachments. Hermes Ransomware exploits the vulnerabilities in macros, a feature that is useful to automate frequently used tasks in Microsoft files like excel and Word. Macros and all other active contents are disabled by default in Microsoft files.

Attachments that seek enabling of macros need to be carefully scrutinized as there is high probability that these files are malicious. Accidental or deliberate act of enabling the macros may entrap users in a vicious cycle. The malicious code is executed as soon as the document is opened.

To counter the increase in macro based malware threats, Microsoft released a new feature in Office 2016 that blocks macros form loading in certain high-risk scenarios.

As a user you need to be cautious in handling unsolicited email attachments. It is recommended that you disable the macro functionality in common word processor to avoid these corrupted macros to run automatically.

Never Pay Ransom!

Victims are advised not to fall in the trap and should never agree to pay the ransom under any circumstances, as they are often ignored once the ransom is paid. Moreover, if the victim pays ransom it helps cyber maniacs fund more activity of the ransom threat.

Threat Summary

Name – Hermes RaaS

Category – Ransomware

Targeted Operating System – Windows XP, Windows Vista, Windows 7, Windows 8.0/8.1, Windows 10

Symptoms – User’s files are encrypted. All locked files are appended with “.hrm” extension after the encryption and hence cannot be accessed by the user.

How to remove Hermes RaaS from the System?

Remove the Services installed by Hermes RaaS from the system using safe mode with command prompt.

Once the system starts, ensure to use an account with administrative privilege to access Safe Mode with Command Prompt.

After the user enters admin credentials, Command prompt window is displayed wherein you are entitled to enter the below commands:

1. Type the command “sc delete Hermes RaaS ” in the command prompt and press Enter.
2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.

Tips to prevent your computer system from getting infected –

1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like Hitman pro and Avira so that it remains safe.
6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.

Hits: 101