Categories: Ransomware

Cyber Criminals Launch Hermes Ransomware Via Password Protected Word Documents

Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.

Hermes Ransomware Attack is wide spreading Ransomware nowadays with newly updated futures under constant development to target various countries.

Few Months Before attackers distributed Hermes ransomware through the flash exploit and attacks targetted on South Korean users.

Malware authors added many futures in newly evolved versions Ransomware such as change the method to get the Trojan key, algorithm, crypto-libraries and distribution method.

Also, they are using various obfuscation techniques to evade the detection of anti-virus software and maintain its persistance.

Currently discovered malicious word document protected with a password that shows a 1 / 59 detection rate in VirusTotal.

How does Hermes Ransomware Infection Works

Intially Hermes Ransomware distributed via malspam that claimes the job applications with malicious attached word documents.

Once user trying to open the documents, it keeps requesting the password to open the file and the password has mentioned within the mail body content with sending addresses ending in anjanabro.com.

After opening the document, a user asked to enable the macros with a security warning to proceed the malicious document to do further malicious activities.

According to SANS, After successfully opening the attached Word document and enabling macros, I only saw one HTTP request that returned a malware binary. This was Hermes ransomware, and it didn’t generate any post-infection traffic.

After completing the infection process, vicitms disk files will be completely encrypted and the ransom notes will be displayed on a desktop.

Ransom note indicates that the victim’s files are encrypted using RSA2048 algorithm with a unique public key and the user asked to pay the ransom amount in bitcoin.

Also, infected users can test 1 file as a token decryption key and attacker provide a contact email decryptsupport@protonmail.com for further instructions.