Cylance vs. Hermes Ransomware


Hermes, the ransomware suspected of being a state-sponsored creation, is making another run for your data.

Hermes was notoriously deployed as a distraction during the failed hack of Taiwan’s Far Eastern International Bank in 2017. During the attack, the malware infiltrated the bank’s infrastructure via infected Office documents.

This new variant is dubbed Hermes 2.1, after researchers spotted instances of code re-use while comparing it to the original Hermes malware.

Hermes Analyzed

The Cylance Threat Research Group recently examined Hermes 2.1 to see if this fleet-footed threat could outpace our detection. The original Hermes malware encrypted data, displayed detailed ransom instructions, and changed the desktop wallpaper.

A later version, one used in the attack on Taiwan’s Far Eastern International Bank, only displayed a popup reading “finish work” after encryption. Given the evolving nature of this malware, our team was interested in seeing how it operates today.

We made the following observations about Hermes 2.1:

The malware encrypts data by launching a svchostu.exe process from the user’s temp directory. Once encryption completes, it leaves an HTML file containing an abbreviated ransom message.

Our testing revealed that the desktop background change implemented by the original Hermes is absent from version 2.1.
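The process observation above is the most actionable detail for defenders: a svchost look-alike named svchostu.exe starting out of a user's temp directory is something endpoint telemetry can flag. The following Python is an added example, not part of Cylance's analysis, that runs such a check over constructed process-creation records (Sysmon event ID 1 style fields). The legitimate svchost locations, temp-directory patterns, the Office-parent correlation (drawn from the infected-document vector the post mentions for the 2017 attack) and the severity scoring are all assumptions to tune for your own environment.

```python
"""Flag svchost look-alikes launched from temp directories, as described for Hermes 2.1.
Added example; all events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Where a genuine svchost.exe lives (assumption: %SystemRoot% is C:\Windows).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Temp locations to watch (assumption: default Windows profile layout).
TEMP_DIR_PATTERNS = (
    re.compile(r"\\appdata\\local\\temp(\\|$)", re.I),
    re.compile(r"^[a-z]:\\windows\\temp(\\|$)", re.I),
)

# Office hosts as parent process: hypothetical correlation with the
# infected-document vector the post mentions, not a stated trait of 2.1.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (e.g. Sysmon event ID 1 fields)."""
    image: str
    parent_image: str
    user: str


@dataclass
class Alert:
    image: str
    severity: str
    reasons: List[str]


def is_svchost_lookalike(name: str) -> bool:
    """Matches svchost.exe itself plus near-names such as svchostu.exe."""
    n = name.lower()
    return n.startswith("svchost") and n.endswith(".exe")


def evaluate(ev: ProcessEvent) -> Optional[Alert]:
    """Score one event; return an Alert when any indicator fires."""
    path = PureWindowsPath(ev.image)
    name = path.name.lower()
    directory = str(path.parent).lower()
    parent = PureWindowsPath(ev.parent_image).name.lower()
    reasons, score = [], 0

    # A svchost-named binary anywhere but System32/SysWOW64 is a masquerade.
    if is_svchost_lookalike(name) and (name != "svchost.exe" or directory not in LEGIT_SVCHOST_DIRS):
        reasons.append("svchost look-alike outside System32")
        score += 2
    # Any executable starting from a temp directory is worth a low-priority note.
    if name.endswith(".exe") and any(p.search(directory) for p in TEMP_DIR_PATTERNS):
        reasons.append("executable launched from a temp directory")
        score += 1
    # Only escalate on an Office parent when something else already fired.
    if reasons and parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
        score += 1

    if not reasons:
        return None
    return Alert(ev.image, "high" if score >= 2 else "low", reasons)


def scan(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample telemetry (not taken from the Cylance analysis).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\svchostu.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"CORP\alice"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\setup.exe", r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessEvent(r"C:\Users\bob\Downloads\svchost.exe", r"C:\Windows\explorer.exe", r"CORP\bob"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.image}: {'; '.join(alert.reasons)}")
```

The temp-directory rule on its own will fire on legitimate installers, which is why it only contributes a low score; the look-alike name is the discriminating signal, and the two together are what the post's description of Hermes 2.1 would produce.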

Why is Hermes Important and Why Should I Be Concerned?

Hermes has gone through several iterations, indicating that it is a work in progress. Weaknesses discovered in earlier versions of this malware were fixed in later ones. Several sources attribute the creation of this malware to a nation-state. If true, considerable resources may exist for the continued development of Hermes.

In the US, new cybersecurity compliance legislation is being advanced. If passed, the new law will drive the prohibitive costs of data breaches even higher. The rising frequency of ransomware attacks and increasingly punitive legislation (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Blog. Read the original post at: Cylance Blog