
HermesVirus HT Ransomware

Posted: April 23, 2019

The HermesVirus HT Ransomware is a new version of the Hidden Tear project, a file-locking Trojan 'demonstration' by Utku Sen. This variant locks your files and displays a ransom warning both on the desktop wallpaper and in a text file. Users can back up their work for ideal safety or, after dealing with the HermesVirus HT Ransomware through appropriate anti-malware tools, use freeware decryptors that can unlock HT-blocked files.

A Greek God that Might Be a Secret Russian

The deity with winged feet is a favorite theme for some threat actors, who return to it periodically via threats like the Hermes Ransomware, the Hermes 2.1 Ransomware update, the Hermes RaaS, and, most recently, the HermesVirus HT Ransomware. Out of all of these Trojans, however, the HermesVirus HT Ransomware is the only one that malware experts are connecting to Utku Sen's Hidden Tear. HT is a notoriously free resource for criminals who want a file-locker Trojan campaign but lack the talent for coding one from scratch.

The HermesVirus HT Ransomware automatically searches for files that it can lock and encrypts them with the usual AES (or Rijndael, as it's sometimes known) algorithm. It appends 'hermes' extensions to the ends of their names, although this change doesn't signify any underlying format alteration besides the encryption. However, it does give victims an easy-to-search string for finding which files it is holding hostage.

The HermesVirus HT Ransomware's other origin point of note is its possible connection to the Marozka Ransomware, a Russian Jack Frost-themed version of Hidden Tear. It drops a nearly identical ransom note in TXT format but gives victims a different e-mail address for continuing the negotiations over a decryptor. The decryption solution may or may not be a hoax, but malware experts recommend that users first double-check with compatible Hidden Tear decryptors before taking any financially drastic actions.

Blaspheming against the Gods that Smite Your Files

Users can comfort themselves with the knowledge that the HermesVirus HT Ransomware isn't, despite the title, a virus, and can't inject its code into other files to propagate. However, it can block your work permanently, hijack the desktop to turn it into a ransom warning, and make other changes to your PC that endanger your data's security. Users should always keep their risk of infection from file-locking Trojans minimal by:

  • Disabling macros while reading Word documents.
  • Updating software for lessened vulnerabilities.
  • Deactivating browser features like JavaScript and Flash.
  • Avoiding illicit download links.
  • Securing their networks with appropriately-strong login credentials.

The investigations of malware analysts can't determine whether the HermesVirus HT Ransomware is compatible with the currently-available, free decryption tools on the Web. However, a combination of secure backups and anti-malware products should keep your files safe and remove the HermesVirus HT Ransomware by default, respectively.

Ransomware-as-a-Service has 'no charge' competition from the likes of Hidden Tear, which the HermesVirus HT Ransomware takes advantage of for attacking users. All Windows computers remain at risk, at least, until their users learn to browse the Web safely.
