hermes

Also known as: hermes

Hermes is a ransomware family first observed in the wild in February 2017, believed to have been developed by a group operating out of Asia. It originally appeared as a Ransomware-as-a-Service (RaaS) offering on underground forums but later saw deployment in targeted attacks. Hermes uses AES-256 encryption to lock victim files and appends a variety of extensions (including .hrm and campaign-specific variants). The ransom note, often named DECRYPT_INFORMATION.html or DECRYPT_INFORMATION.txt, provides payment instructions via email. The ransomware gained notoriety in 2018 when it was used as a destructive wiper in the Far Eastern International Bank (FEIB) heist in Taiwan, where attackers deployed Hermes to cover their tracks after a SWIFT fraud operation. Over time, Hermes code has been re-used and integrated into other ransomware families, including some Ryuk builds, suggesting code sharing or purchase from the original developer. Distribution vectors have included phishing campaigns, malicious attachments, and exploitation of RDP services.

Introduction

Hermes is a ransomware family first observed in the wild in February 2017, believed to have been developed by a group operating out of Asia. It originally appeared as a Ransomware-as-a-Service (RaaS) offering on underground forums but later saw deployment in targeted attacks. Hermes uses AES-256 encryption to lock victim files and appends a variety of extensions (including .hrm and campaign-specific variants). The ransom note, often named DECRYPT_INFORMATION.html or DECRYPT_INFORMATION.txt, provides payment instructions via email. The ransomware gained notoriety in 2018 when it was used as a destructive wiper in the Far Eastern International Bank (FEIB) heist in Taiwan, where attackers deployed Hermes to cover their tracks after a SWIFT fraud operation. Over time, Hermes code has been re-used and integrated into other ransomware families, including some Ryuk builds, suggesting code sharing or purchase from the original developer. Distribution vectors have included phishing campaigns, malicious attachments, and exploitation of RDP services.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Wiper:
  • Xploit:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.