.HRM Files Virus (Hermes 2.1) – How to Remove and Restore Files

This article has been created to help you remove the newer Hermes 2.1 ransomware variant and explain how to restore .hrm encrypted files on your computer.

The 2.1 variant of Hermes ransomware is here and, much like the other variants, it encrypts the files on the infected computer and then appends the .hrm file extension to them. The virus then leaves behind a ransom note, named DECRYPT_INFORMATION.html. It threatens victims and asks them to send BitCoins in order to have their files decrypted again. The malware also uses strong encryption to derive a unique decryption key for each file or set of files. Since these keys are known only to the cyber-criminals, they are the only ones able to decrypt the files directly. Despite that, paying the ransom is highly inadvisable. If your computer has been infected by Hermes ransomware, we recommend that you read this article thoroughly to learn how to remove the Hermes 2.1 ransomware virus and how to restore your encrypted files without having to pay in BitCoin.

Threat Summary

Name: Hermes 2.1
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the infected computer using the RSA-2048 cipher. Demands a ransom payment in BitCoin to get them to open again.
Symptoms: The Hermes 2.1 ransomware encrypts the files, adding the .hrm file extension after their name. After this, the ransomware drops a ransom note, named DECRYPT_INFORMATION.html, on the desktop.
Distribution Method: Spam Emails, Email Attachments, Executable files

Hermes 2.1 Ransomware – Update August 2018

The Hermes 2.1 ransomware continues to spread in August 2018. Last week security researchers at Proofpoint detected a large spam email campaign that carries a new, significantly improved version of the AZORult spyware. The primary purpose of this spyware is to steal various kinds of sensitive data from any compromised PC. However, AZORult v3.2 is also set to drop the Hermes 2.1 payload and trigger the ransomware infection in its second infection stage. The emails that were part of this malicious campaign used employment offers as subjects, but the theme could change over time.

Hermes 2.1 – How Is It Distributed

This virus has been reported by security researchers to be spread with the aid of malspam e-mails. These e-mails may contain the following infection objects:

  • A malicious link which leads to the download of the infection file.
  • A malicious web link that directly causes the infection by clicking on it.
  • The infection file masked as a legitimate document and uploaded in an .rar or .zip archive as an attachment to the e-mail.

In addition to these methods, one can become infected with this variant of Hermes ransomware via malicious exploit kits, fake updates and infected installers of programs. There is also a possibility that you may encounter the infection file pretending to be a license activator for a program, or a game patch or crack.

Hermes 2.1 .hrm Ransomware – Infection Process

As soon as you become infected with this variant of Hermes ransomware, the infection file connects to a remote host and downloads the malicious payload of this ransomware. It consists of several files which may have the following names:

→ Reload.exe

After the payload of Hermes 2.1 .hrm files virus has been dropped, the malware may also create the following files on your computer:

→ Cversions.2.db
Computer Management.lnk
Multiple .db objects with random names, located in %Caches% directory.

Once those files are created and dropped on the victim's computer, the malware may immediately use the Evelen method to bypass User Account Control (UAC). After this has happened, the .hrm files virus may execute the following Windows Command Prompt commands in order to erase the shadow volume copies on your computer:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The deletion is not restricted to shadow copies either. Hermes 2.1 ransomware also makes sure to erase backup files with the following extensions:

→ .vhd, .bac, .bak, .wbcat, .bkf, .backup, .set, .win, .dsk

As soon as the ransomware deletes your shadow volume copies, the .hrm files virus begins to modify the Windows Registry by adding custom string values in the following sub-keys:

→ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “allkeeper” /t REG_SZ /d “%USERPROFILE%\Desktop\DECRYPT_INFORMATION.html” /f
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “sysrep” /t REG_SZ /d “%PUBLIC%\Reload.exe” /f
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “allkeeper” /t REG_SZ /d
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “sysrep” /t REG_SZ /d
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper C:\users\User\Desktop\DECRYPT_INFORMATION.html
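The shadow-copy deletion commands and the Run-key persistence entries quoted above are the behaviour a defender can alert on before encryption completes. The following is an added example, not code from the article, that turns those quoted commands into detection rules and runs them over a constructed process-creation log (the tab-separated log format, the timestamps and the parent process names are assumptions for this demo):

```python
import re

# Constructed sample process-creation log (not from the article), one event per
# line in the form "timestamp<TAB>parent process<TAB>command line".
SAMPLE_LOG = """\
2018-08-20T10:01:02\tWinword.exe\tC:\\Users\\Public\\Reload.exe
2018-08-20T10:01:05\tReload.exe\tcmd.exe /c vssadmin.exe delete shadows /all /quiet
2018-08-20T10:01:05\tReload.exe\tbcdedit.exe /set {default} recoveryenabled no
2018-08-20T10:01:06\tReload.exe\tbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2018-08-20T10:01:07\tReload.exe\treg add "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "sysrep" /t REG_SZ /d "%PUBLIC%\\Reload.exe" /f
2018-08-20T10:01:07\tReload.exe\treg add "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "allkeeper" /t REG_SZ /d "%USERPROFILE%\\Desktop\\DECRYPT_INFORMATION.html" /f
2018-08-20T10:05:00\texplorer.exe\tnotepad.exe C:\\Users\\User\\notes.txt
"""

# Detection rules: (name, regex over the command line). The patterns follow the
# commands and Run-key value names (allkeeper, sysrep) quoted in the article.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_failures_ignored", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("hermes_run_key", re.compile(r'CurrentVersion\\Run\W+/v\s+"?(allkeeper|sysrep)"?', re.I)),
    ("reload_exe_launch", re.compile(r"\\Reload\.exe", re.I)),
]


def scan_process_log(text):
    """Map each parent process to the set of rule names its child command lines matched."""
    by_parent = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, parent, cmdline = line.split("\t", 2)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                by_parent.setdefault(parent, set()).add(name)
    return by_parent


def suspicious_parents(text):
    """Parents that delete shadow copies and also tamper with recovery or persistence.

    Requiring two distinct rules keeps a lone admin 'vssadmin delete shadows'
    from firing on its own; the combination is the pre-encryption pattern.
    """
    hits = scan_process_log(text)
    return sorted(p for p, names in hits.items()
                  if "shadow_copy_deletion" in names and len(names) >= 2)


if __name__ == "__main__":
    for parent, names in scan_process_log(SAMPLE_LOG).items():
        print(parent, sorted(names))
    print("suspicious:", suspicious_parents(SAMPLE_LOG))
```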

After this, the virus also drops its ransom note, DECRYPT_INFORMATION.html, on the desktop.

Hermes 2.1 .hrm Virus – Encryption Process

To encrypt the files on your computer, the Hermes 2.1 ransomware uses the Rivest-Shamir-Adleman encryption algorithm, known as RSA, with a 2048-bit key strength. The virus targets specific file types for encryption, some of which are the following:

→ .accdb, .agif, .awdb, .bean, .cdmm, .cdmz, .cdr3, .cdr4, .cdr6, .cdrw, .clkw, .crwl, .ddoc, .djvu, .docm, .docx, .docz, .dotm, .dotx, .dtsx, .emlx, .epsf, .fdxt, .fh10, .fh11, .fodt, .fpos, .ft10, .ft11, .fwdn, .gdoc, .gfie, .glox, .gthr, .hpgl, .html, .icon, .idea, .itc2, .itdb, .jbig, .jpeg, .jpg2, .jrtf, .kdbx, .mbox, .mell, .mgcb, .mgmf, .mgmt, .mgmx, .mgtx, .mmat, .mobi, .mrxs, .pano, .pict, .pjpg, .pntg, .pobj, .pptm, .pptx, .psdx, .psid, .rctd, .reloc, .riff, .s2mv, .save, .scad, .sdoc, .smil, .ssfn, .sumo, .svgz, .text, .tiff, .utf8, .vrml, .vsdm, .vsdx, .vstm, .vstx, .wbmp, .webp, .wmdb, .xhtm, .xlgc, .xlsb, .xlsm, .xlsx, .zabw (700 more)

After the encryption process has completed, this ransomware virus renames the files on your computer and adds its distinctive .hrm file extension to them.

Remove Hermes 2.1 and Restore .hrm Encrypted Files

Before actually beginning to remove Hermes 2.1 ransomware, it is advisable to back up all of your important files. This ensures that nothing happens to them during the removal. After this, we recommend that you follow the removal instructions below. They are divided into manual and automatic removal instructions and aim to help you fully erase all files associated with Hermes. Furthermore, be advised that security experts always recommend using advanced anti-malware software in order to remove all files related to Hermes 2.1 ransomware and automatically revert the settings on your computer that it modified.

After removing Hermes 2.1, we recommend that you try the alternative methods for file recovery below in step "2. Restore files encrypted by Hermes 2.1". They may not be 100% effective, but they may help in restoring most of your files without you having to pay the ransom.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
