Skip Navigation
BlackBerry Blog

Cylance vs. Hermes Ransomware

NEWS / 03.07.18 / The Cylance Team


Hermes, the ransomware suspected of being a state-sponsored creation, is making another run for your data.

Hermes was notoriously deployed as a distraction during the failed hack of Taiwan’s Far Eastern International Bank in 2017. During the attack, the malware infiltrated the bank’s infrastructure via infected Office documents.

This new variant is dubbed Hermes 2.1, after researchers spotted instances of code re-use while comparing it to the original Hermes malware.

Hermes Analyzed

The Cylance Threat Research Group recently examined Hermes 2.1 to see if this fleet-footed threat could outpace our detection. The original Hermes malware encrypted data, displayed detailed ransom instructions, and changed the desktop wallpaper.

A later version, one used in the attack on Taiwan’s Far Eastern International Bank, only displayed a popup reading “finish work” after encryption. Given the evolving nature of this malware, our team was interested in seeing how it operates today.

We made the following observations about Hermes 2.1:

The malware encrypts data by launching a svchostu.exe process from the user’s temp directory. Once the encryption completes it leaves an html file with an abbreviated ransom message:

Our testing revealed that the desktop background change implemented by original Hermes is absent from version 2.1.

Why is Hermes Important and Why Should I Be Concerned?

Hermes has gone through several iterations, indicating that it is a work in progress. Weaknesses discovered in earlier versions of this malware were fixed in later ones. Several sources attribute the creation of this malware to a nation-state. If true, considerable resources may exist for the continued development of Hermes.

In the US, new cybersecurity compliance legislation is being advanced. If passed, the new law will drive the prohibitive costs of data breaches even higher. The rising frequency of ransomware attacks and increasingly punitive legislation for data breaches should concern every business owner.

Cylance Stops Hermes

Our customers will be pleased to hear that Hermes 2.1 cannot keep pace with the preventative powers of Cylance. In fact, Hermes 2.1 was predicted and blocked by a version of our software released in October of 2015. By harnessing the power of artificial intelligence and machine learning, Cylance could stop Hermes 2.1 more than three years before it arrived.

Can your current antivirus solution claim the same?

The Cylance Team

About The Cylance Team

Our mission: to protect every computer, user, and thing under the sun.

Cylance’s mission is to protect every computer, user, and thing under the sun. That's why we offer a variety of great tools and resources to help you make better-informed security decisions.