Do you know what Esmeralda Ransomware is?
According to our malware analysts, Esmeralda Ransomware is a release variant of Apocalypse Ransomware. This application is designed to encrypt nearly all of the files on your computer and then offer to sell you a decryption program and password for restoring them. Even though a free decryption tool has yet to be released, we recommend that you remove this ransomware because it is unlikely that the cyber criminals will keep their end of the bargain and send you the decryption software. If you want to find out more about this highly dangerous piece of programming, please read this article as it contains the most recent information.
Our security specialists say that this ransomware is known to be distributed via malicious emails. The emails are said to include an attached file that carries this ransomware, and if the victim opens the file, it runs a malicious script and drops this ransomware’s executable on the PC. The emails it comes in can be disguised as anything from receipts to invoices and everything in between. They are written to look legitimate and gently insist that you open the attached file. Researchers have found that it can also be distributed by exploiting Remote Desktop Protocol (RDP), a proprietary protocol developed by Microsoft that allows a user to connect to another computer over a network and use it through a graphical user interface. Currently, there is no information about the exploit used to infect the computers, but this method is not that effective and probably will not be used exclusively, since RDP is not that widely used unless it is part of a targeted attack. Email spam, on the other hand, is sent to random users.
[Screenshot: Esmeralda Ransomware]
Our malware analysts have obtained a sample of Esmeralda Ransomware and tested it. They found that its main executable is deceptively named explorer.exe and is placed in %PROGRAMFILES%\Windows NT or %PROGRAMFILES(x86)%\Windows NT. Take note that explorer.exe is also the name of a legitimate executable that runs Windows Explorer, the Windows shell that provides the desktop, taskbar and file browser; the legitimate copy lives in the Windows folder, not in a "Windows NT" program folder. Also, the ransomware creates several registry strings at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. These registry strings are referred to as Points of Execution (PoE) by cyber security experts. Basically, they launch the ransomware on system startup.
Testing has shown that this ransomware was configured to encrypt files in all locations on your PC with the exception of the Windows folder, where all of the OS files are stored. Also, it will not encrypt files with extensions such as .dat, .bat, .bin, .encrypted, .ini, .tmp, .lnk, .com, .msi, .sys, .dll, and .exe. However, it will encrypt all other files, including the file types used to store images, videos, documents, and so on. Hence, this ransomware is set to target the personal files that you may hold valuable and would be willing to purchase the offered decryption software to recover. It uses the AES encryption algorithm to encrypt your files and, as mentioned, there is no free way to decrypt them. However, we do not know how much money the cyber criminals ask for decrypting your files.
Once the encryption is complete, Esmeralda Ransomware will launch its graphical user interface (GUI) window and present you with the ransom note that states that Windows has encountered a critical problem and your files were encrypted to prevent damage. However, that is a blatant lie because this program’s developers are after your money. The note features the email address you have to contact in order to pay the ransom and then receive the decryptor and password.
You should refrain from paying the ransom, especially if the criminals demand a large sum, because you might not get the promised decryptor and password. Esmeralda Ransomware blocks Task Manager from running so you cannot close its GUI to use your PC. However, if you boot up your PC in Safe Mode, then you can delete it manually, or install an antimalware application such as SpyHunter to remove it for you. Please refer to the instructions featured below.
Boot up your PC in Safe Mode with Networking
- Open the Start menu.
- Restart the computer.
- Press and hold the F8 key while your computer restarts.
- On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking and then press Enter.
Windows 7 and Vista
- Click the Start button, click the arrow next to the Shut Down button, and then click Restart.
- Press and hold the F8 key while your computer restarts.
- On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking and then press Enter.
Windows 8 and 8.1
- Simultaneously press Windows+C keys, and then click Settings.
- Click Power, hold down Shift on your keyboard and click Restart.
- Select Troubleshoot.
- Click Advanced options, and select Startup Settings.
- Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.
- Click Start and then click the Power button.
- Hold down the Shift key and select Restart.
- In the resulting full-screen menu, select Troubleshoot.
- Select Advanced options and choose Startup Settings.
- In the Startup Settings screen, press Restart.
- When the PC restarts, use the arrow keys on your keyboard to select Enable Safe Mode with Networking.
Delete Esmeralda Ransomware
- Simultaneously press Windows+E keys.
- In the File Explorer’s address box, enter %PROGRAMFILES%\Windows NT or %PROGRAMFILES(x86)%\Windows NT
- Press Enter.
- Find explorer.exe, right-click it and click Delete.
- Empty the Recycle Bin.
- Simultaneously press Windows+R keys.
- Enter regedit in the dialog box and click OK.
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Find the string named Windows Explorer (with value data of C:\Program Files\Windows NT\explorer.exe).
- Right-click it and click Delete.
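The manual steps above can be checked and, if you choose, carried out from an elevated PowerShell prompt in the same Safe Mode session. The script below is an added example, not code from the original article: it audits the Run key for any explorer.exe that does not live under the Windows folder and looks for the dropped file in the two "Windows NT" program folders named above. The function name and the -Remove switch are my own; the key path, value name and file locations come from the article.

```powershell
# Added example: audit (and optionally remove) the persistence point and
# dropped executable described in the article. Run as Administrator.
function Find-EsmeraldaPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remove)   # without -Remove the function only reports

    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    # Folders the article names for the fake explorer.exe
    $dropDirs = @("$env:ProgramFiles\Windows NT", "${env:ProgramFiles(x86)}\Windows NT")
    $findings = @()

    # 1. Run-key values whose command is an explorer.exe outside %SystemRoot%.
    #    The legitimate shell is %SystemRoot%\explorer.exe and is never in Run.
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata
            $cmd = [string]$p.Value
            # Extract the executable from a quoted or unquoted command line
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            if ($exe -match 'explorer\.exe$' -and $exe -notlike "$env:SystemRoot\*") {
                $findings += [pscustomobject]@{ Type = 'RunValue'; Name = $p.Name; Path = $exe }
                if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$($p.Name)", 'Remove value')) {
                    Remove-ItemProperty -Path $runKey -Name $p.Name
                }
            }
        }
    }

    # 2. The dropped explorer.exe in the "Windows NT" program folders
    foreach ($dir in $dropDirs) {
        $file = Join-Path $dir 'explorer.exe'
        if (Test-Path -LiteralPath $file) {
            $findings += [pscustomobject]@{ Type = 'File'; Name = 'explorer.exe'; Path = $file }
            if ($Remove -and $PSCmdlet.ShouldProcess($file, 'Delete file')) {
                Remove-Item -LiteralPath $file -Force
            }
        }
    }
    return $findings
}

# Report only; add -Remove (or -Remove -WhatIf to preview) to clean up.
Find-EsmeraldaPersistence | Format-Table -AutoSize
```

An empty table means neither the Run value nor the dropped file was found at the locations the article documents; a newer build that uses different paths would need the lists adjusted.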
In non-techie terms:
Esmeralda Ransomware is a dangerous computer infection. It can be distributed in several ways and it is designed to infect your computer by stealth. Once on it, this ransomware is set to encrypt most of the files on the machine and then demand that you purchase the decryption tool and password to decrypt your files. However, you should delete this ransomware instead because the cyber criminals might not give you the decryptor and password.