Esmeralda Ransomware

What is Esmeralda Ransomware?

We want to inform you about a newly released malicious program dubbed Esmeralda Ransomware, which is designed to encrypt your files with a military grade encryption algorithm. Removing this malware from your PC is of utmost importance, because there is no telling whether its developers will send you the promised decryption key. In this short description, we will talk about how this application works, how it is distributed, and how you can safely delete it from your PC.

What does Esmeralda Ransomware do?

Our security experts have acquired and tested this ransomware’s sample and found that its main executable is named explorer.exe (not to be confused with the legitimate explorer.exe) and is dropped in %PROGRAMFILES%\Windows NT or %PROGRAMFILES(x86)%\Windows NT. It also creates a Point of Execution (PoE) at the registry level at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The registry string found in the key above is named Windows Explorer, and its value data is the executable’s location, either C:\Program Files\Windows NT\explorer.exe or C:\Program Files (x86)\Windows NT\explorer.exe. It also creates another registry string named LegalNoticeText at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which is shown to the user at system startup as well.

Our security experts have found that Esmeralda Ransomware was designed to encrypt the files on your computer using the AES encryption algorithm. It was configured to encrypt most file types in nearly all locations on your PC, except .dat, .bat, .bin, .ini, .tmp, .lnk, .com, .msi, .sys, .dll, and .exe files located in the Windows folder. Furthermore, it is designed to append the .encrypted extension to the encrypted files and to drop a file named How_To_Decrypt.txt in each folder where it encrypted files. AES itself is a strong algorithm and cannot be broken directly; a free decryptor usually becomes possible only if the ransomware’s own implementation (for example, its key handling) has a flaw that can be exploited. At present, there is no way to decrypt files encrypted by Esmeralda Ransomware, but purchasing the decryption key from its developers is risky because you might not receive it. If you do not want to pay the ransom, you can close this ransomware’s lock screen by pressing Alt+F4. However, it is set to block Task Manager and Windows Explorer, so you have to boot Windows in Safe Mode to delete the files manually or to install an antimalware program.

Where does Esmeralda Ransomware come from?

Our malware researchers say that Esmeralda Ransomware is a release variant of Apocalypse Ransomware, so both of these infections are very similar. Like its predecessor, this new ransomware is said to be distributed by attackers exploiting Remote Desktop Protocol (RDP), a protocol developed by Microsoft that provides a user with a graphical interface for connecting to another computer over a network connection. As far as we know, this is the only distribution method used, but it is highly ineffective, so our researchers suggest that this ransomware may also be distributed via email spam or infected websites. Email spam can carry this infection as an attached file that is secretly dropped when you open the attachment. Infected sites, on the other hand, host exploit kits that interact with your web browser and use Java or Flash vulnerabilities to infect your PC.

How do I remove Esmeralda Ransomware?

We hope that you found this description useful and that you are now ready to take action against Esmeralda Ransomware, because there is no telling whether the developer will send you the decryption key after you pay. This ransomware uses an advanced encryption method, and there is no free decryption tool, at least for the time being. Nevertheless, we recommend that you remove this ransomware instead, using the guide provided below or an antimalware application such as SpyHunter (downloading and installing any antimalware program requires the computer to boot in Safe Mode with Networking), so that you can continue using your computer.

Boot up your PC in Safe Mode with Networking

Windows 10

  1. Click Start and then click the Power button.
  2. Hold down the Shift key and select Restart.
  3. Select Troubleshoot.
  4. Select Advanced options and choose Startup Settings.
  5. Press Restart in the Startup Settings screen.
  6. When the PC restarts use the arrow keys on your keyboard to select Enable Safe Mode with Networking.

Windows 8 and 8.1

  1. Hold down Win+C, and then click Settings.
  2. Click Power, hold down Shift on your keyboard and click Restart.
  3. Select Troubleshoot and click Advanced options.
  4. Select Startup Settings.
  5. Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.

Windows 7 and Vista

  1. Click the Start button, click the arrow next to the Shut Down button, and click Restart.
  2. Press and hold the F8 key while your computer restarts.
  3. Use the arrow keys to highlight the Safe Mode with Networking on the Advanced Boot Options screen and press Enter.

Windows XP

  1. Open the Start menu and click Restart.
  2. Press and hold the F8 key while the computer restarts.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight the Safe Mode with Networking.
  4. Press Enter.
  5. Log on to your computer.

Delete Esmeralda Ransomware

  1. Hold down Win+E keys.
  2. In the File Explorer’s address box, enter %PROGRAMFILES%\Windows NT or %PROGRAMFILES(x86)%\Windows NT
  3. Press Enter.
  4. Locate explorer.exe, right-click it and click Delete.

Delete the registry entries

  1. Hold down Win+R keys.
  2. Enter regedit in the dialog box and click OK.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find the string named Windows Explorer (Value data: C:\Program Files\Windows NT\explorer.exe)
  5. Right-click it and click Delete.
  6. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  7. Find LegalNoticeText and delete it.
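
As an added example that is not part of the original article, the following PowerShell audit checks a host for the artifacts described above (the dropped explorer.exe, the Run-key value named Windows Explorer, the LegalNoticeText value, ransom notes and .encrypted files) and only reports them, leaving the actual removal to the steps in this guide. The x86 path check and the user-profile scan scope are my assumptions, not something the article specifies.

```powershell
# Added example (not from the original article): report-only audit for the
# Esmeralda Ransomware artifacts described in the text. Run from an elevated
# PowerShell prompt, ideally in Safe Mode with Networking as the guide recommends.

$findings = @()

# 1. Dropped executable: %PROGRAMFILES%\Windows NT\explorer.exe (x86 path is an assumption).
$dropPaths = @((Join-Path $env:ProgramFiles 'Windows NT\explorer.exe'))
if (${env:ProgramFiles(x86)}) {
    $dropPaths += Join-Path ${env:ProgramFiles(x86)} 'Windows NT\explorer.exe'
}
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        # The legitimate explorer.exe lives in %WINDIR%, so anything here is suspect.
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "Suspicious file: $p (SHA256 $hash)"
    }
}

# 2. Run-key persistence: value 'Windows Explorer' under HKLM\...\CurrentVersion\Run
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Windows Explorer' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += "Run-key persistence: 'Windows Explorer' = $($runValue.'Windows Explorer')"
}

# 3. Logon banner abuse: LegalNoticeText under Winlogon. On an unmanaged
#    workstation this value is normally absent or empty.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$notice   = Get-ItemProperty -Path $winlogon -Name 'LegalNoticeText' -ErrorAction SilentlyContinue
if ($notice -and $notice.LegalNoticeText) {
    $len = [Math]::Min(80, $notice.LegalNoticeText.Length)
    $findings += "LegalNoticeText is set: $($notice.LegalNoticeText.Substring(0, $len))"
}

# 4. Encryption evidence: ransom notes and .encrypted files (scope is an assumption).
$notes = Get-ChildItem -Path $env:USERPROFILE -Filter 'How_To_Decrypt.txt' -Recurse -File -ErrorAction SilentlyContinue
$enc   = Get-ChildItem -Path $env:USERPROFILE -Filter '*.encrypted' -Recurse -File -ErrorAction SilentlyContinue
if ($notes) { $findings += "Ransom notes found: $(@($notes).Count) (first: $(@($notes)[0].FullName))" }
if ($enc)   { $findings += ".encrypted files found: $(@($enc).Count)" }

if ($findings.Count -eq 0) { 'No Esmeralda Ransomware indicators found.' } else { $findings }
```

If the Run-key or Winlogon findings appear, the registry steps above remove them; the file hash gives you a value to compare against any sample you have already analysed.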