A wallpaper carrying the e-mail address [email protected] has started appearing on victims' computers in different locations. The wallpaper belongs to a ransomware strain known as Explorer v1.58, which uses the AES encryption algorithm to encrypt the files on the computers it infects. The ransomware then drops a ransom note named READ_IT.txt which, like the wallpaper, demands that victims pay a hefty ransom in order to get their files decrypted.
| Short Description | The ransomware encrypts the files on your computer and changes the wallpaper to instructions to contact an e-mail address and make a payment in order to get the files back. |
| Symptoms | Explorer ransomware encrypts the files and adds the .explorer file extension to them. It also changes the wallpaper to the image above and drops a ransom note file named READ_IT.txt. |
| Distribution Method | Spam e-mails, e-mail attachments |
How Does Explorer v1.58 Spread
To reach as many victims as possible, the virus is distributed through a loader file associated with its primary executable, named "explerer.exe", which is run with the following parameters:
The malicious executable of the ransomware primarily reaches a computer via spam e-mail. Such messages carry a loader that drops the executable once it is opened. The attachment may pose as a legitimate document, such as an invoice, a receipt, or a bank statement warning of suspicious activity on the account, and the message body is written to convince the victim to open it. More sophisticated spam campaigns may even address the victim by name in the e-mail body.
Secondary distribution methods include fake installers, key generators, software activators and other bogus software uploaded to shady websites.
Explorer v1.58 Ransomware Analysis
When infection by the .explorer file virus takes place, the victim may notice a brief slowdown of the computer. At that moment the Explorer virus carries out several activities at once. One of them is to inject malicious code into primary system processes. It may also attempt to bypass User Account Control (UAC) and, through it and other Windows components, obtain administrative privileges, which let it read and write anything on the infected computer.
After obtaining those privileges, Explorer v1.58 may begin to modify the Windows Registry, specifically the following registry entries:
Explorer v1.58 is also likely to delete the backups on your computer, including the Volume Shadow Copies. This is achievable with the following administrative Windows commands:
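Shadow-copy destruction is one of the most reliable ransomware signals a defender can alert on, because almost no legitimate user workflow deletes all shadow copies from a process living in %TEMP%. The script below is an added example, not code from the page or from any analysis of Explorer v1.58: it runs a small set of detection rules over constructed process-creation log lines (the pipe-separated format and the sample events are made up for this example, and the parent image name "explerer.exe" is borrowed from the page). The command patterns are the ones ransomware families in general use to wipe recovery data (vssadmin, wmic, bcdedit, wbadmin); the page does not list the exact commands Explorer v1.58 issues, so attributing these to it is an assumption.

```python
import re

# Constructed process-creation events in a made-up pipe-separated format:
#   time|host|user|parent_image|image|command_line
# These lines are invented for this example; they are not a real log export.
SAMPLE_LOG = r"""
2017-08-01T10:00:01|WS01|corp\alice|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
2017-08-01T10:02:13|WS01|corp\alice|C:\Users\alice\AppData\Local\Temp\explerer.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2017-08-01T10:02:14|WS01|corp\alice|C:\Users\alice\AppData\Local\Temp\explerer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2017-08-01T10:02:15|WS01|corp\alice|C:\Users\alice\AppData\Local\Temp\explerer.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2017-08-01T10:02:16|WS01|corp\alice|C:\Users\alice\AppData\Local\Temp\explerer.exe|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet
2017-08-01T11:30:00|WS01|corp\backupsvc|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

# Generic backup-destruction commands used by ransomware in general.
# Assumption: the page does not list Explorer v1.58's exact commands.
SHADOW_DESTRUCTION_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"vssadmin(\.exe)?\s+resize\s+shadowstorage", "vssadmin resize shadowstorage"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", "bcdedit recoveryenabled no"),
    (r"bcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", "bcdedit ignoreallfailures"),
    (r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", "wbadmin delete"),
]

# Parent images living in user-writable locations are a strong indicator
# that a legitimate admin tool is being driven by malware.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")


def parse_line(line: str):
    """Split one constructed log line into a dict, or None if malformed."""
    fields = line.split("|", 5)
    if len(fields) != 6:
        return None
    return dict(zip(("time", "host", "user", "parent", "image", "cmdline"), fields))


def classify_command(cmdline: str):
    """Return the matching technique name, or None for a benign command line."""
    for pattern, technique in SHADOW_DESTRUCTION_PATTERNS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            return technique
    return None


def parent_is_suspicious(parent_image: str) -> bool:
    lowered = parent_image.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def detect(log_text: str) -> list:
    """Run the rules over every line and return one alert per matching event."""
    alerts = []
    for raw in log_text.strip().splitlines():
        event = parse_line(raw.strip())
        if event is None:
            continue
        technique = classify_command(event["cmdline"])
        if technique is None:
            continue
        # Escalate when the parent is not a normal system location.
        severity = "high" if parent_is_suspicious(event["parent"]) else "medium"
        alerts.append({
            "time": event["time"],
            "host": event["host"],
            "user": event["user"],
            "technique": technique,
            "parent": event["parent"],
            "cmdline": event["cmdline"],
            "severity": severity,
        })
    return alerts


def detect_sample() -> list:
    """Run the detection over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in detect_sample():
        print(f"[{alert['severity']}] {alert['time']} {alert['host']} "
              f"{alert['technique']}: {alert['cmdline']} (parent {alert['parent']})")
```

On the sample, the four events spawned from the Temp directory are flagged as high severity, while the backup service's `vssadmin list shadows` is not flagged at all, since listing shadows destroys nothing. In production the same rules map directly onto Sysmon Event ID 1 or Windows Security Event 4688 fields (ParentImage/Image/CommandLine), and a response playbook would isolate the host at the first high-severity hit, because the encryption phase usually follows within seconds.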
Explorer v1.58 also drops its ransom note and changes the wallpaper on the victim's computer. The ransom note is named READ_IT.txt and carries the same message as the wallpaper:
Explorer v1.58 – Encryption Process
After Explorer v1.58 has infected your computer, it uses the AES encryption algorithm to render the files on it unusable. Explorer v1.58 does not encrypt each file in full, since doing that for every file would take the virus a long time; instead it encrypts only enough of each file to make it unopenable. Because AES is a symmetric cipher, the key that encrypted the files is the key that decrypts them, so whether recovery is possible depends on how the key is generated and where it is stored, which is not covered here. The Explorer virus primarily targets the following file types for encryption:
- Music and other audio file types.
- Image files.
- Photoshop documents.
- Microsoft Office documents.
- Adobe Reader .PDF files.
- Virtual Drives.
After the encryption process has completed, the Explorer v1.58 ransomware appends the .explorer file extension to the encrypted files:
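The two artefacts described above, the .explorer suffix and the READ_IT.txt note, are what an incident responder would inventory first, and the "only part of the file is encrypted" claim is something you can check rather than take on faith. The triage script below is an added example, not code from the page: it walks a directory tree, lists every .explorer file and ransom note, and measures the Shannon entropy of each file's first 4 KiB against the remainder. Ciphertext is close to 8 bits per byte; plain text and uncompressed documents are far lower, so a high-entropy head over a low-entropy tail is the signature of partial encryption. The 4 KiB window, the 7.0 bits/byte threshold and the sample files built in a temporary directory are all assumptions made for this example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".explorer"       # extension appended by the ransomware (from the page)
NOTE_NAME = "READ_IT.txt"  # ransom note file name (from the page)
HEAD_BYTES = 4096          # assumption: judge the "head" of a file on its first 4 KiB
HIGH_ENTROPY = 7.0         # assumption: bits/byte above which bytes look like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(head_entropy: float, tail_entropy) -> str:
    """
    'full'      head and tail both look like ciphertext
    'partial'   only the head looks like ciphertext (the behaviour the page describes)
    'untouched' the file carries the suffix but its content does not look encrypted
    """
    if head_entropy < HIGH_ENTROPY:
        return "untouched"
    if tail_entropy is None or tail_entropy >= HIGH_ENTROPY:
        return "full"
    return "partial"


def triage_file(path: Path) -> dict:
    data = path.read_bytes()
    head, tail = data[:HEAD_BYTES], data[HEAD_BYTES:]
    head_e = shannon_entropy(head)
    tail_e = shannon_entropy(tail) if tail else None
    return {
        "path": str(path),
        "original_name": path.name[: -len(SUFFIX)],  # name before the suffix was added
        "size": len(data),
        "head_entropy": round(head_e, 2),
        "tail_entropy": None if tail_e is None else round(tail_e, 2),
        "verdict": classify(head_e, tail_e),
    }


def scan(root: Path) -> dict:
    """Inventory encrypted files and ransom notes under root."""
    report = {"encrypted": [], "notes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name.endswith(SUFFIX):
            report["encrypted"].append(triage_file(path))
        elif path.name == NOTE_NAME:
            report["notes"].append(str(path))
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed victim directory for the example; not real infected data."""
    low_entropy = b"Quarterly figures, see attached.\r\n" * 400  # ~13 KiB of plain text
    docs = root / "Documents"
    docs.mkdir(parents=True)
    # Head encrypted, rest of the file left as-is: the partial encryption the page describes.
    (docs / "report.docx.explorer").write_bytes(os.urandom(HEAD_BYTES) + low_entropy)
    # Whole file overwritten with ciphertext-like bytes.
    (docs / "photo.jpg.explorer").write_bytes(os.urandom(2 * HEAD_BYTES))
    # Renamed but content never encrypted (e.g. the process was killed first).
    (docs / "notes.txt.explorer").write_bytes(low_entropy)
    (docs / "todo.txt").write_bytes(low_entropy)  # untouched, no suffix
    (docs / NOTE_NAME).write_text("Contact the e-mail shown on the wallpaper to pay.\n")


def demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    result = demo()
    for entry in result["encrypted"]:
        print(f"{entry['verdict']:9} head={entry['head_entropy']} "
              f"tail={entry['tail_entropy']} {entry['original_name']}")
    print("ransom notes:", result["notes"])
```

Two caveats when running this on a real victim machine. First, a genuinely untouched JPEG, ZIP or .docx (which is a ZIP container) already has high entropy, so a "full" verdict on such files does not by itself prove the whole file was encrypted; compare against a known-good copy where one exists. Second, a "partial" verdict is good news for recovery tooling: the unencrypted remainder of a document or database often still contains carvable content, which is why the page recommends backing up the encrypted files before any cleanup.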
Remove Explorer v1.58 and Restore .explorer Files
Before removing Explorer ransomware, it is strongly advisable to back up your encrypted files first and only then focus on removal. We advise following the removal instructions below, which are divided into manual and automatic steps. Manual removal can be risky, because Explorer v1.58 may tamper with system files, so experts often advise using a ransomware-specific malware removal tool to safely delete all files associated with Explorer v1.58.
If you want to restore files encrypted by the Explorer v1.58 virus, follow the alternative instructions in step "2" under "Automatic Removal" below. They are not a direct solution, but a reasonable temporary option for recovering as many files as possible until a decrypter for the virus is released; we will update this page and link it here as soon as one is out.