How to Remove Explorer Ransomware

How to Remove Explorer Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

Attention!!!
All Your Documents, Photos, Databases And Other Impotant Personal Files were Encrypted By A Strong Algorithm With Unique Key.
To Restore Your Files, Contact Us With Email Address:
decrypter.files@mail.ru
NOTE: If you Email Us in less than 24 hours , you will be paying half the regular price
your ID=
Explorer V1.58

Explorer Ransomware is the newest member of its malicious family. This virus is a classic. It slithers into its victims’ computers unnoticed and wreaks havoc. Once in, it scans your HDD for target files. Its goal is to lock your personal files. Pictures, documents, databases, archives, videos, etc. Since it adds the “.explorer” extension at the end of all encrypted files, Explorer is quite easy to be recognized. Thus, if you have a file named example.jpeg, the virus will rename it to example.jpeg.explorer. You can see your files, yet, you cannot open or use them. Explorer Ransomware uses a combination of RSA and AES encryption algorithms. These algorithms are the strongest known. Yet, the virus doesn’t stop just here. It also deletes the Shadow Copies of your files. Thus, the decryption process becomes quite problematic. Currently, there is no alternative way to restore your documents. Yet, we recommend against paying the ransom. Always keep in mind that you are dealing with criminals. You cannot expect them to play fair. The crooks did not specify the exact amount of the demanded ransom. You are supposed to contact them via email (decrypter.files@mail.ru). Do NOT do it! Do not contact the hackers. They have proven to be smart and cunning. For instance, the ransom note of the virus reads that if you contact them within 24 hours, they will give you a discount. “Half the regular price” is what they promise. What is the regular price, however? These are just tricks. Psychological games that are supposed to lure you into acting impulsively. Whatever you do, do not rush. Take a minute to consider the situation. Think about your external devices. Maybe one of them contains backups of your system or files. If that is the case, you can use them to restore your data for free. Before you plug your devices in, make sure you have deleted the ransomware. Otherwise, Explorer will infect them too.

How did I get infected with?

Explorer Ransomware relies on spam emails to reach its victims. The crooks tend to write on behalf of well-known organizations and companies. They usually attach corrupted files to their messages. These files contain a macro script which executes the moment you open the file. The attached files are not viruses. Thus, your anti-virus program will not detect them as dangerous. Yet, they download the virus. So, avoid all attached files. If you receive a message from a stranger, check the sender’s contacts. If, for example, you get a letter from your bank or any other organization, go to their official website. You will be able to find their authorized email addresses there. If they don’t match with the one you have received a letter from, delete the pretender immediately. You can also enter the questionable email address into some search engine. If it was used for shady business, someone might have complained already. The Internet is a dangerous place. It is roamed by many dangerous parasites. Your vigilance, however, can protect your computer. Download your software from reliable sources only. When you are about to install a program, opt for suspicious signs. If you are offered an advanced installation wizard, choose it without hesitation. The advanced installation is not complicated. Only under it can you see whether there are extra programs about to be installed. Make sure you understand what you approve on your computer. Always read the terms and conditions/EULA. If you spot anything out of the ordinary, abort the installation.

Why is Explorer dangerous?

Explorer Ransomware is extremely dangerous. It works in the shadows and is impossible to be stopped in time. If you have seen its ransom note, it is already too late. The virus has locked all your files. It urges you to contact its owners. Do not do it. Do not get in touch with criminals. These people will double-cross you. Their virus is on your computer. But they do not have a way to contact you. If you send them a message, they can use your email address to threaten and terrorize you. Besides, even if they offer you a good deal, you will have to pay in Bitcoin. This currency is untraceable. Hackers tend to ignore the victims once the ransom is paid. No one can guarantee you that they will keep their part of the deal. You are in a situation with a lot of “Ifs.” Even if they contact you, even if they send you a key, even if they send you a working decryption tool… Your first task should be the removal of Explorer. If you don’t remove the ransomware by yourself, you cannot use your computer freely. The decryption process does not delete the virus. If you restore your files but forget to delete the parasite, your files will get re-encrypted. So, don’t rely on your luck. Take action against the ransomware. Download a trustworthy anti-virus program and delete Explorer Ransomware for good.

Explorer Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Explorer Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

• Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
• Locate the process of the ransomware. Have in mind that this is usually a random generated file.
• Before you kill the process, type the name on a text document for later reference.

• Locate any suspicious processes associated with Explorer encryption Virus.
• Right click on the process
• Open File Location
• End Process
• Delete the directories with the suspicious files.
• Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

• Open any folder
• Click on “Organize” button
  
• Choose “Folder and Search Options”
• Select the “View” tab
• Select “Show hidden files and folders” option
• Uncheck “Hide protected operating system files”
• Click “Apply” and “OK” button

STEP 3: Locate Explorer encryption Virus startup location

• Once the operating system loads press simultaneously the Windows Logo Button and the R key.

• A dialog box should open. Type “Regedit”
• WARNING! be very careful when editing the Microsoft Windows Registry as this may render the system broken.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

• and delete the display Name: [RANDOM]

• Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

• Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

• Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
• Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.