
Explorer Ransomware

Posted: July 19, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 51
First Seen: July 19, 2017
OS(es) Affected: Windows

The Explorer Ransomware is part of the Hidden Tear family of Trojans that encrypt your media, such as pictures, audio, or documents, to stop you from opening them. Its attacks also include multiple methods of delivering messages asking for money to decrypt the files back to their original versions. Use either backups or free decryption tools for recovery, as needed, and anti-malware products for removing the Explorer Ransomware from an infected PC.

The Advance Warning of a Trojan's Typo

It's an unusual week that doesn't see multiple releases of Hidden Tear from different groups of threat actors, and July is, so far, not disputing that historical pattern. One new version of the HT family is fully functional but, oddly, also includes an uncorrected misspelling in its file data that contrasts with its payload. This minor naming issue could help potential victims avoid an infection by identifying the offending file before it's too late to save their media.

Samples of the Explorer Ransomware are in circulation under the filename '.explorer.exe'. This choice of filename could be a botched attempt to disguise the Explorer Ransomware as a Windows component, but other aspects of the payload imply that its threat actors also are using it as the campaign's brand identity. The Explorer Ransomware's initial attacks use an AES-based encryption method to lock the media of any Windows PC it runs on, targeting content like PDF documents and the output of major Microsoft programs like Office.

The Explorer Ransomware appends a '.explorer' extension to the name of every file locked by the above function. Regarding other visual symptoms, malware analysts also verify that the Explorer Ransomware replaces the desktop wallpaper and creates a separate text note, both of which carry the same instructions on paying ransoms for the decryptor. Interestingly, the Explorer Ransomware's phrasing in the message implies that the victim is getting a discount for paying quickly, rather than being penalized for paying too late, which is a simple but possibly effective social engineering tactic.
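A small triage script for the naming indicators described above, added here as an example and not part of the original post or of the Trojan itself: it flags binaries carrying the '.explorer.exe' double extension, lists files that gained the '.explorer' extension, and recovers their original names so they can be matched against backups. The path list is constructed, and the set of Office/PDF extensions is an assumption based on the text's description of the targeted content.

```python
"""Triage helper for Explorer Ransomware naming indicators (added example)."""
import os
from collections import Counter

ENCRYPTED_EXT = ".explorer"        # appended to every locked file
DROPPER_SUFFIX = ".explorer.exe"   # double extension seen on circulating samples
# Assumed document types matching the text's "PDF documents and Office output".
TARGETED_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def classify(path):
    """Return ('dropper', None), ('encrypted', original_name) or (None, None)."""
    name = os.path.basename(path)
    lower = name.lower()
    if lower.endswith(DROPPER_SUFFIX):
        return "dropper", None
    # Require something before the extension so a bare '.explorer' is ignored.
    if lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
        return "encrypted", name[: -len(ENCRYPTED_EXT)]
    return None, None


def triage(paths):
    """Summarise dropper candidates and encrypted files for a list of paths."""
    report = {"droppers": [], "encrypted": {}, "by_ext": Counter(), "targeted": 0}
    for p in paths:
        kind, original = classify(p)
        if kind == "dropper":
            report["droppers"].append(p)
        elif kind == "encrypted":
            report["encrypted"][p] = original          # encrypted path -> original name
            ext = os.path.splitext(original)[1].lower()
            report["by_ext"][ext] += 1
            if ext in TARGETED_EXTS:
                report["targeted"] += 1
    return report


def scan_tree(root):
    """Walk a directory tree and triage every file found under it."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)


SAMPLE_PATHS = [  # constructed sample paths, not real indicators
    "C:/Users/alice/Downloads/invoice.explorer.exe",
    "C:/Users/alice/Documents/report.docx.explorer",
    "C:/Users/alice/Documents/budget.xlsx.explorer",
    "C:/Users/alice/Pictures/holiday.jpg.explorer",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Windows/explorer.exe",   # legitimate component; must not be flagged
]
```

Note that the genuine Windows `explorer.exe` does not end in `.explorer.exe`, so the check above leaves it alone while still catching the double-extension dropper name.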

Stopping an Exploration of File-Blocking for Pay

While the Explorer Ransomware's campaign may be self-sabotaging, due to sheer carelessness, victims of its attacks will remain in possession of damaged files that can't be opened. The frequency of updates to file-encrypting Trojans like Hidden Tear makes it particularly valuable to protect any media of value by backing it up. Local backups may be at risk, especially with the Explorer Ransomware and other versions of its family, which can delete Windows Shadow Copies.

Although the Explorer Ransomware does provide symptoms of an infection that any user may recognize, these symptoms appear only after the encryption routine has already done its work. Disabling browser content often subjected to exploitation, such as JavaScript, and analyzing suspicious downloads and links (particularly ones received by e-mail) can eliminate many of the strategies the con artists use for installing Trojans. Malware experts recommend using both free decryption software specific to Hidden Tear and proper anti-malware products for protecting your files and deleting the Explorer Ransomware.

If something seems wrong with a file on your computer, your intuition may not necessarily be a false alarm. File-encrypting Trojans and other 'black hat' programs often give themselves away with intentional or accidental typos, as shown so plainly with the Explorer Ransomware.
