Explorer Ransomware
Posted: July 19, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 51 |
| First Seen: | July 19, 2017 |
|---|---|
| OS(es) Affected: | Windows |
The Explorer Ransomware is part of the Hidden Tear family of Trojans that encrypt your media, such as pictures, audio, or documents, to stop you from opening it. Its attacks also include multiple methods of delivering messages asking for money to decrypt the files back to their non-encoded versions. Use either backups or free decryption tools for recovery, as needed, and anti-malware products for removing the Explorer Ransomware from an infected PC.
The Advance Warning of a Trojan's Typo
It's an unusual week that doesn't see multiple releases of Hidden Tear from different groups of threat actors, and July is, so far, not disputing that historical pattern. One new version of the HT family is fully functional but, oddly, also includes an uncorrected misspelling in its file data that contrast with its payload. This minor formatting issue could help possible victims avoid an infection by identifying the inappropriate file before it's too late to save their media.
Samples of the Explorer Ransomware are in circulation with '.explorer.exe' as the current name. This choice of filenames could be a botched attempt to disguise the Explorer Ransomware as being a Windows component, but other aspects of the payload imply that its threat actors also are using it as the campaign's brand identity. The Explorer Ransomware's initial attacks use the AES-based encrypting methods to lock the media of any Windows PC it runs on, which targets content like PDF documents and the output of major Microsoft programs like Office.
The Explorer Ransomware places '.explorer' extensions on every name for files locked by the above function. Regarding other visual symptoms, malware analysts also may verify that the Explorer Ransomware replaces the desktop wallpaper and also creates a separate text note, both of which carry the same instructions on paying ransoms for the decryptor. Interestingly, the Explorer Ransomware's phrasing in the message implies that the victim is getting a discount for paying quickly, rather than being penalized for paying too late, which is a simple but possibly effective social engineering tactic.
Stopping an Exploration of File-Blocking for Pay
While the Explorer Ransomware's campaign may be self-sabotaging, due to sheer carelessness, victims of its attacks will remain in possession of damaged files that can't open. The frequency of updates to file-encrypting Trojans like Hidden Tear makes it particularly valuable to protect any media of value by backing it up. Local backups may be at risk, especially with the Explorer Ransomware and other versions of its family, which can delete Windows Shadow Copies.
Although the Explorer Ransomware does provide symptoms of an infection that any user may recognize, these issues always appear after the encryption function has its intended impact. Disabling browser content often subjected to exploitation, such as JavaScript, and analyzing suspicious downloads and links (particularly ones received by e-mail) can eliminate many of the strategies the con artists use for installing Trojans. Malware experts recommend using both free decryption software specific to Hidden Tear and proper anti-malware products for protecting your files and deleting the Explorer Ransomware.
If something seems wrong with a file on your computer, your intuition may not be a false alarm necessarily. File-encrypting Trojans and other, 'black hat' programs often give themselves away with intentional or accidental typos, as shown so plainly with the Explorer Ransomware.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.