Esmeralda Ransomware

Esmeralda Ransomware is a new dangerous threat that can appear silently on your system and encrypt your files without the possibility of recovery. Unless, of course, you are ready to pay the ransom fee to get your unlock password and the decryption software. This is a serious malware infection that claims to have found “a critical problem” in your system that requires your immediate attention. For your safety, all your files have been encrypted – well, more or less – in order to prevent cyber criminals to be able to make your files public on the web. This is of course true; at least the part that your files have been encrypted, but obviously not the reason behind it, which is more likely extorting money from you. We must warn you that there is no guarantee that even if you transfer the fee you will get anything in exchange. Another bad piece of news is that we have not found any free tools on the web yet that could recover your files from this hit. Therefore, the only real solution for you would be to have a backup copy saved on a portable drive. Since this ransomware can haunt you with every restart of your machine, we suggest that you remove Esmeralda Ransomware from your system right away.

There could be two possible ways for you to end up with this beast on your computer. The most likely way is via Remote Desktop Protocol. Criminals might get hold of or use brute force attack to find out your password and gain access to your computer or a whole LAN for that matter. Then, this infection can be dropped and set up for attack without further ado. You have two choices to avoid such an attack. First, you choose a serious and hard-to-crack password. Second, you protect your computer with an up-to-date malware remover.

Another possible way for this ransomware to infiltrate your system is that you get a spam mail. This mail has an attachment that can look like an image, video, or text file. Of course, this file is simply disguised and, in truth, it is a malicious executable file. If you can be tricked to open this mail, it is quite likely that you will not stop at that and would like to see the attachment, too, since this file is supposed to hold some important information for you. For example, this attachment could pose as an unsettled invoice, a parking fine not paid, and issues with a bank transfer. Obviously, the subject matter is chosen carefully by these cyber criminals to be able to cloud your judgment so that you would want to download and see the file. Unfortunately, the moment you click on this file to view it, you activate this attack. Due to the nature of this ransomware infection, even if you manage to delete Esmeralda Ransomware, this will not restore your files. Keep that in mind before you make a decision.

We have found that this ransomware is actually a new variant of Apocalypse Ransomware. This malware infection uses the widely used AES algorithm to take your files hostage. This ransomware targets and encrypts every file except those located in the Windows directory and the following extensions: .dat, .bat, .bin, .encrypted, .ini, .tmp, .lnk, .com, .msi, .sys, .dll, and .exe. This attack could leave your computer utterly devastated since there is a good chance that you will never be able to access your files again. All the affected files get a new ".encrypted" extension. This infection also creates a text file for every encrypted file with the name “[filename.jpg].How_To_Decrypt.txt”. This ".txt" file contains the very same message that comes up right after the malicious operations of this beast are over.

A gray window pops up on your desktop locking your screen with the ransom note when the encryption is over. This window however can be closed by pressing the "Alt+F4" key combination. Your Task Manager and your Explorer also get blocked so that you cannot remove Esmeralda Ransomware from your system easily. This malware infection also makes sure that this ransom note appears every time you reboot your system. This warning message claims that your Windows operating system has encountered a critical problem and that your “system access is locked and all the data have been encrypted to avoid the information be published or misused.” This is a rather lame excuse, of course, although we do not claim that it could not frighten some inexperienced users.

If you want to restore your data, you have to send an e-mail to esmeraldaencryption@mail.ru, which is obviously a well-known Russian mail server, and in a reply message you will supposedly receive more details about how you can pay for the unlock password and the Esmeralda Decryption Software. We do not have information yet with regard to the amount of the ransom fee but we can tell you that the usually price is from 0.1 Bitcoin up to 2 Bitcoins, which is from around 74 to 1,480 US dollars. It is always risky to contact cyber criminals, let alone transferring money to them. If you do not want to lose your money on top of your files, we recommend that you delete Esmeralda Ransomware right away.

If you are the lucky one who has a backup copy, before you rush to transfer your files back to your hard disk, we suggest that you remove Esmeralda Ransomware. In order to put an end to this ransomware invasion, you need to restart your computer in Safe Mode first. Only then you can remove the related files and registry entries to make sure that no leftovers remain on board. Please use our instructions below as a reference. If you do not want to get your hands “dirty,” you can also go for an automated method, such as SpyHunter, which you can download if you restart your computer in Safe Mode with Networking. With this up-to-date anti-malware program you can protect your system from all known malware infections.

Restart your PC in Safe Mode

Windows XP/Windows Vista/Windows 7

1. Reboot your system and press the F8 key a few times to bring up the boot menu.
2. Using your arrow keys, select Safe Mode, and hit the Enter key.

Windows 8/Windows 8.1/Windows 10

1. Change to the Metro UI screen by pressing the Windows key.
2. Click on the Power icon.
3. Tap and hold the Shift key and click Restart.
4. Choose Advanced options from the Troubleshooting menu.
5. Select Startup Settings and click Restart.
6. Press the F4 key to restart in Safe Mode.

How to remove Esmeralda Ransomware from Windows

1. Press Win+E.
2. If you were infected via spam, locate and delete the downloaded attachment.
3. Delete all the ransom note text files as well as:
   %PROGRAMFILES%\Windows NT\explorer.exe
   %PROGRAMFILES(x86)%\Windows NT\explorer.exe
4. Press Win+R and type regedit. Click OK.
5. Delete these registry keys:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer (value data: “C:\Program Files (x86)\Windows NT\explorer.exe”)
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer (value data: “C:\Program Files\Windows NT\explorer.exe”)
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
6. Exit the editor.
7. Empty your Recycle Bin.
8. Restart your computer in Normal Mode.