Horse ransomware encrypts files, adds a long file extension ending in [ICQ@cavallograndecapo].horse to all affected files, and drops info.hta and info.txt ransom notes. Horse malware belongs to the Phobos ransomware family.
Horse ransomware is file-encrypting malware that locks files and demands money in exchange for their decryption. It’s a pretty typical ransomware but is still dangerous. Once files are encrypted, their decryption may not be possible without the specific decryptor offered by the cyber criminals operating this ransomware.
However, paying the ransom is always tricky because file decryption is not guaranteed. Users should keep in mind that they are dealing with cyber criminals, and there are no guarantees that they will send a decryptor. Countless times in the past, users have been left with encrypted files and no decryptor even after paying the ransom. And even if a decryptor is sent, it doesn’t always work as it should.
Unfortunately, currently the only sure way to recover files is via backup. If users have backed up their files prior to their computers getting infected, they can start file recovery as soon as the ransomware is no longer present. If users do not delete Horse ransomware before accessing their backup, those backed up files may become encrypted as well.
Are Horse ransomware files decryptable?
As soon as users open the malicious file and initiate the ransomware, it will begin the file encryption process. Ransomware has a set of file types it targets and encrypts, usually including documents, photos, videos, etc. Those are usually the most important files to users, thus users would be most willing to pay for them. Once the encryption process is complete, affected files will have an extension added to them. The extension is the victim’s unique ID followed by [ICQ@cavallograndecapo].horse. For example, image.jpg would become image.jpg.id[unique ID].[ICQ@cavallograndecapo].horse. Victims will not be able to open any files that have this extension as they’ve been encrypted.
Once the encryption process is complete, the ransomware will drop two ransom notes – info.hta and info.txt. The ransom note explains that victims need to install the ICQ messenger and contact them using their provided ICQ ID. The note also shows victims their unique ID which needs to be included when contacting the cyber criminals behind this ransomware. According to the note, victims can send up to 5 files to be decrypted for free, provided they do not contain valuable information.
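The file-name pattern and ransom-note names described above are the indicators a responder would use to triage an affected machine or share. The following Python script is an added example, not part of the original article or of any vendor tool: it walks a directory tree, recognises files carrying the Horse extension, recovers the original file name and the victim ID embedded in it, and lists any info.hta / info.txt notes. It only reports and never renames or modifies anything. The victim ID format is not documented on the page, so the regex accepts any text between the brackets, and the sample IDs and file names created by build_sample_tree() are constructed.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Name pattern described for Horse ransomware:
#   <original name>.id[<victim ID>].[ICQ@cavallograndecapo].horse
# The victim ID format is an assumption here, so any non-bracket text is accepted.
HORSE_SUFFIX = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]\.\[ICQ@cavallograndecapo\]\.horse$",
    re.IGNORECASE,
)

# Ransom notes dropped by the ransomware (names taken from the article).
RANSOM_NOTES = {"info.hta", "info.txt"}


def parse_horse_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, victim_id) if `name` carries the Horse extension, else None."""
    m = HORSE_SUFFIX.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id")


def scan_tree(root: str) -> Dict[str, object]:
    """Walk `root` read-only and summarise Horse ransomware indicators.

    Returns encrypted files as (relative path, original name, victim ID),
    the distinct victim IDs seen, and the relative paths of ransom notes.
    Nothing on disk is touched: encrypted files must not be renamed.
    """
    encrypted: List[Tuple[str, str, str]] = []
    notes: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            parsed = parse_horse_name(fname)
            if parsed:
                encrypted.append((rel, parsed[0], parsed[1]))
            elif fname.lower() in RANSOM_NOTES:
                notes.append(rel)
    return {
        "encrypted": sorted(encrypted),
        "victim_ids": sorted({vid for _, _, vid in encrypted}),
        "ransom_notes": sorted(notes),
    }


def build_sample_tree(base: str) -> None:
    """Create a constructed layout mimicking an infected share (sample data, not real IoCs)."""
    vid = "A1B2C3D4-1234"  # constructed victim ID
    layout = [
        f"report.docx.id[{vid}].[ICQ@cavallograndecapo].horse",
        f"photos/holiday.jpg.id[{vid}].[ICQ@cavallograndecapo].horse",
        "info.txt",
        "photos/info.hta",
        "readme.txt",         # untouched file, must not be flagged
        "notes.txt.horse",    # wrong shape (no id[...] part), must not be flagged
    ]
    for rel in layout:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")


def demo() -> Dict[str, object]:
    """Build the sample tree in a temporary directory and return the scan summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    summary = demo()
    print(f"victim IDs: {summary['victim_ids']}")
    for rel, original, vid in summary["encrypted"]:
        print(f"encrypted: {rel}  (was {original}, id {vid})")
    for rel in summary["ransom_notes"]:
        print(f"ransom note: {rel}")
```

Point scan_tree() at a real path (a mounted share or a forensic image) to get the same summary for an actual incident; the recovered original names are what you would use to pick the matching files out of a backup.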
Here is the full ransom note:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, install ICQ software on your PC or mobile phone here hxxps://icq.com/windows/
Write to our ICQ @cavallograndecapo hxxps://icq.im/cavallograndecapo
Write this ID in the title of your message –
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The note does not mention how much victims would need to pay; supposedly it depends on how quickly they make contact. The price will likely range between $100 and $1000 in Bitcoin, based on how much other ransomware programs demand. However much these cyber criminals request, paying is not recommended. As we mentioned above, there is a high chance that a decryptor would not be sent, even after payment is made. There are also cases where users receive broken decryptors that do nothing. Furthermore, by paying, users are making ransomware a profitable business, encouraging crooks to continue.
Users should keep in mind that while malware researchers do release free decryption tools for ransomware, one for Horse ransomware is not available. There are many bogus services claiming to be able to decrypt files but users should be very cautious. Furthermore, users should be careful to not download free decryptors from questionable sources. One legitimate source for free decryptors is NoMoreRansom. If a decryptor for Horse ransomware does become available, it would likely appear there.
Ransomware distribution methods
The majority of ransomware use more or less the same distribution methods, which include spam email, torrents, software cracks, system vulnerabilities, etc. Most of the time, if users have good browsing habits, they will be able to avoid the majority of malware.
One of the more popular ways to distribute malware is via email attachments. Cyber crooks buy databases full of leaked email addresses and then launch spam campaigns that distribute their malware/ransomware. Those emails are usually quite obvious. For one, despite senders claiming to be from legitimate companies/organizations, they’re sent from nonsensical email addresses. They’re also usually full of grammar and spelling mistakes. When it comes to unsolicited emails with files attached, we strongly recommend scanning them with anti-malware software or VirusTotal before opening them.
Torrents and software cracks are also often used to distribute ransomware. Torrent sites are full of malware disguised as torrents for popular entertainment content, such as movies, games, TV series, etc. Forums offering software cracks may also contain malware.
Finally, it should be mentioned that installing updates is essential to protect a computer from malware. Malware can use system vulnerabilities to get in but all known vulnerabilities are patched by updates. Automatic updating should be enabled whenever possible.
How to remove Horse ransomware
Because ransomware is a complex type of malware, users should use anti-malware software for Horse ransomware removal. Manual removal may end up causing more damage, thus we cannot recommend users try it. Unfortunately, removing the ransomware does not mean files will become decrypted. The only way to decrypt those files is to use a special decryptor.
Once users delete Horse ransomware, they can access their backup to start recovering Horse ransomware encrypted files.
Horse ransomware is detected as:
- A Variant Of Win32/Filecoder.Phobos.C by ESET
- Ransom.Phobos by Malwarebytes
- HEUR:Trojan.Win32.Generic by Kaspersky
- Ransom:Win32/Phobos.PC!MTB by Microsoft
- ML.Attribute.HighConfidence by Symantec