
Horseleader Ransomware

By GoldSparrow in Ransomware

It’s every little girl’s dream to own a horse, but there are some horses you can do without. The Horseleader ransomware, for example, is something that you definitely don’t want to find on your computer. The virus falls under the GarrantyDecrypt Ransomware family and was discovered thanks to the efforts of Jirehlov.

The ransomware encrypts files and appends the ".horseleader" file extension to them. For example, a file named "MyDocument.doc" would be changed to "MyDocument.doc.horseleader". It also changes the desktop background to a picture of horses and creates a ransom note called "#Decrypt#.txt" that contains information on how users can restore their files. The ransom note is also left in every folder with an infected file.

The ransom note text reads:

All your files have been ENCRYPTED!!!
Write to our ICQ @Horseleader
Or contact us via jabber - horseleader@xmpp.jp
Jabber client installation instructions:
Download the jabber (Pidgin) client from hxxps://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click - Add
In the -Protocol field, select XMPP
In -Username - come up with any name
In the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im
Create a password
At the bottom, put a tick -Create account
Click add
If you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data:
User
password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - hxxps://www.youtube.com/results?search_query=pidgin+jabber+install
If you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
tell your unique ID

As you can see, the ransom note tells victims how to contact the team behind the attack, through Jabber or ICQ. The criminals will supposedly then explain how a user can restore their files, which means paying a ransom to receive a decryption key. Victims are also told not to attempt to decrypt or rename the files themselves, or their data will be forfeit.

What Does Horseleader Do?

Ransomware such as this will encrypt the files on a computer using a powerful algorithm. The developers behind the virus are the only ones who are able to decrypt the files and they extort victims for money. Unfortunately, many people who do pay up are scammed anyway. They don’t get the decryption tool or key that they were promised after paying for it. That’s why security experts always advise that you never pay the ransom.

Given that there are no tools available to decrypt the information, the only way to guarantee files are safely restored is to use a backup. It’s worth mentioning that the files will still be encrypted even if the ransomware is removed. It’s always worth removing Horseleader though as this is the only way to prevent files from being encrypted again after being restored.
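An inventory script for the restore-from-backup step, built on the two file indicators this page gives (the ".horseleader" extension and the "#Decrypt#.txt" note left in each affected folder). This is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".horseleader"  # extension named on this page
RANSOM_NOTE = "#Decrypt#.txt"      # ransom note name given on this page


def triage(root):
    """Return (restore_map, note_dirs, notes_without_hits) for the tree under root."""
    restore_map, note_dirs, hit_dirs = {}, set(), set()
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        for name in files:
            lowered = name.lower()  # Windows file names are case-insensitive
            if lowered == RANSOM_NOTE.lower():
                note_dirs.add(folder)
            elif lowered.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # Strip the appended extension to get the name to pull from backup
                restore_map[folder / name] = folder / name[: -len(ENCRYPTED_SUFFIX)]
                hit_dirs.add(folder)
    # Note present but no encrypted files beside it: files were moved, renamed or
    # already cleaned up, so that folder needs a manual look.
    return restore_map, note_dirs, note_dirs - hit_dirs


def build_sample_tree(root):
    """Create a constructed sample tree of empty files (hypothetical names)."""
    layout = {
        "docs": ["MyDocument.doc.horseleader", "#Decrypt#.txt", "notes.txt"],
        "photos": ["cat.jpg.HORSELEADER", "#Decrypt#.txt"],
        "clean": ["report.pdf"],
        "moved": ["#Decrypt#.txt"],
    }
    for folder, names in layout.items():
        (Path(root) / folder).mkdir(parents=True)
        for name in names:
            (Path(root) / folder / name).touch()
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        restore, notes, orphans = triage(build_sample_tree(Path(tmp) / "sample"))
        for enc, orig in sorted(restore.items()):
            print(f"restore from backup: {orig}  (encrypted: {enc.name})")
        print(f"{len(notes)} folders hold {RANSOM_NOTE}, {len(orphans)} with no encrypted files")
```

triage() only reads directory listings, so it can be pointed at a mounted copy of an affected disk without modifying or deleting anything.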

There are plenty of different ransomware viruses out there. The main differences between them are the size of the ransom and the kind of encryption they use. It may be possible to decrypt the files without any assistance from hackers in the event of a poorly made ransomware. Horseleader has been cleverly designed though and that isn’t possible here.

How Does Horseleader Infect Computers?

Horseleader infects computers by hiding inside other viruses (trojans), email attachments, dubious downloads, and fake software updates. Trojans are a kind of malicious program designed to infect computers and spread other, more dangerous, malware and ransomware. They are used to create chain infections but, like any other kind of virus, they have to be installed to actually do anything.

Spam campaigns involve sending out hundreds, if not thousands, of spam emails tailored to trick people into opening malicious attachments. Cybercriminals attach documents, PDFs, and other such files to emails and trick users into opening them and installing Horseleader onto their computers.

How to Protect Against Horseleader

Always watch out for suspicious and unsolicited emails. If you aren’t sure what the email is about, then just delete it and move on. Double-check where an email has come from to ensure that it is from a trusted source. It also helps to only download software and updates from trusted websites and from the original creators themselves.

Make sure that you have some kind of antivirus program installed on your computer. Regular scans will help to prevent infections and deal with any infections that do arise.

The best way to defend yourself and your information against Horseleader and other ransomware is to keep regular external backups of your data and information. That way, even if something does happen, you can fix it in an instant.
