Horse Ransomware

By GoldSparrow in Ransomware

Don’t let the name fool you; there is nothing majestic about Horse Ransomware. It is nothing like the elegant namesake it bears. Rather, this is one nasty computer virus that you don’t want to have to deal with.

What is Horse Ransomware?

Horse ransomware is a kind of file-locking trojan virus that prevents users from accessing documents, media, and other types of files by encrypting the contents. Horse Ransomware falls under the Phobos family of ransomware, making it likely that tie virus will use other attacks used by other Phobos viruses. The virus will likely delete Shadow Volume Copies of data on Windows to make data recovery more difficult. Keeping an external backup of data is the easiest way to recover files without having to pay a ransom. Maintaining robust security on your computer helps to prevent an infection in the first place.

What Does Horse Ransomware Do?

The Horse ransomware certainly has all the power of a wild animal. Horse targets essential data and holds it hostage for ransom. While some people might feel that Horse ransomware is the same as the similar-sounding Scarab-Horisa ransomware, security researchers have confirmed that Horse belongs to the Phobos family and is its own threat.

Horse ransomware is similar to other members of the Phobos family at the core. It is built for Windows operating systems and can perform several Shell commands as part of the extortion plan, including

  • Disabling Windows Firewall
  • Deleting Shadow Volume Copies of data
  • Adding specific ID tags for victims, the “horse” file extension, and ICQ contact address

As troublesome as those elements are, nothing compares to the encryption process. Horse encrypts files to prevent users from accessing their documents and digital media. File-locking viruses like this tend to target specific files and folders, such as the Documents, Pictures, or Desktop folders. Horse Ransomware has a list of particular file types it aims for, no matter where they are stored in the computer.

Horse ransomware delivers the ransom demand through an HTA pop-up and through a Notepad text file. The ransom note is shown below;

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, install ICQ software on your PC or mobile phone here hxxps://
Write to our ICQ @cavallograndecapo hxxps://
Write this ID in the title of your message –
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

What to do if Your Computer is Infected

As a member of the Phobos family, Horse ransomware likely has similar attack patterns. Network admins need to ensure that their Remote Desktop features are kept up to date and secure against attacks. Ensure that users have strong passwords to protect against brute force attacks, and be wary of outdated software, open ports, and malicious email attachments.

Users on the individual level are still at risk from these kinds of attacks. File-locking trojans can hit anyone at any time through illegal downloads, torrents, and freeware disguised as a legitimate program. The threat of malware like this is the main reason to maintain a robust data backup. That way, you can recover your files if something happens to them.

One of the worst things you could do is engage with the attackers over ICQ and pay the ransom. There is no guarantee that the attackers will deliver the decryption tools they promise. There is more evidence that they won’t than that they will. Giving in to their demands also encourages them to continue attacking others, ensuring that ransomware-as-a-service attacks continue for years to come. Don’t let yourself be a target and make other people targets in the process.

1 Comment

This virus changed to ICQ@VIRTUALHORSE
I paid him today and get my data

Related Posts


Most Viewed