
Horse Ransomware

Posted: August 27, 2020

The Horse Ransomware is a file-locking Trojan that keeps documents, media and other files from opening by encrypting their contents. As a member of the Phobos Ransomware family, it is likely to use the other attacks that are traditional for that group, such as deleting Windows backups. Keeping secure, offline backups lets victims recover their files without paying a ransom, and standard anti-malware tools should delete the Horse Ransomware with little to no difficulty.

Trampling Over File Data with Poor Justification

With about as much restraint as a wild mustang, the Phobos Ransomware family and its new variants, such as the Horse Ransomware, go straight for the data victims are most likely to need and hold it hostage. Although its name invites confusion with the well-known Scarab-Horsia Ransomware, malware researchers confirm the Horse Ransomware's membership in the Phobos Ransomware family, a small offshoot of the Crysis Ransomware and its Trojan-building kit.

The Horse Ransomware is like most of its brethren in its essentials. It targets Windows environments and runs several shell commands that support its extortion plan, such as:

  • Deleting Shadow Copies (the data behind Windows Restore Points and many backup tools), so that files can't simply be rolled back.
  • Disabling the Windows Firewall.
  • Renaming each locked file with a victim-specific ID, an ICQ contact address, and a 'horse' extension.
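As an added example (not code from the original page, and not taken from any analysis of the Horse Ransomware itself), the following Python detection logic scans process-creation records for the Shadow Copy deletion and firewall disabling listed above. It goes slightly beyond the page's list by also matching the bcdedit and wbadmin recovery-disabling commands commonly seen alongside them in this family; the 'Key=Value|...' record format, the rule names and the sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


# Detection rules over the full command line. The vssadmin/wmic and netsh rules
# cover the two behaviours named in the text (Shadow Copy deletion, firewall
# disabling); the bcdedit/wbadmin rules are an addition often seen in the same
# family (an assumption of this example, not a claim taken from the page).
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("firewall_disabled_netsh",
     re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bset\b.*\bstate\s+off\b", re.I)),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_delete_wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]


def parse_record(line: str) -> dict:
    """Parse a 'Key=Value|Key=Value' record. This is a constructed format that
    stands in for Sysmon Event 1 / Security 4688 process-creation fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(records) -> list:
    """Return one Finding per (record, rule) match, in input order."""
    findings = []
    for line in records:
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, rec.get("Image", ""), cmd))
    return findings


# Constructed sample records: four tampering commands spawned by an installer
# named after Recuva (the disguise the text mentions), then two benign look-alikes.
SAMPLE_RECORDS = [
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Users\victim\Downloads\Recuva.exe|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|ParentImage=C:\Users\victim\Downloads\Recuva.exe|CommandLine=wmic shadowcopy delete",
    r"EventID=1|Image=C:\Windows\System32\netsh.exe|ParentImage=C:\Users\victim\Downloads\Recuva.exe|CommandLine=netsh advfirewall set currentprofile state off",
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Users\victim\Downloads\Recuva.exe|CommandLine=bcdedit /set {default} recoveryenabled no",
    # Benign: listing shadows and showing firewall state are not tampering.
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=vssadmin list shadows",
    r"EventID=1|Image=C:\Windows\System32\netsh.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=netsh advfirewall show allprofiles",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.rule:32s} {f.image}  ->  {f.command_line}")
```

Matching on the command line rather than the image name is deliberate: the tools are legitimate Windows binaries, so the alertable signal is the destructive verb (delete, set state off, recoveryenabled no), ideally combined with an unusual parent process such as a freshly downloaded executable.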

However, none of the above is as critical as the encryption, which is what actually blocks documents and other digital media. Many file-locking Trojans confine themselves to locations like Documents or the desktop. The Horse Ransomware (like relatives such as the Adage Ransomware, the Barak Ransomware, the Calum Ransomware, or the Dewar Ransomware) encrypts files of its targeted formats throughout the PC, including those in the root of the C drive.

The Phobos Ransomware variant delivers its ransom demands in two messages: an HTA pop-up and a Notepad text file. Because this family uses a secure, if unoriginal, pair of encryption algorithms (AES for the file contents, with the AES key protected by an attacker-held RSA key), victims have few free decryption alternatives as a practical recovery option.
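The renaming scheme described above also makes encrypted files easy to triage after an incident. As an added example (not from the original page), this Python parser pulls the victim ID, contact address and extension out of Phobos-style names of the form original.ext.id[XXXXXXXX-NNNN].[contact].horse and summarises a file listing. The exact regex, the sample listing and the contact string are assumptions constructed for the example.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Phobos-family naming scheme:
#   <original name>.id[<8 hex victim id>-<4 digit campaign id>].[<contact>].<extension>
# The regex below is this example's own rendering of that scheme (an assumption).
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<campaign_id>\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class EncryptedName:
    original: str      # name before the Trojan appended its tags
    victim_id: str     # per-machine ID, also shown in the ransom note
    campaign_id: str   # four-digit suffix that stays constant across a campaign (assumption)
    contact: str       # attacker contact address (ICQ for this variant)
    ext: str           # appended extension, 'horse' for this variant


def parse_encrypted_name(name: str) -> Optional[EncryptedName]:
    """Return the parsed tags for a Phobos-style file name, or None when the
    name does not follow the scheme (untouched files, ransom notes)."""
    m = PHOBOS_NAME.match(name)
    return EncryptedName(**m.groupdict()) if m else None


def triage(paths, expected_ext: str = "horse") -> dict:
    """Split a file listing into encrypted and untouched files and summarise
    the victim IDs, contacts and folders involved."""
    encrypted, untouched = [], []
    for path in paths:
        parsed = parse_encrypted_name(ntpath.basename(path))
        if parsed and parsed.ext.lower() == expected_ext:
            encrypted.append((path, parsed))
        else:
            untouched.append(path)
    return {
        "victim_ids": {p.victim_id for _, p in encrypted},
        "contacts": {p.contact for _, p in encrypted},
        "folders": Counter(ntpath.dirname(path) for path, _ in encrypted),
        "encrypted": encrypted,
        "untouched": untouched,
    }


# Constructed file listing: three locked files in different folders, the two
# ransom notes (HTA pop-up and text file), and an untouched system file.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\budget.xlsx.id[1A2B3C4D-2876].[ICQ@example-contact].horse",
    r"C:\Users\victim\Desktop\photo.jpg.id[1A2B3C4D-2876].[ICQ@example-contact].horse",
    r"C:\backups\db.bak.id[1A2B3C4D-2876].[ICQ@example-contact].horse",
    r"C:\info.hta",
    r"C:\info.txt",
    r"C:\Windows\System32\kernel32.dll",
]


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print("victim IDs:", result["victim_ids"])
    print("contacts:  ", result["contacts"])
    for folder, count in result["folders"].items():
        print(f"{count:4d}  {folder}")
```

A single victim ID across every file is expected for one infected machine; more than one ID in the same listing usually means the share was written to by several infected hosts, which changes the scope of the response.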

Taming a Galloping Beast of a Program

Past attacks by the Phobos Ransomware collective don't all follow the same pattern, but some earlier strategies may recur in new campaigns like the Horse Ransomware attacks. Network admins should pay special attention to the security of Remote Desktop: keep it off the public Internet or behind a VPN, enable Network Level Authentication and account lockout, and enforce password requirements that hold up against brute-force attacks. Open ports, outdated server software, and carelessly opened e-mail attachments are other common ways Trojans get installed.
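To make the RDP brute-force warning concrete, here is an added example (not from the original page) of a sliding-window detector over Windows failed-logon events (Event ID 4625). It flags a source address once it accumulates a threshold of failures inside a time window and records how many distinct accounts it tried, which separates a single-account brute force from password spraying. The event line format, the ten-failures-in-five-minutes threshold, the choice of logon types and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10            # failures per source before alerting (assumption)
WINDOW = timedelta(minutes=5)     # sliding window length (assumption)
# Logon type 10 = RemoteInteractive; type 3 = Network, which is how failures
# show up when Network Level Authentication handles the credential first.
RDP_LOGON_TYPES = {"10", "3"}


def parse_event(line: str):
    """Parse a constructed 'timestamp|EventID|Key=Value|...' line."""
    ts, event_id, *rest = line.split("|")
    fields = dict(part.split("=", 1) for part in rest)
    return datetime.fromisoformat(ts), int(event_id), fields


def detect_rdp_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW) -> dict:
    """Return {source_ip: {'triggered_at': datetime, 'users': set}} for every
    source that reaches `threshold` failed RDP logons inside `window`."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    users = defaultdict(set)      # per-source account names attempted
    alerts = {}
    for ts, event_id, f in events:
        if event_id != 4625 or f.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip = f.get("IpAddress", "-")
        q = recent[ip]
        q.append(ts)
        users[ip].add(f.get("TargetUserName", ""))
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"triggered_at": ts, "users": set(users[ip])}
    return alerts


def _constructed_events():
    """Constructed sample: one brute force, one password spray, one real user."""
    base = datetime(2020, 8, 27, 10, 0, 0)
    lines = []
    # Source A: 12 failures in two minutes against one account (classic brute force).
    for i in range(12):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}|4625|LogonType=10|IpAddress=203.0.113.7|TargetUserName=administrator")
    # Source B: 10 failures in a minute, each against a different account (spraying).
    for i in range(10):
        t = base + timedelta(minutes=30, seconds=6 * i)
        lines.append(f"{t.isoformat()}|4625|LogonType=3|IpAddress=192.0.2.9|TargetUserName=user{i:02d}")
    # Source C: a real user mistyping a password three times over an hour, then succeeding.
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()}|4625|LogonType=10|IpAddress=198.51.100.5|TargetUserName=alice")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()}|4624|LogonType=10|IpAddress=198.51.100.5|TargetUserName=alice")
    return lines


SAMPLE_EVENTS = _constructed_events()


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        kind = "password spray" if len(info["users"]) > 1 else "brute force"
        print(f"{ip:15s} {kind:15s} at {info['triggered_at'].isoformat()} "
              f"({len(info['users'])} account(s))")
```

Detection is the backstop, not the fix: an account lockout policy stops the single-account case at the source, while the spray pattern (many accounts, few attempts each) is exactly what lockout misses, which is why the distinct-user count is kept.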

Users at home also are at risk from less-targeted attacks. File-locker Trojans infect random users through torrents and download links with illegal or plausible themes (game cracks or Coronavirus trackers, for instance). Regardless of the environment, Windows users should keep backups that are not permanently connected to the PC, on removable media or in a cloud service, so that losing local data is recoverable. Any payment to the Horse Ransomware's campaign validates the Ransomware-as-a-Service model and funds criminal efforts that recycle the same resources.

The Horse Ransomware uses an installer name typical for its family: an ironic reference to the 'Recuva' file-recovery tool. No further details of how it names itself during installation are available, although a proper anti-malware product will see past its obfuscation and delete the Horse Ransomware on sight.

Bargaining over ICQ for Bitcoins is a reckless way of trying to get anyone's files back to their original state. As long as users pay the Horse Ransomware's family, Ransomware-as-a-Service will live on, giving its targets something to fear.
