What is HORSELIKER Ransomware
HORSELIKER ransomware is the work of attackers who created a whole family of cryptoviruses called PHOBOS. User files, after the penetration of this cryptovirus, are encrypted with a complex algorithm, after which they become unsuitable for further use. In addition to encryption, HORSELIKER ransomware changes the file extension to .HORSELIKER. Technically, the extension is composite and looks like this: .id[user-id].сleverhorse@ctemplar.com].HORSELIKER. Conventional methods do not help to remove HORSELIKER ransomware and decrypt HORSELIKER files. Also, attackers create a file info.hta that is a message from them. Here’s what it looks like:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail cleverhorse@ctemplar.com
Write this ID in the title of your message 1E857D00-2374
If there is no response from our mail, you can install the Jabber client and write to us in support of cleverhorse@xmpp.jp
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1-3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Jabber client installation instructions:
Download the jabber (Pidgin) client from hxxps://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click “Add”
In the “Protocol” field, select XMPP
In “Username” – come up with any name
In the field “domain” – enter any jabber-server, there are a lot of them, for example – exploit.im
Create a password
At the bottom, put a tick “Create account”
Click add
If you selected “domain” – exploit.im, then a new window should appear in which you will need to re-enter your data:
User
password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don’t understand our Pidgin client installation instructions, you can find many installation tutorials on youtube – hxxps://www.youtube.com/results?search_query=pidgin+jabber+install
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Also, the info.txt text file is also a note:
Want return your files? Write to our mail cleverhorse@ctemplar.com
If you have a problem with xmpp you can write our xmpp account – cleverhorse@xmpp.jp
The easiest way – register here hxxps://www.xmpp.jp/signup
After download pidgin client https://pidgin.im/
Press Add account,choose protocol xmpp and put username from xmpp.jp where are you sign up
Domain – xmpp.jp
Put your password and press add
When you log in press Buddies –> Add Buddy–>and in Buddys username put cleverhorse@xmpp.jp
After you will see added account cleverhorse@xmpp.jp,click twice on it and write your message.You can send us 1-3 test files. The total size of files must be less than 10Mb (non archived),
we will decrypt them and send to you that we are real
The exact amount of the buyback is not indicated, however, according to reports, the buyback price can reach several hundred dollars, and sometimes several thousand. Fraudsters provided contact addresses for contacting them. And of course, the note ends with a message that if the user does not do as he is told, then the files will be lost forever. Be that as it may, we do not recommend you pay. Check out our guides and instructions to remove HORSELIKER ransomware and decrypt .HORSELIKER files.
How to remove HORSELIKER Ransomware
First of all, don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will HORSELIKER Ransomware system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the HORSELIKER Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
Recommended Solution:
Try SpyHunter
SpyHunter is a powerful tool that is able to keep your Windows clean. It would automatically search out and delete all elements related to malware. It is not only the easiest way to eliminate malware but also the safest and most assuring one. The full version of SpyHunter costs $42 (you get 6 months of subscription). By clicking the button, you agree to EULA and Privacy Policy. Downloading will start automatically.
You may find more detailed information about antivirus products in our article – Top 5 Antivirus Software for Windows
Restore your files using shadow copies
- Download and run Stellar Data Recovery.
- Select type of files you want to restore and click Next.
- Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
- Once the scanning process is done, click Recover to restore your files.
Step 2: Remove following files and folders of HORSELIKER Ransomware:
Related connections or other entries:
No information
Related files:
No information
How to decrypt files infected by HORSELIKER Ransomware?
You can try to use manual methods to restore and decrypt your files.
Decrypt files manually
Restore the system using System Restore
Although the latest versions of HORSELIKER Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
How to prevent your system from Ransomware?
Make sure your Remote Desktop Protocol (RDP) connection is closed when you don’t use it. Also, we recommend using a strong password for this service. The most efficient way to avoid data lose is of course to make a backup of all important data from your computer.