Remove HORSELIKER Virus (.HORSELIKER Files) + Restore Data

How to Remove HORSELIKER Virus (.HORSELIKER Files)


The article presents detailed information about HORSELIKER virus as well as a step-by-step guide on how to remove malicious files from the infected system and how to potentially recover encrypted files.

HORSELIKER virus is a severe crypto infection. The activation of HORSELIKER on your computer leads to system and data corruption. Primarily, the threat is designed to locate certain types of personal files and encodes them by utilizing strong cipher like AES and RSA. To make encrypted files more recognizable, HORSELIKER virus appends the extension .HORSELIKER to their names. Finally, the ransomware drops a ransom message file on the infected system to extort a ransom fee for .HORSELIKER files decryption. You can find a copy of the content of this file downward.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionA malware that is designed to encrypt valuable files stored on infected computers and then extort a ransom from victims.
SymptomsImportant files are encrypted and renamed with the extension .HORSELIKER
A ransom message forces victims to contact hackers in order to receive instructions on how to pay a ransom fee probably in cryptocurrency.
Distribution MethodSpam Emails; Email Attachments; Corrupted Websites; Software Installers
Detection Tool See If Your System Has Been Affected by HORSELIKER


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss HORSELIKER.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

HORSELIKER Ransomware — October 2019 Update

In October 2019 a new release of the HORSELIKER ransomware has been identified in an ongoing campaign. According to the available security reports this is probably the work of another criminal collective as a new contact email email and ransomware note design is being used. The analysis of the captured samples shows that some of the infections happen through malware-infected files which are sent to the intended recipients. They can be both executables, application installers or macro-infected documents.

Some of the infected files that have been confirmed to carry the malware bear the following file name AntiRecuvaAndDB.ex_ which is a double extension file which is in fact an EXE. When the users click on it they will start the proper virus deployment sequence. This includes some of the following modules:

  • Command Execution — The criminals can embed commands that will be run using the command prompt or the PowerShell environment on the infected computer.
  • Security Applications Bypass — The malware will search the system for any installed security applications and services. If such are found they will be disabled. This includes firewalls, anti-virus software, virtual machine hosts and other applications which might interfere with the proper HORSELIKER ransomware installation.
  • Data Harvesting — Advanced forms of the virus may also be used to hijack sensitive information that may reveal additional information about the identity of the victims and/or their machine. This can be done in order to generate an unique ID for each host.

Some of the HORSELIKER ransomware can be used to deploy additional malware on the infected computer.

HORSELIKER Ransomware – More About the Infection

HORSELIKER virus is a data locker ransomware that has been detected in active attack campaigns. The attack campaigns that are spreading HORSELIKER ransomware are liely to be realized with the help of spam emails, email attachments, hacked web pages, and corrupted freeware installers.

The attack begins when the HORSELIKER virus is executed on your system. Threats of this kind are usually designed to perform lots of complex malicious activities that seriously disrupt system security and eventually lead to encryption of personal files.

For the encryption of target files HORSELIKER virus launches a built-in cipher module that scans selected folders for predefined types of files that are known to be used for the storage of valuable personal data. Every time the module detects a target file, it applies changes that transform its original code. Like other data locker ransomware (

STOP Hese, Dharma .pdf, etc.) HORSELIKER is likely to utilize sophisticated cipher algorithms (AES and RSA) to transform files’ code.

Unfortunately, the threat is likely to corrupt all of the following files:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

Following encryption, corrupted files cannot be opened. In addition, they have the extension .HORSELIKER appended to their names. In fact, the main goal of this ransomware is to blackmail you into paying a ransom to hackers. That’s why HORSELIKER drops a ransom message with instructions on how to complete the ransom payment process.

Here is a copy of HORSELIKER virus’ ransom message:

Want return your files?Write to our xmpp account – horsesecret@xmpp. jp
The easiesy way – register here
After download pidgin client
Press Add account, choose protocol xmpp and put username from where are you sign up
Domain –
Put your passowd and press add
When you log in press Buddies –> Add Buddy–>and in Buddys username put beautydonkey xmpp.
After you will see added account, click twice on it an write your mess
You can send us 1-3 test files. The total size of files must be less than 10Mb (non archive) we will decrypt them and send to you that we are real


You should NOT under any circumstances contact cybercriminals or pay any ransom sum to them. This action does not guarantee the recovery of your .HORSELIKER files.

How to Remove HORSELIKER Virus

The so-called HORSELIKER ransomware is a threat with a highly complex code that disrupts system security in order to encrypt personal files. Hence the infected system could be used in a secure manner again only after the complete removal of all malicious files and objects created by HORSELIKER ransomware. That’s why it is recommendable that all steps presented in the HORSELIKER virus removal guide below should be completed. Beware that the manual ransomware removal is suitable for more experienced computer users. If you don’t feel comfortable with the manual steps navigate to the automatic part of the guide.

How to Recover .HORSELIKER Files

There are several alternative methods that may be efficient for the recovery of .HORSELIKER files, but note that there is no guarantee they would work. You could find them listed under Step 5 from our HORSELIKER ransomware removal guide. Beware that you should make copies of all encrypted files and save them on a flash drive for example. This additional step will prevent the permanent loss of encrypted .HORSELIKER files.

Ransomware Removal Instructions

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus


  1. AvatarJohn Agar

    Stellar want me to buy a licence before they will recover the data. The licence is expensive. How do I know that the data will be recovered? Is this just another extension of the same trap?


    1. Milena DimitrovaMilena Dimitrova

      Hi John,

      This is a data recovery program not a decrypter. There is a huge possibility that the program won’t succeed in restoring the data. That is why it is mentioned as an alternative approach with no guarantee in our article.


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share