How To Stop & Remove HorrorDead Ransomware
In the ever-evolving landscape of cyber threats, a new ransomware program named HorrorDead has emerged, adding another layer of complexity to data protection challenges. Ransomware, by design, encrypts files on a victim’s system, holding them hostage until a ransom is paid for decryption. HorrorDead follows this notorious playbook but with some unique twists.
How HorrorDead Operates
Upon infecting a system, HorrorDead encrypts files and appends the extension ".encrypted@HorrorDeadBot" to their filenames. For instance, "1.jpg" becomes "1.jpg.encrypted@HorrorDeadBot" and "2.png" becomes "2.png.encrypted@HorrorDeadBot". The original name and extension are kept intact in front of the appended suffix, so the original filename (though not the content) can be recovered by stripping it. Once the encryption process is complete, HorrorDead changes the desktop wallpaper to display a ransom message in Russian.
The Ransom Note
Unlike typical ransomware, HorrorDead's ransom note claims the program is a prank, even though it does encrypt files. The message warns that spreading the malware is a criminal offense under Articles 272 and 273 of the Russian Federation's criminal code. It refers to a text file that should contain instructions for downloading a decryptor, but no such file was found during our tests. The note also claims the files were encrypted with AES-256; that claim should be treated as unverified. Although the note insists that the decryptor is safe (and even invites the victim to check it on VirusTotal), there is no reason to trust this. We strongly advise against downloading or running any file suggested by cybercriminals.
The HorrorDead ransom note, translated from Russian, reads as follows:
WARNING! THIS PROJECT IS A JOKE. DISTRIBUTING
AND REPLICATING THIS EXE FILE
ENTAILS CRIMINAL LIABILITY UNDER ARTICLES 272 AND 273 OF THE CRIMINAL CODE OF THE RUSSIAN FEDERATION.
Hello! If you are seeing this message, or a text file has appeared on your system, it means that your system
is infected with the HorrorDead Ransomware virus, and all your files have been encrypted with an AES-256 encryption key.
To decrypt your files, follow these instructions:
1. Go to Telegram
2. Search for @HorrorDeadBot, or leave Telegram and follow the link hxxps://t.me./HorrorDeadBot
3. Press the Start button (in English it will say Start).
4. Press the 'Get decryptor' button
5. Download the decryptor (it definitely contains no viruses); if you do not believe that, upload the decryptor to VirusTotal.
6. Decrypt your files.
7. Done
WARNING! THIS PROJECT IS A JOKE. DISTRIBUTING
AND REPLICATING THIS EXE FILE
ENTAILS CRIMINAL LIABILITY UNDER ARTICLES 272 AND 273 OF THE CRIMINAL CODE OF THE RUSSIAN FEDERATION.
The Reality of Decryption
Our extensive experience with ransomware reveals a grim reality: decryption without the attackers' key is generally impossible unless the ransomware has an implementation flaw or a free decryptor has been published for it. Even if the ransom is paid, data recovery is not guaranteed; cybercriminals frequently fail to provide a working decryptor after payment. Paying the ransom funds illegal activity and does not ensure that your data comes back.
Removal and Recovery
To prevent further encryption by HorrorDead, the ransomware must be removed from the infected system before anything is restored or reconnected. Removing it will not restore files that have already been encrypted. The best solution is to recover files from a backup made before the infection; confirm that the backup really predates the infection, because a backup that was synced while the ransomware was running will contain the encrypted copies instead of the originals. Regularly backing up data to multiple, separate locations, such as remote servers and storage devices that are unplugged when not in use, is crucial for data safety.
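The two points above, that HorrorDead merely appends a fixed suffix to each filename and that restoration must come from a backup taken before the infection, can be turned into a small triage script. The following is an added example, not code from the original article or from any vendor tool; it assumes only the ".encrypted@HorrorDeadBot" suffix described above, and the victim and backup directory trees it builds are constructed sample data so that it runs offline. For each encrypted file it derives the original name, then checks whether the backup tree holds a clean copy, holds the encrypted name as well (meaning the backup was taken after infection and must not be trusted for that file), or has no copy at all.

```python
"""Triage helper for a HorrorDead-style infection (added example, not the
article's own code). Assumes only what the article states: encrypted files
carry the suffix ".encrypted@HorrorDeadBot" appended to their original name.
The directory layout and file contents built by build_sample_trees() are
constructed sample data for an offline demonstration run."""
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Optional

HORRORDEAD_SUFFIX = ".encrypted@HorrorDeadBot"  # suffix from the article


def original_name(encrypted_name: str) -> Optional[str]:
    """Strip the HorrorDead suffix; return None if the name does not carry it."""
    if encrypted_name.endswith(HORRORDEAD_SUFFIX):
        return encrypted_name[: -len(HORRORDEAD_SUFFIX)]
    return None


def find_encrypted_files(root: Path) -> list[tuple[Path, str]]:
    """Walk `root` and return (encrypted_path, original_filename) pairs."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            orig = original_name(path.name)
            if orig is not None:
                hits.append((path, orig))
    return hits


def plan_restore(victim_root: Path, backup_root: Path) -> dict[str, list[str]]:
    """Match every encrypted file on the victim against the backup tree.

    Returns original relative paths grouped into:
      restorable   - a clean copy exists in the backup
      contaminated - the backup holds the *encrypted* name too, i.e. it was
                     taken or synced after infection and must not be trusted
      missing      - no backup copy at all
    """
    result: dict[str, list[str]] = {"restorable": [], "contaminated": [], "missing": []}
    for enc_path, orig in find_encrypted_files(victim_root):
        rel_dir = enc_path.parent.relative_to(victim_root)
        rel_orig = (rel_dir / orig).as_posix()
        if (backup_root / rel_dir / enc_path.name).exists():
            result["contaminated"].append(rel_orig)
        elif (backup_root / rel_dir / orig).exists():
            result["restorable"].append(rel_orig)
        else:
            result["missing"].append(rel_orig)
    return result


def build_sample_trees(base: Path) -> tuple[Path, Path]:
    """Create a constructed victim tree and backup tree for the demo."""
    victim, backup = base / "victim", base / "backup"
    (victim / "Pictures").mkdir(parents=True)
    (victim / "Docs").mkdir(parents=True)
    # Victim: three encrypted files plus one file the ransomware did not touch.
    (victim / "Pictures" / ("1.jpg" + HORRORDEAD_SUFFIX)).write_bytes(b"\x00" * 16)
    (victim / "Docs" / ("report.docx" + HORRORDEAD_SUFFIX)).write_bytes(b"\x00" * 16)
    (victim / "Docs" / ("budget.xlsx" + HORRORDEAD_SUFFIX)).write_bytes(b"\x00" * 16)
    (victim / "Docs" / "notes.txt").write_text("untouched")
    # Backup: Pictures was backed up before infection (clean 1.jpg), but the
    # Docs folder was synced afterwards, so it already holds an encrypted copy
    # of report.docx and never received budget.xlsx at all.
    (backup / "Pictures").mkdir(parents=True)
    (backup / "Docs").mkdir(parents=True)
    (backup / "Pictures" / "1.jpg").write_bytes(b"\xff\xd8\xff")
    (backup / "Docs" / ("report.docx" + HORRORDEAD_SUFFIX)).write_bytes(b"\x00" * 16)
    return victim, backup


def demo() -> dict[str, list[str]]:
    """Run plan_restore over the constructed sample trees."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, backup = build_sample_trees(Path(tmp))
        return plan_restore(victim, backup)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

On the sample data the script reports "Pictures/1.jpg" as restorable, "Docs/report.docx" as contaminated and "Docs/budget.xlsx" as missing. The "contaminated" bucket is the practical reason for keeping versioned or unplugged backups: a continuously synced share will faithfully copy the encrypted files over the originals.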
Recent ransomware examples like Pomochit, OceanSpy, ZILLA, and LostInfo follow a similar pattern: encrypting files and demanding ransom for decryption. The main differences between these ransomware types lie in the cryptographic algorithms they use (symmetric or asymmetric) and the ransom amount demanded.
Infection Methods
Ransomware commonly spreads through phishing and social engineering tactics, often disguised as ordinary files or bundled with legitimate software. Infection vectors include malicious attachments or links in spam emails, deceptive downloads, backdoor/loader-type trojans, and fake software updates. Some malware can even self-propagate via local networks and removable storage devices.
Protection Measures
To protect against ransomware infections, vigilance is essential. Be cautious with incoming emails and messages, especially those with dubious attachments or links. Always download software from official and trustworthy sources and avoid using illegal activation tools or third-party updates. Keeping a reliable antivirus program updated and performing regular system scans can also help detect and remove threats like HorrorDead.
If your computer is infected with HorrorDead, run a scan with an updated anti-malware program to eliminate this ransomware and protect your system from further harm.