Scarab-Horsuke Ransomware

What is Scarab-Horsuke Ransomware?

Scarab-Horsuke Ransomware is a malicious threat that can encipher various files created by the user. It can be recognized by the .horsia@airmail.cc extension appended to the end of the encrypted files and by the specific image with which it replaces the victim’s Desktop picture. Further in the article, we will tell you more about the malware and how it works, so if you came here to get to know this infection better, you should carefully read the rest of the text. Naturally, given that we do not recommend putting up with any demands, you will also find removal instructions at the end of this page. They explain how to get rid of Scarab-Horsuke Ransomware step by step. Of course, if you need more help with its deletion or wish to ask something else about the malicious program, you can leave us a comment at the end of the article too.

Where does Scarab-Horsuke Ransomware come from?

Our researchers at Anti-spyware-101.com confirm the malware comes from the Scarab Ransomware family. Another thing we managed to find out is that Scarab-Horsuke Ransomware might sneak in after the user opens an infected email attachment. This is why users who receive a lot of spam or other emails on a daily basis are advised to keep a legitimate antimalware tool with which they can quickly scan any files that raise suspicion. This could stop you from infecting the computer accidentally, as malicious email attachments might be disguised as text documents, pictures, and other types of data most of us would not consider harmful. Besides, there is a chance that in some cases the malicious program might get in by exploiting the computer’s vulnerabilities. Therefore, to be safe, you should change weak passwords, download new versions of tools that could already be out of date, and so on.

How does Scarab-Horsuke Ransomware work?

At first, the malware should create a few files to settle in. For instance, to make the infected device load Scarab-Horsuke Ransomware’s ransom note with the operating system, the threat may create a randomly named value in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key. Our researchers say it does not drop any copies of its launcher, meaning the malware runs right from the directory where the victim downloaded and opened it. As explained earlier, the threat could be spread via malicious email attachments, so if you opened some suspicious file received via email before the computer got infected, it is probably the malicious program’s launcher.

Soon after being launched, Scarab-Horsuke Ransomware should start enciphering the user’s files. Afterward, such files should have an additional extension (e.g., document.docx.horsia@airmail.cc) and can no longer be opened. Right after this, the infection might replace the user’s Desktop picture with an image located in %USERPROFILE%. It shows a cartoon of a horse and a cybercriminal who sits on the horse and holds a single Bitcoin. The new desktop image should also contain short instructions on what to do to decrypt files. The full instructions can be found in HOW TO RECOVER ENCRYPTED FILES.TXT. This document might be placed in %USERPROFILE% at first, but later on, it could be scattered among all directories containing enciphered data. Of course, the ransom note states the user can get a decryption tool only if he pays a ransom, which should be a particular amount of Bitcoins. It looks like the user is supposed to email the cybercriminals to find out the price. Needless to say, we would recommend against it. Whatever these people might promise you, there are no guarantees they will hold up their end of the deal. Thus, instead of risking your savings, we would advise removing the malicious program.

How to eliminate Scarab-Horsuke Ransomware?

If you want to try to remove the malware manually, you should complete the steps located below this text. The given steps explain how to find and erase the files Scarab-Horsuke Ransomware created, one by one. Like any other infection, the threat can be eliminated with the help of an antimalware tool as well, so if you would like to use automatic features instead, do not hesitate to install a legitimate security tool of your choice.

Get rid of Scarab-Horsuke Ransomware

  1. Tap Windows key+E.
  2. Check the given folders one by one:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  3. Look for the malware’s launcher (file opened before the computer got infected), then right-click it and press Delete.
  4. Then check this location: %USERPROFILE%
  5. Find suspicious recently created files: one of them should be a randomly titled image and the other a text document (HOW TO RECOVER ENCRYPTED FILES.TXT); right-click each and press Delete.
  6. Remove the rest of the malware’s ransom notes (HOW TO RECOVER ENCRYPTED FILES.TXT).
  7. Press Windows key+R.
  8. Type Regedit and press Enter.
  9. Look for these two locations:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software
  10. Find a randomly named value and a key related to the malicious application (e.g., AvaTKzdJbWDBF); right-click each and select Delete.
  11. Leave Registry Editor.
  12. Empty Recycle bin.
  13. Restart the device.
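
The locations from the manual steps above can be inventoried before anything is deleted. The following read-only PowerShell triage script is an added example, not part of the original article; the extension, ransom note name and Run key path come from the page, while the 7-day look-back window, the image extension list and all variable names are assumptions.

```powershell
# Read-only triage for the Scarab-Horsuke artifacts this page names. Nothing is deleted.
$ext      = '.horsia@airmail.cc'                  # appended extension (from the page)
$noteName = 'HOW TO RECOVER ENCRYPTED FILES.TXT'  # ransom note name (from the page)
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$since    = (Get-Date).AddDays(-7)                # assumption: "recent" means the last 7 days
$imgExt   = '.bmp', '.jpg', '.jpeg', '.png'       # assumption: the page does not name the image format

# Encrypted files and ransom notes anywhere under the user profile.
$all       = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = @($all | Where-Object { $_.Name -like "*$ext" })
$notes     = @($all | Where-Object { $_.Name -eq $noteName })

# Launcher candidates: recently created files in the three folders from step 2.
$dropDirs = $env:TEMP, (Join-Path $env:USERPROFILE 'Desktop'), (Join-Path $env:USERPROFILE 'Downloads')
$drops = @($dropDirs | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
        Get-ChildItem -LiteralPath $_ -File -Force -ErrorAction SilentlyContinue } |
    Where-Object { $_.CreationTime -ge $since -and $_.Name -notlike "*$ext" -and $_.Name -ne $noteName })

# Recently created images in the profile root, plus the wallpaper currently set.
$images = @(Get-ChildItem -LiteralPath $env:USERPROFILE -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -and $imgExt -contains $_.Extension })
$wallpaper = (Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).WallPaper

# Every value under the Run key; NoteRef marks values whose command mentions the ransom note.
$run = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
$runValues = @(if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $cmd = [string]$run.GetValue($name)
        [pscustomobject]@{ Name = $name; NoteRef = ($cmd -like "*$noteName*"); Command = $cmd }
    } })

# Report.
"Encrypted files: $($encrypted.Count)    Ransom notes: $($notes.Count)"
"Directories with the most encrypted files:"
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize | Out-String
"Ransom notes:";                  $notes.FullName
"Recent files in drop folders:"
$drops | Sort-Object CreationTime | Select-Object CreationTime, FullName | Format-Table -AutoSize | Out-String
"Recent images in profile root:"; $images.FullName
"Current wallpaper: $wallpaper"
"HKCU Run values:";               $runValues | Format-List | Out-String
```

The script does not enumerate HKEY_CURRENT_USER\Software, so the randomly named key from step 10 still has to be reviewed in Registry Editor.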