.Horon file virus is a ransomware (malicious software). It invisibly penetrates the machine and encrypts personal files that stored on computer disks. While encrypting, it renames all encrypted photos, documents and music so that they have the .horon file extension.
Files encrypted by .horon ransomware virus
Once installed, the Horon virus begins searching for attached disks and even networked disks containing web application-related files, music, images, documents, archives, videos and database. It can encrypt almost all types of files, including common as:
.xdl, .pef, .sis, .layout, .der, .dcr, .orf, .zif, .pptx, .x3f, .wpe, .xlgc, .wmo, .bik, .sid, .wn, .hvpl, .xld, .wsh, .pem, .0, .wbm, .xbplate, .hplg, .cer, .wp5, .wp4, .odb, .bkf, .wpd, .mddata, .t12, .zdb, .xyw, .xls, .rwl, .wbk, .webdoc, .tor, .zi, .fpk, .ysp, .arw, .rofl, .sql, .ods, .mlx, .yal, .itm, .flv, .mdbackup, .lrf, .mef, .mrwref, .wp, .dng, .xlsx, .kdc, .litemod, .xwp, .wbmp, .dbf, .wmd, .psk, .tax, .y, .p12, .wpb, .eps, .xll, .hkx, .p7c, .blob, .vpp_pc, .wav, .sb, .desc, .mpqge, .xlk, .mdf, .upk, .rw2, .xmind, .wpa, .wsc, .wotreplay, .odp, .ptx, .cdr, .ybk, .sidd, .m4a, .7z, .xmmap, .xy3, .kf, .ztmp, .syncdb, .wpt, .das, .crw, .ai, .slm, .bc7, .xxx, .icxs, .dxg, .jpe, .pfx, .ncf, .srw, .odt, .xbdoc, .sidn, .svg, .bkp, .fos, .rim, .xml, .xf, .bar, .ws, .3fr, .wbc, .mp4, .3ds, .itl, .doc, .py, .vpk, wallet, .vfs0, .nrw, .ltx, .forge, .sr2, .wma, .js, .pak, .rtf, .lvl, .sav, .qdf, .re4, .crt, .hkdb, .p7b, .wdb, .3dm, .wpw, .wot, .ppt, .x, .dazip, .mov, .cr2, .m2, .zip, .itdb, .wp6, .xyp, .x3d, .pdd, .yml, .wmv, .wma, .wmf, .vcf, .xlsm, .z3d, .gho, .xar, .m3u, .apk, .jpg, .wgz, .qic, .xls, .indd, .bsa, .wdp, .map, .bc6, .sie, .asset, .iwd, .ntl, .vdf, .cas, .db0, .xlsm, .gdb, .wbz, .sum, .ff, .mdb, .wps, .wire, .kdb, .pdf, .wpd, .w3x, .rb, .wps, .dwg, .pptm, .zabw, .wsd, .zip, .wm, .wri, .wb2, .zw, .odc, .esm, .xlsx, .png, .mcmeta, .zdc, .vtf, .srf, .d3dbsp, .wpl, .dba, .erf, .psd, .wbd, .t13, .wp7, .cfr, .pkpass, .webp, .x3f, .raw, .arch00, .snx, .menu, .xx, .xpm, .wmv, .avi, .1st, .ibank, .rgss3a, .txt, .bay, .lbf, .epk, .docm
When encrypting a file it will add the .horon extension to each encrypted file name to identify that the file has been encrypted. For example, a file named sample.doc would be encrypted and renamed to sample.doc.horon.
When the encryption process is finished, the malicious software leaves a ransom note called ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all documents, photos and music. An example of the ransom demanding message is:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-BTtULebL7F Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | Horon, .Horon file virus |
| Type | File locker, Crypto malware, Filecoder, Crypto virus, Ransomware |
| Encrypted files extension | .horon |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch, gorentos@firemail.cc, @datarestore (telegram) |
| Ransom amount | $980, $490 in Bitcoins |
| Symptoms | Your documents, photos and music fail to open. Windows Explorer displays a blank icon for the file type. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom demanding message on your desktop. |
| Distribution ways | Spam mails that contain malicious links. Drive-by downloads from a compromised webpage. Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a malicious link). Torrent web pages. |
| Removal | To remove Horon ransomware use the removal guide |
| Decryption | To decrypt Horon ransomware use the steps |
We suggest you to remove .Horon file virus as quickly as possible, until the presence of the crypto virus has not led to even worse consequences. You need to follow the guide below that will allow you to completely remove Horon ransomware from your machine as well as recover encrypted photos, documents and music, using only few free tools.
Quick links
- How to remove Horon crypto virus
- How to decrypt .horon files
- Use STOPDecrypter to decrypt .horon files
- How to restore .horon files
- How to protect your PC system from Horon crypto virus?
- Finish words
How to remove Horon crypto virus
Is your Windows PC infected by ransomware virus? Then don’t worry, in the instructions listed below, we are sharing best malware removal tools which can be used to delete .Horon file virus and other malware from your personal computer for free.
Remove Horon ransomware virus with Zemana Free
Zemana Free is a tool that can remove .Horon ransomware virus, other malicious software, adware, trojans, worms from your system easily and for free. Zemana Free is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of computer resources.
Download Zemana Free on your Microsoft Windows Desktop from the link below.
159555 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is done, close all windows on your system. Further, open the setup file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as shown in the following example, click the “Yes” button.
It will open the “Setup wizard” that will assist you install Zemana Anti Malware (ZAM) on the PC. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, Zemana Anti Malware (ZAM) will automatically start and you may see its main window as displayed in the following example.
Next, press the “Scan” button for checking your computer for the Horon crypto malware, other kinds of potential threats such as malicious software and trojans. While the Zemana Anti Malware (ZAM) tool is checking, you may see number of objects it has identified as being infected by malicious software.
After Zemana has completed scanning your machine, you can check all items detected on your PC. When you’re ready, click “Next” button.
The Zemana Anti Malware (ZAM) will delete Horon crypto virus, other kinds of potential threats such as malicious software and trojans and add threats to the Quarantine. Once the cleaning process is finished, you can be prompted to restart your PC.
Use MalwareBytes Anti-Malware (MBAM) to remove .Horon file virus
You can remove .Horon file virus automatically with a help of MalwareBytes. We suggest this free malicious software removal tool because it can easily get rid of ransomware, adware, malware and other unwanted programs with all their components such as files, folders and registry entries.
MalwareBytes Anti Malware can be downloaded from the following link. Save it on your Desktop.
317686 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the downloading process is done, run it and follow the prompts. Once installed, the MalwareBytes AntiMalware (MBAM) will try to update itself and when this process is done, click the “Scan Now” button for checking your system for the .Horon file virus and other security threats. This task can take some time, so please be patient. Make sure all threats have ‘checkmark’ and press “Quarantine Selected” button.
The MalwareBytes is a free application that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malware removal utility, we advise you to read and follow the step-by-step guidance or the video guide below.
Remove .Horon file virus with KVRT
The KVRT tool is free and easy to use. It can scan and remove crypto virus such as Horon, malicious software, potentially unwanted apps, trojans, worms and spyware . KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the computer.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it to your Desktop so that you can access the file easily.
123950 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When downloading is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the KVRT screen as displayed below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next press Start scan button to search for .Horon file virus and other malicious software. This procedure can take quite a while, so please be patient. While the KVRT utility is scanning, you can see number of objects it has identified as being affected by malware.
After KVRT has finished scanning, Kaspersky virus removal tool will show you the results similar to the one below.
Next, you need to click on Continue to start a cleaning procedure.
How to decrypt .horon files
The Horon ransomware virus uses a strong encryption algorithm with long key. What does it mean to decrypt .Horon files is impossible without the private key. Use a “brute forcing” is also not a way because of the big length of the key. Therefore, unfortunately, the only payment to the creators of the Horon ransomware virus entire amount requested – the only way to try to get the decryption key and decrypt all your files.
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .horon personal files quickly. There is no guarantee that the authors of Horon ransomware will live up to the word and give back your photos, documents and music.
Files encrypted by .horon ransomware virus
With some variants of Horon file virus, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .horon files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.horon).
Please check the twitter post for more info.
How to restore .horon files
In some cases, you can recover files encrypted by Horon ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Recover .horon files with ShadowExplorer
In some cases, you have a chance to restore your files that were encrypted by the Horon ransomware. This is possible due to the use of the utility named ShadowExplorer. It is a free program that designed to obtain ‘shadow copies’ of files.
Please go to the link below to download the latest version of ShadowExplorer for Windows. Save it to your Desktop so that you can access the file easily.
419247 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When downloading is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder such as the one below.
Double click ShadowExplorerPortable to launch it. You will see the a window like below.
In top left corner, select a Drive where encrypted documents, photos and music are stored and a latest restore point as displayed in the following example (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export as displayed in the following example.
Run PhotoRec to recover .horon files
Before a file is encrypted, the Horon crypto malware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore programs like PhotoRec.
Download PhotoRec on your Windows Desktop by clicking on the link below.
When the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the screen below.
Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen as displayed in the following example.
Select a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown below.
Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is complete, click OK button.
Next, click Browse button to choose where recovered documents, photos and music should be written, then press Search.
Count of restored files is updated in real time. All recovered files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is complete, press on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed in the following example.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC system from Horon crypto virus?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your system does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from Horon ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the following page to download the latest version of HitmanPro Alert for Windows. Save it on your Microsoft Windows desktop.
When downloading is finished, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is opened, you’ll be shown a window where you can choose a level of protection, as shown in the following example.
Now click the Install button to activate the protection.
Finish words
Now your PC should be clean of the Horon ransomware. Delete Kaspersky virus removal tool and MalwareBytes Free. We suggest that you keep Zemana Anti Malware (ZAM) (to periodically scan your machine for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to get rid of Horon crypto virus from your computer, then ask for help here.
I tried to decrypted .horon file with STOPDecrypter but not success. Any solution?