HorseDeal ransomware exploits the newly discovered vulnerability in the Microsoft Windows CryptoAPI (Crypt32.dll) verification procedure for Elliptic Curve Cryptography (ECC) certificates. This vulnerability is also known as Curveball or the Chain of Fools vulnerability. The sample uses the filename of a genuine AV vendor's process. Given the explicit trust associated with signing certificates, the ransomware also exploited CVE-2020-0601 to spoof a signing certificate claiming to be issued by "Microsoft ECC TS Root Certificate Authority 2018". Once executed, it checks whether the user's language is Kazakh, Belarusian, Kyrgyz, Tatar, Azerbaijani, Armenian or Tajik. If so, it removes itself from the machine; if not, it encrypts the user's data.
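The spoofing described above works because the flawed check keyed trust on the ECC public point alone and ignored the curve parameters carried in the certificate's SubjectPublicKeyInfo (SPKI). The following is an added example, not code from the original page or from any vendor: a minimal DER parser that classifies an SPKI's EC parameters (named curve vs. explicit specifiedCurve), beside the point-only comparison that was exploitable and a hardened comparison that requires the whole SPKI to match and the curve to be named. All sample SPKI bytes are constructed placeholders (the public point is not a real P-256 point); the OID values are the standard ones.

```python
"""Added example: classify EC parameters in a DER SPKI and compare a presented
key against a trusted root key the safe way (full SPKI, named curve only)."""

# Contents octets of standard OIDs.
OID_ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # 1.2.840.10045.3.1.7
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")       # 1.2.840.10045.1.1

TAG_INTEGER, TAG_BIT_STRING, TAG_OCTET_STRING = 0x02, 0x03, 0x04
TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x05, 0x06, 0x30


def der_encode(tag, value):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def der_decode(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(value):
    """Split a constructed value into a list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_decode(value, pos)
        out.append((tag, child))
    return out


def parse_ec_spki(spki):
    """Return (parameter_kind, public_point_bytes) for an id-ecPublicKey SPKI."""
    tag, body, _ = der_decode(spki)
    if tag != TAG_SEQUENCE:
        raise ValueError("SPKI is not a SEQUENCE")
    parts = der_children(body)
    if len(parts) != 2 or parts[0][0] != TAG_SEQUENCE or parts[1][0] != TAG_BIT_STRING:
        raise ValueError("SPKI must be SEQUENCE { AlgorithmIdentifier, BIT STRING }")
    alg_parts = der_children(parts[0][1])
    if not alg_parts or alg_parts[0] != (TAG_OID, OID_ID_EC_PUBLIC_KEY):
        return "not-ec", None
    point = parts[1][1][1:]  # drop the unused-bits octet of the BIT STRING
    if len(alg_parts) < 2:
        return "absent", point
    ptag = alg_parts[1][0]
    kind = {TAG_OID: "named-curve",            # namedCurve
            TAG_SEQUENCE: "explicit-parameters",  # specifiedCurve (ECParameters)
            TAG_NULL: "implicit"}.get(ptag, "unknown")
    return kind, point


def vulnerable_key_match(trusted_spki, presented_spki):
    """Flawed logic: trust keyed on the public point only; curve parameters ignored."""
    return parse_ec_spki(trusted_spki)[1] == parse_ec_spki(presented_spki)[1]


def hardened_key_match(trusted_spki, presented_spki):
    """Accept only a byte-identical SPKI that names a standard curve."""
    kind, _ = parse_ec_spki(presented_spki)
    return kind == "named-curve" and trusted_spki == presented_spki


# Constructed placeholder point (0x04 || 64 zero bytes); not a real P-256 point.
SAMPLE_POINT = b"\x04" + bytes(64)


def build_spki(parameters, point=SAMPLE_POINT):
    alg = der_encode(TAG_SEQUENCE, der_encode(TAG_OID, OID_ID_EC_PUBLIC_KEY) + parameters)
    key = der_encode(TAG_BIT_STRING, b"\x00" + point)
    return der_encode(TAG_SEQUENCE, alg + key)


TRUSTED_ROOT_SPKI = build_spki(der_encode(TAG_OID, OID_PRIME256V1))

# Skeleton specifiedCurve ECParameters with constructed, meaningless field values;
# only the structure matters for classification.
EXPLICIT_PARAMS = der_encode(
    TAG_SEQUENCE,
    der_encode(TAG_INTEGER, b"\x01")                                           # version
    + der_encode(TAG_SEQUENCE, der_encode(TAG_OID, OID_PRIME_FIELD)
                 + der_encode(TAG_INTEGER, b"\x11"))                            # fieldID
    + der_encode(TAG_SEQUENCE, der_encode(TAG_OCTET_STRING, b"\x01")
                 + der_encode(TAG_OCTET_STRING, b"\x02"))                       # curve a, b
    + der_encode(TAG_OCTET_STRING, b"\x04\x00\x00")                            # base point
    + der_encode(TAG_INTEGER, b"\x0b"))                                        # order
PRESENTED_SPKI = build_spki(EXPLICIT_PARAMS)  # same point bytes, different parameters

if __name__ == "__main__":
    print(parse_ec_spki(TRUSTED_ROOT_SPKI)[0], parse_ec_spki(PRESENTED_SPKI)[0])
    print("vulnerable:", vulnerable_key_match(TRUSTED_ROOT_SPKI, PRESENTED_SPKI))
    print("hardened:", hardened_key_match(TRUSTED_ROOT_SPKI, PRESENTED_SPKI))
```

Run as a script it prints `named-curve explicit-parameters`, then `vulnerable: True` and `hardened: False`: the same public point with different parameters satisfies the point-only comparison but not the hardened one. A detection pipeline that inspects signed binaries can apply the same classification to the signer chain and flag any certificate whose EC parameters are not a named curve.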
HorseDeal Ransomware Signatures
Family: Exploit:Win32/CVE-2020-0601.D
MD5: 716c502ba250f742fc935b3cb223ca4a
SHA256: d6ab910259c9bc68196aeec3e9ff4864bada22738c02ecf5ada7912ced292d28