HorseDeal ransomware exploits the newly discovered vulnerability in Microsoft Windows CryptoAPI's (Crypt32.dll) verification procedure fro Elliptic Curve Cryptography (ECC) certificates.This vulnerability is also know as Curveball or Chain of Fools Vulnerability. The sample uses a filename of a genuine AV vendor's process. Given explicit trust associated with signing certificates, the ransomware also exploited CVE-2020-0601 to spoof a signing certificate claiming to be issued by "Microsoft ECC TS Root Certificate Authority 2018". Once executed it check for user language if it is from Kazakh, Belarusian, Kyrgyz, Tatar, Azerbaijani, Armenian, Tajik. It remove itself for the machine, it not, it encrypt user data.