
Horsedeal Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 22
First Seen: January 11, 2012
Last Seen: July 5, 2022
OS(es) Affected: Windows

Malware analysts spot new ransomware threats on a daily basis. The barrier to entry for data-locking Trojans is rather low, because even cybercriminals with little to no experience can build and distribute such a threat with the help of one of the various ransomware building kits. One of the latest file-encrypting Trojans to emerge on the Web has been named the Horsedeal Ransomware.

Propagation and Encryption

The techniques involved in the propagation of the Horsedeal Ransomware are yet to be uncovered. Some cybersecurity researchers speculate that the authors of the threat may be utilizing malvertising campaigns, bogus pirated copies of popular software tools and media, torrent trackers, mass spam email campaigns, etc. Upon infiltrating a targeted machine, the Horsedeal Ransomware will trigger a scan of all the files present on the victim's system. Next, the targeted data will undergo the encryption process of the Horsedeal Ransomware. The Horsedeal Ransomware is likely targeting a wide variety of common file types: .jpeg, .jpg, .gif, .png, .doc, .docx, .ppt, .pptx, .rar, .xls, .xlsx, .mov, .mp3, .mp4, etc. This means that the majority of the files present on the victim's computer will be locked with the help of an encryption algorithm. When the Horsedeal Ransomware locks a file, it alters its name by appending a '.horsedeal' extension. This means that a file initially named 'kitten-paw.jpeg' will be renamed to 'kitten-paw.jpeg.horsedeal' and will no longer open.

The Ransom Note

The Horsedeal Ransomware drops a ransom note in a file called '#Decryption#.txt'. In the ransom message, the attackers fail to mention a specific ransom fee. Instead, they insist on being contacted via email or ICQ. The authors of the Horsedeal Ransomware give out their contact details as 'bigbosshorse@xmpp.jp' (email address) and 'bigbosshorse' (ICQ username). It is likely that users who contact the attackers will receive instructions on how to process the payment required.
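The two host-based indicators described in the sections above, the appended '.horsedeal' extension and the '#Decryption#.txt' ransom note, are enough for a quick post-infection triage. The following is an added example, not code from the threat database or from any vendor tool: it walks a directory tree, lists renamed files, tallies which original file types were hit, and records where the note was dropped. The sample tree it builds and all file names in it are constructed.

```python
# Added example, not code from the threat database entry: a defender-side
# triage of the Horsedeal indicators described above (files renamed with a
# trailing '.horsedeal' extension, ransom note '#Decryption#.txt').
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".horsedeal"
RANSOM_NOTE = "#Decryption#.txt"


def triage_horsedeal(root):
    """Walk `root` and collect Horsedeal indicators into a summary dict."""
    encrypted, note_dirs, original_ext = [], [], Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                # 'kitten-paw.jpeg.horsedeal' -> original name 'kitten-paw.jpeg';
                # tallying the original extension shows which file types were hit
                original = name[: -len(ENCRYPTED_SUFFIX)]
                original_ext[os.path.splitext(original)[1].lower() or "<none>"] += 1
    return {
        "encrypted_files": sorted(encrypted),
        "original_extensions": dict(original_ext),
        "ransom_note_dirs": sorted(note_dirs),
        "infected": bool(encrypted or note_dirs),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking a post-infection state."""
    root = tempfile.mkdtemp(prefix="horsedeal_sample_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Constructed file names: two encrypted files, one untouched file, the note
    for name in ("kitten-paw.jpeg.horsedeal", "report.docx.horsedeal",
                 "notes.txt", RANSOM_NOTE):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("constructed sample content\n")
    with open(os.path.join(root, "budget.xlsx.horsedeal"), "w") as fh:
        fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    print(triage_horsedeal(build_sample_tree()))
```

Point `triage_horsedeal` at a user profile or file share to get a list of affected paths for restore-from-backup work; the original extension tally doubles as a quick check that the file types listed above are the ones actually touched.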

We would advise you against contacting cybercriminals. Most victims of data-locking Trojans never receive the decryption tool promised to them, even if they pay the ransom fee demanded. You should consider investing in an anti-virus software suite that will remove the Horsedeal Ransomware from your machine and ensure your safety in the future.
