Mhcadd Ransomware
The Mhcadd Ransomware is a new variant spawned from the Snatch Ransomware family. It doesn't display any meaningful deviations compared to the other variants of the Snatch Ransomware family, apart from the hackers' email addresses and the unique extension for the encrypted files.
When the Mhcadd Ransomware infects a computer, it will proceed to encrypt the user's private and business files in the background sneakily. The threat will append '.Mhcadd' as an extension to the original name of every affected file. It delivers a ransom note with instructions in the form of text files named 'HOW TO RESTORE YOUR FILES.TXT.' These files will be dropped in all folders that contain encrypted files.
According to the instructions, victims of the Mhcadd Ransomware are told to initiate communication by sending a message to either one of the two provided email addresses - 'davidlewis185232@rape.lol' and 'iamcanhelpyou@tuta.io.' The criminals allow for three files to be attached that will be decrypted for free. These files shouldn't be Excel, backups or databases. The ransom note doesn't mention any specific amount for the ransom or if the money will have to be paid in one of the popular cryptocurrencies.
The full text of the instructions found in the 'HOW TO RESTORE YOUR FILES.TXT' files is:
'!!!Hello!!!
All your files are encrypted and only I can decrypt them.
My mail is
davidlewis185232@rape.lol or iamcanhelpyou@tuta.io
Write me if you want to return your files - I can do it very quickly!
Attention!
Do not rename the encrypted files, because of this you can lose them forever!!!!!
To prove that we are not scammers and really can decrypt your files,
you can send three files for test decryption !!! (except databases, Excel and backups)
PLEASE DO NOT CREATE A NEW LETTER! RESPOND TO THE
LETTER TO THIS LETTER.
This will allow us to see all the history of the census in
one place and respond quickly to you.
!!! Do not turn off or restart the NAS equipment. This will result in data loss!!!'
