A new member of the Snatch ransomware family was found to corrupt data. Researchers warn of a threat called Mhcadd ransomware, which is designed to sneak into devices and encrypt the data saved on them.
Mhcadd is developed to follow standard ransomware patterns. Upon infiltrating a system, it launches a scan that detects the user-generated files. The ransomware also executes commands that alter the system Registry and establish its persistence.
Additionally, Mhcadd will attempt to prevent quick file recovery by deleting the Volume Shadow Copies.
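The two behaviours just described, Registry persistence and Volume Shadow Copy deletion, are the ones a defender can catch from process-creation telemetry before the encryption finishes. The following is an added example, not part of the original write-up and not code from the Mhcadd sample: it runs two detection rules over a handful of constructed process-creation records. The record format (ParentImage|Image|CommandLine), the process name "suspect.exe", and the exact command lines are assumptions; the write-up does not publish the commands Mhcadd issues, so the patterns cover the usual shadow-copy deletion and Run-key persistence commands.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class Hit(NamedTuple):
    rule: str
    parent: str
    image: str
    command_line: str


# Detection rules for the behaviours described in the write-up. The command
# lines Mhcadd actually uses are not published there; these patterns cover the
# common ways shadow copies are deleted and Run-key persistence is set, which
# is an assumption of this example rather than a fact about the sample.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.I,
    ),
    "run_key_persistence": re.compile(
        r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run(Once)?\b",
        re.I,
    ),
}


def parse_event(line: str) -> tuple[str, str, str]:
    """Split a 'ParentImage|Image|CommandLine' record (a constructed export format)."""
    parent, image, cmd = line.split("|", 2)
    return parent.strip(), image.strip(), cmd.strip()


def detect(events) -> list[Hit]:
    """Return one Hit per (event, rule) pair whose command line matches a rule."""
    hits: list[Hit] = []
    for line in events:
        parent, image, cmd = parse_event(line)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append(Hit(name, parent, image, cmd))
    return hits


# Constructed sample telemetry, not real logs. "suspect.exe" stands in for the
# ransomware binary, whose real name is not given in the write-up.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
    r"C:\Users\demo\suspect.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"C:\Users\demo\suspect.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"C:\Users\demo\suspect.exe|C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\demo\suspect.exe /f",
    r"C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]


def run_demo() -> list[Hit]:
    """Run the rules over the constructed events; three of the five should match."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"[{hit.rule}] parent={hit.parent} image={hit.image}")
        print(f"    {hit.command_line}")
```

The parent process is kept in each hit on purpose: a shadow-copy deletion launched by a backup agent is routine, while the same command launched from a user-profile executable, as in the constructed sample, is the pattern worth alerting on.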
Mhcadd targets files that could contain valuable information, such as databases, pictures, and archives. The threat will use a combination of advanced encryption algorithms to lock the detected files and prevent the user from accessing them.
As a final encryption step, Mhcadd renames the successfully locked files by adding the ".mhcadd" extension to them. For example, an archive named "templates.rar" will become "templates.rar.mhcadd".
Mhcadd won't encrypt any files that are essential for the regular operation of the OS. It will also leave untouched a text file called "HOW TO RESTORE YOUR FILES.TXT", which contains a ransom-demanding message explaining the situation to victims.
Upon completing the encryption process, Mhcadd will drop a ransom note that offers decryption software for sale.
Ransom Note Text:
“All your files are encrypted and only I can decrypt them.
My mail is
firstname.lastname@example.org or email@example.com
Write me if you want to return your files - I can do it very quickly!
Do not rename the encrypted files, because of this you can lose them forever!!!!!
To prove that we are not scammers and really can decrypt your files,
you can send three files for test decryption !!! (except databases, Excel and backups)
PLEASE DO NOT CREATE A NEW LETTER! RESPOND TO THE
LETTER TO THIS LETTER.
This will allow us to see all the history of the census in
one place and respond quickly to you.
!!! Do not turn off or restart the NAS equipment. This will result in data loss!!!”
Instead of naming a price for decryption, Mhcadd's ransom note instructs victims to contact the threat operators by email, at either firstname.lastname@example.org or email@example.com.
Additionally, victims are warned not to rename their files or turn off NAS equipment, as doing so will result in data loss.
Third-party decryption tools are not available for Mhcadd ransomware. The threat has yet to be fully analyzed, however, and flaws or vulnerabilities in its code could still allow researchers to develop a decryptor.
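The indicators above (the ".mhcadd" extension, the "HOW TO RESTORE YOUR FILES.TXT" note and the contact addresses inside it) are enough to scope an incident without touching the encrypted data. The following is an added example, not part of the original write-up: a read-only triage walk that lists the encrypted files, recovers their original names by stripping the appended extension, locates every copy of the note and extracts the email addresses from it so the variant can be confirmed. The directory layout it builds is constructed for the demonstration; the note body reuses the first lines quoted above.

```python
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".mhcadd"                      # extension Mhcadd appends (from the write-up)
RANSOM_NOTE = "HOW TO RESTORE YOUR FILES.TXT"  # note filename it leaves in place (from the write-up)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage(root: Path) -> dict:
    """Walk a tree and report Mhcadd indicators; encrypted files are never opened."""
    encrypted, notes, contacts = [], [], set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path.relative_to(root))
        elif path.name.upper() == RANSOM_NOTE:
            notes.append(path.relative_to(root))
            # the note is plain text, so it is safe to read for the contact addresses
            contacts.update(EMAIL_RE.findall(path.read_text(errors="replace")))
    return {
        "encrypted": sorted(p.as_posix() for p in encrypted),
        # "templates.rar.mhcadd" -> "templates.rar": the original name survives
        # intact under the appended extension, which is what lets you inventory
        # what was lost before any restore from backup
        "original_names": sorted(p.with_suffix("").as_posix() for p in encrypted),
        "notes": sorted(p.as_posix() for p in notes),
        "contacts": sorted(contacts),
    }


def build_sample_tree() -> Path:
    """Create a constructed directory layout mimicking an affected share (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="mhcadd_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "templates.rar.mhcadd").write_bytes(b"\x00" * 16)
    (root / "docs" / "report.docx.mhcadd").write_bytes(b"\x00" * 16)
    (root / "docs" / RANSOM_NOTE).write_text(
        "All your files are encrypted and only I can decrypt them.\n"
        "My mail is\n"
        "firstname.lastname@example.org or email@example.com\n"
    )
    (root / "readme.txt").write_text("untouched file\n")
    return root


def run_demo() -> dict:
    """Build the constructed tree and triage it."""
    return triage(build_sample_tree())


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Pointed at a real share, the same walk gives the count of affected files per directory and the set of contact addresses, which is what distinguishes this Snatch variant from others that use a different extension or note.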
In the meantime, victims are advised to refrain from contacting the threat operators as these criminals are not to be trusted. Practice shows that ransomware victims are often double-crossed by the attackers. There are numerous cases of victims who were ignored once the ransom was transferred.
Victims should also bear in mind that ransomware operators are not software engineers. These criminals lack the technical skills to offer support when an issue pops up.
Victims can use backups stored on external or cloud storage to recover their data. The ransomware must be removed before any such operation is attempted; otherwise, the threat will encrypt the connected backup device as well.
Ransomware threats are usually spread through standard tricks and techniques. From malicious emails and instant messages to advanced Trojans and corrupted installers, there are myriads of cyber traps.
Experts explain that the most common cause of ransomware infections is user fault and naivete. Criminals prey on reckless users who don't take the time to do their due diligence.
Good cyber hygiene, however, can prevent unwanted malware invasions. Users are strongly recommended to apply the best security practices diligently!