Bkqfmsahpt Ransomware Expands Family of Snatch Clones

A new ransomware called Bkqfmsahpt was spotted in the wild. The new variant belongs to the Snatch family of ransomware clones.

Bkqfmsahpt ransomware will encrypt almost every file on the victim's system and then deposit its ransom demands inside a plain text file. Encrypted files go through a simple name change - the ransomware appends the ".Bkqfmsahpt" extension to encrypted files.

Affected file types include media files, documents, archive files and databases.

Once the encryption process completes, the ransomware drops its ransom note in a file named "HOW TO RESTORE YOUR FILES.TXT". The ransom note reads as follows:


All your files are encrypted!

Email me if you want to get your files back - I will do it very quickly!
Contact me by email:

datasto100 at tutanota dot com
restore_help at swisscows dot email

The subject line must contain an encryption extension or the name of your company!
Do not rename encrypted files, you may lose them forever.
You may be a victim of fraud. Free decryption as a guarantee.
Send us up to 3 files for free decryption.
The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.)

To contact us, we recommend that you create an email address at protonmail.com or tutanota.com
Because gmail and other public email programs can block our messages!

If you do not receive a response from us for a long time, check your spam folder.


Customer service TOX ID: [two alphanumeric strings]
Only emergency! Use if support is not responding

November 28, 2022