Gqlmcwnhh Ransomware Is a New Snatch Variant That Encrypts Files
Gqlmcwnhh is a newly discovered ransomware variant that belongs to the broader family of clones based on Snatch ransomware code.
The new variant was discovered in late 2022. Gqlmcwnhh encrypts almost every file on a victim system and renames each one by appending the ".gqlmcwnhh" extension, so a file originally called "photo.jpg" becomes "photo.jpg.gqlmcwnhh".
Once encryption completes and the files are no longer readable, the ransomware drops its demands in a plain-text file called "HOW TO RESTORE YOUR FILES.TXT". The note provides two contact email addresses and offers to decrypt up to three small files as proof that a working decryptor exists. During triage, leave the encrypted files and the note untouched: the appended extension, the note's file name and the contact addresses are the indicators to sweep other hosts and shares for.
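The two indicators described above (the ".gqlmcwnhh" extension and the "HOW TO RESTORE YOUR FILES.TXT" note) are enough for a read-only triage sweep of a host or mounted share. The following script is an added example, not code from the original page or from any vendor; it assumes only those two indicators, builds a small constructed directory tree for the demo run, and never renames or modifies anything it finds.

```python
import json
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".gqlmcwnhh"
RANSOM_NOTE = "HOW TO RESTORE YOUR FILES.TXT"


def is_encrypted_name(name: str) -> bool:
    """True if a file name carries the appended Gqlmcwnhh extension (case-insensitive)."""
    return name.lower().endswith(ENCRYPTED_EXT)


def original_name(name: str) -> str:
    """Strip the appended extension for reporting: 'photo.jpg.gqlmcwnhh' -> 'photo.jpg'.
    The file on disk is deliberately never renamed (the note warns this risks data loss)."""
    return name[:-len(ENCRYPTED_EXT)] if is_encrypted_name(name) else name


def sweep(root) -> dict:
    """Walk `root` read-only and summarise indicators of a Gqlmcwnhh infection."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            if is_encrypted_name(fname):
                encrypted.append(full)
            elif fname.upper() == RANSOM_NOTE:
                notes.append(full)
    # Which file types were hit (by the extension the file had before encryption).
    by_orig_ext = Counter(
        Path(original_name(p.name)).suffix.lower() or "(none)" for p in encrypted
    )
    return {
        "encrypted_count": len(encrypted),
        "by_original_extension": dict(by_orig_ext),
        "directories_hit": sorted({p.parent.relative_to(root).as_posix() for p in encrypted}),
        "ransom_notes": sorted(p.relative_to(root).as_posix() for p in notes),
        "infected": bool(encrypted) or bool(notes),
    }


def build_sample_tree(root) -> None:
    """Create a small constructed tree (not real victim data) for a demo run."""
    root = Path(root)
    (root / "Documents").mkdir(parents=True, exist_ok=True)
    (root / "Pictures").mkdir(parents=True, exist_ok=True)
    for rel in ("Documents/budget.xlsx", "Documents/notes.txt", "Pictures/photo.jpg"):
        (root / (rel + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)  # stand-in ciphertext
    (root / "Pictures" / "untouched.png").write_bytes(b"PNG")
    (root / "Documents" / RANSOM_NOTE).write_text("Hello!\nAll your files are encrypted ...\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir and return the sweep summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real mount point by calling `sweep("/mnt/share")` (or a drive letter on Windows); the summary tells you how many files were hit, which directories and file types, and where the note was dropped, without touching any of them.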
The Gqlmcwnhh ransom note in full reads as follows:
Hello!
All your files are encrypted, write to me if you want to return your files - I can do it very quickly!
Contact me by email:
Toni.morrison13 at tutanota dot com.com or Frank.Sinatra1010 at protonmail dot com
The subject line must contain an encryption extension or the name of your company!
Do not rename encrypted files, you may lose them forever.
You may be a victim of fraud. Free decryption as a guarantee.
Send us up to 3 files for free decryption.
The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.)
!!! Do not turn off or restart the NAS equipment. This will lead to data loss !!!
To contact us, we recommend that you create an email address at protonmail.com or tutanota.com
Because gmail and other public email programs can block our messages!
===========================================================
Customer service TOX ID: [two alphanumeric strings]
Only emergency! Use if support is not responding