Download the McTools release and extract the McDecryptor folder.
| Indicator | Description | |-----------|-------------| | File extension | .mcdecryptor , .[random].mcdecryptor | | Ransom note filename | _DECRYPT_README.txt , MCDECRYPTOR_INFO.hta | | Desktop wallpaper | Changed to a ransom message (common in older variants) | | Shadow copies deleted | vssadmin delete shadows /all /quiet executed | | Processes | Unusual mshta.exe or wscript.exe running from temp folders | mcdecryptor
After running the decryption process, MDECryptor may produce a decrypted string: test . Verify the decrypted string by comparing it to the original password or data. Download the McTools release and extract the McDecryptor