.MAFIA Files Virus – How to Remove + Recover Data

This article has been created with the main purpose of explaining what the .MAFIA file ransomware is, how to remove it from your computer, and how you can try to recover the files it has encrypted.

A relatively new ransomware infection, which appends the .MAFIA file extension to the files it encrypts, has been reported by security researchers to infect computers, primarily in Korea. The ransomware uses a Tor proxy to communicate with its C2 server and is a unique ransomware variant. Its primary goal is to encrypt the victim's files, add the .MAFIA file extension to them and leave behind a ransom note file with instructions on how to pay a hefty ransom in order to recover the encrypted files.

Threat Summary

Name: MAFIA
Type: Ransomware, Cryptovirus
Short Description: Infects computers and then holds them hostage until a ransom has been paid.
Symptoms: Files have the .MAFIA file extension.
Distribution Method: Spam Emails, Email Attachments, Executable files

How Does .MAFIA Ransomware Infect PCs

The .MAFIA file ransomware is believed to be distributed primarily via e-mail messages that carry its infection file. The ransomware may arrive as an e-mail attachment posing as a legitimate document, such as:

  • An invoice.
  • An order receipt.
  • Banking statement.
  • Some kind of report.

Either way, the e-mail usually asks the victim to check the document, and upon opening it the infection may commence via different types of obfuscated activities designed to evade Microsoft Windows's defenses.

In addition, the ransomware may also be uploaded to the web while posing as different types of useful programs, such as:

  • Setups of software.
  • Patches.
  • Cracks.
  • Online license activators.
  • Key generators.

MAFIA Ransomware – Analysis

The MAFIA ransomware is the type of malware that first drops its payload files on the user's computer. The main malicious file (IOC) of MAFIA ransomware has been detected to have the following properties:

→ MD5: da23c8a7be5d83ae3e6b7b3291fdb880
SHA1: 419a00476e229f4b2fc85ffd54ed1e32b03c069d
SHA256: d6dee35981698416804548185f09af9c27987a0423e35bffd5b543c50fb9b5e3

The malicious files of MAFIA ransomware may also be dropped in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
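The hashes and drop directories above are enough to build a simple host triage check. The following Python script is an added example, not the article's or the malware's code: it hashes every readable file under a directory against the IOC hashes listed in the article, and flags the ransom note name (information.mafia) and files carrying the appended .MAFIA extension. The mapping of the article's %AppData%, %Local%, %LocalLow% and %Roaming% shorthand to the real APPDATA and LOCALAPPDATA environment variables is an assumption. The demo_scan() function runs the scanner over a constructed directory tree so the result can be checked offline.

```python
"""Host triage helper for the MAFIA indicators listed above (added example, not the article's code)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# Payload hashes as given in the article.
MAFIA_IOC_HASHES = {
    "md5": "da23c8a7be5d83ae3e6b7b3291fdb880",
    "sha1": "419a00476e229f4b2fc85ffd54ed1e32b03c069d",
    "sha256": "d6dee35981698416804548185f09af9c27987a0423e35bffd5b543c50fb9b5e3",
}
RANSOM_NOTE_NAME = "information.mafia"   # ransom note file name from the article
ENCRYPTED_SUFFIX = ".mafia"               # extension appended to encrypted files


def default_drop_dirs() -> List[str]:
    """Assumed mapping of the article's %AppData%, %Local%, %LocalLow%, %Roaming%
    and %Temp% shorthand to the real Windows environment variables."""
    local = os.environ.get("LOCALAPPDATA")
    candidates = [
        os.environ.get("APPDATA"),                                 # ...\AppData\Roaming
        local,                                                     # ...\AppData\Local
        os.path.join(local, "..", "LocalLow") if local else None,  # ...\AppData\LocalLow
        os.environ.get("TEMP"),
    ]
    return [os.path.normpath(c) for c in candidates if c and os.path.isdir(c)]


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs: Dict[str, str] = MAFIA_IOC_HASHES) -> List[str]:
    """Names of the hash algorithms under which `data` matches a known IOC (empty list = no match)."""
    digests = hash_bytes(data)
    return [algo for algo, hexdigest in digests.items() if iocs.get(algo, "").lower() == hexdigest]


def classify_name(filename: str) -> Optional[str]:
    """Flag the ransom note and files carrying the appended extension; None for anything else."""
    lowered = filename.lower()
    if lowered == RANSOM_NOTE_NAME:
        return "ransom_note"
    if lowered.endswith(ENCRYPTED_SUFFIX):
        return "encrypted_file"
    return None


def scan_directory(root: str, iocs: Dict[str, str] = MAFIA_IOC_HASHES) -> Dict[str, List[str]]:
    """Walk `root`, hashing every readable file against the IOC set and flagging suspicious names."""
    findings: Dict[str, List[str]] = {"ioc_hash_match": [], "ransom_note": [], "encrypted_file": []}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            kind = classify_name(filename)
            if kind:
                findings[kind].append(path)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the triage
            if match_iocs(data, iocs):
                findings["ioc_hash_match"].append(path)
    return findings


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo_scan() -> Dict[str, int]:
    """Build a constructed directory tree, scan it and return the number of hits per category."""
    with tempfile.TemporaryDirectory() as root:
        roaming = os.path.join(root, "Roaming")
        os.makedirs(roaming)
        sample_payload = b"constructed stand-in for a dropped payload"
        _write(os.path.join(roaming, "information.mafia"), b"constructed ransom note")
        _write(os.path.join(roaming, "report.docx.MAFIA"), b"\x00" * 32)
        _write(os.path.join(roaming, "svc32.exe"), sample_payload)
        _write(os.path.join(roaming, "clean.txt"), b"unrelated file")
        # The IOC set is swapped for the hashes of the constructed payload so the demo matches offline.
        findings = scan_directory(root, iocs=hash_bytes(sample_payload))
        return {category: len(paths) for category, paths in findings.items()}


if __name__ == "__main__":
    for directory in default_drop_dirs():
        for category, paths in scan_directory(directory).items():
            for path in paths:
                print(f"{category}: {path}")
```

Run without arguments on a Windows host, the script walks the resolved drop directories and prints every hit. A hash match is conclusive for this sample only; a repacked build will have different hashes, so the ransom note and extension checks are the more durable indicators.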

Once the malicious files are dropped, MAFIA ransomware may stop the AppCheck service by running the following command in Windows Command Prompt as an administrator on the compromised machine:

→ sc stop AppCheck

In addition to this, the ransomware may also stop database processes so that it can encrypt active databases on the infected computers.
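Stopping a security product's service and then stopping database services is a pattern worth alerting on in process-creation telemetry. The following Python detector is an added example, not the article's code: it parses constructed process-creation records (timestamp, user, parent image, command line, a format assumed for the example), recognises `sc stop`, `net stop` and `taskkill /IM` commands, and grades the alert by what is targeted. AppCheck comes from the article; the database service and process names are assumed, commonly seen names, and a parent process running from a user-writable directory raises the severity.

```python
"""Detection logic for service-stopping commands such as `sc stop AppCheck` (added example)."""
import re
from typing import Dict, List, Optional

# Service the article names as stopped by the ransomware.
PROTECTED_SERVICES = {"appcheck"}
# Database services/processes a ransomware would stop to unlock database files (assumed, commonly seen names).
DATABASE_SERVICES = {"mssqlserver", "mysql", "postgresql", "oracleservice"}
DATABASE_PROCESSES = {"sqlservr.exe", "mysqld.exe", "postgres.exe", "oracle.exe"}

STOP_RE = re.compile(r"^(?:sc|net)(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.IGNORECASE)
KILL_RE = re.compile(r"^taskkill(?:\.exe)?\b.*?/IM\s+\"?([^\s\"]+)", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)

# Constructed process-creation records: timestamp | user | parent image | command line.
SAMPLE_EVENTS = r"""
2019-05-01T10:14:02Z|CORP\alice|C:\Users\alice\AppData\Roaming\svc32.exe|sc stop AppCheck
2019-05-01T10:14:03Z|CORP\alice|C:\Users\alice\AppData\Roaming\svc32.exe|net stop MSSQLSERVER /y
2019-05-01T10:14:04Z|CORP\alice|C:\Users\alice\AppData\Roaming\svc32.exe|taskkill /F /IM sqlservr.exe
2019-05-01T10:20:00Z|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|sc query AppCheck
2019-05-01T11:00:00Z|CORP\admin|C:\Windows\System32\cmd.exe|sc stop Spooler
2019-05-01T11:05:00Z|CORP\dba|C:\Windows\System32\cmd.exe|net stop MSSQLSERVER
""".strip()


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one pipe-delimited record; None for lines that do not have the four fields."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("timestamp", "user", "parent", "command"), (p.strip() for p in parts)))


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert for a service-stop or process-kill command, graded by what it targets."""
    command = event["command"].strip()
    match = STOP_RE.match(command) or KILL_RE.match(command)
    if not match:
        return None
    target = match.group(1)
    lowered = target.lower()
    from_user_dir = bool(USER_WRITABLE_RE.search(event["parent"]))
    if lowered in PROTECTED_SERVICES:
        severity, reason = "high", "security product service stopped"
    elif lowered in DATABASE_SERVICES or lowered in DATABASE_PROCESSES:
        # Routine maintenance from an admin shell is medium; the same command from AppData or Temp is high.
        severity = "high" if from_user_dir else "medium"
        reason = "database service/process stopped"
    elif from_user_dir:
        severity, reason = "low", "service stopped by process in user-writable directory"
    else:
        return None
    return {"timestamp": event["timestamp"], "target": target, "severity": severity, "reason": reason}


def detect(log_text: str) -> List[Dict[str, str]]:
    """Run every record through the rule set and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event:
            alert = evaluate(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the first three records (all from a binary in AppData\Roaming) come out high, the `sc query` and the administrator's `sc stop Spooler` produce nothing, and the DBA's `net stop MSSQLSERVER` from a normal shell is medium. Three high alerts from the same parent within seconds is the shape a response team wants to be paged on.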

Furthermore, the author is likely from Korea: researcher BartBlaze has reported that the ransomware carries a leftover debug path mentioning the name “Jinwoo” in Korean, which could be an indicator of its origin.

MAFIA Ransomware – Encryption Process

The encryption procedure of MAFIA ransomware is performed with OpenSSL, using the AES-256 algorithm, also known as the Advanced Encryption Standard with a 256-bit key. The cipher is used in CBC mode, which stands for Cipher Block Chaining. According to the author, this mode basically means that the encrypted files are tied together in a block chain and tampering with one file can result in permanent damage to all of the files.
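The following Python block is an added example that shows what CBC chaining actually does to encrypted data; it is not the ransomware's code, and the small Feistel cipher inside it is a stand-in for AES-256 so the block runs without third-party libraries (it is not a cipher for real use). It encrypts each file under its own random IV, flips one bit in one ciphertext block, and reports the state of every recovered plaintext block. The caveat a practitioner should take from it: chaining runs across the blocks within one file, not across files, so damaging one encrypted file does not affect the others, and within a file a damaged block costs that block plus the same bit position in the next block, while the rest still decrypts.

```python
"""CBC chaining demonstration (added example). The Feistel cipher below stands in for AES-256
so the block runs stand-alone; it is not the ransomware's code and not for real use."""
import hashlib
import hmac
import os
from typing import List

BLOCK = 16
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed PRF for one Feistel round: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    # PKCS#7: always add 1..16 bytes so the last block is unambiguous.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, previous = [], iv
    for i in range(0, len(padded), BLOCK):
        previous = block_encrypt(key, _xor(padded[i:i + BLOCK], previous))  # C_i = E(P_i xor C_{i-1})
        out.append(previous)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, previous = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, block), previous))  # P_i = D(C_i) xor C_{i-1}
        previous = block
    return b"".join(out)


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """Each file gets its own random IV, stored in front of its ciphertext (a common layout)."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pad(plaintext))


def decrypt_file(key: bytes, blob: bytes) -> bytes:
    return unpad(cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:]))


def corruption_effect(key: bytes, plaintext: bytes, damaged_block: int, flip_mask: int = 0x01) -> List[str]:
    """Flip one bit in ciphertext block `damaged_block`, decrypt, and report the state of each plaintext block."""
    padded = pad(plaintext)
    iv = os.urandom(BLOCK)
    ciphertext = bytearray(cbc_encrypt(key, iv, padded))
    ciphertext[damaged_block * BLOCK] ^= flip_mask
    recovered = cbc_decrypt(key, iv, bytes(ciphertext))
    expected_flip = bytes([flip_mask]) + bytes(BLOCK - 1)
    report = []
    for i in range(0, len(padded), BLOCK):
        original, got = padded[i:i + BLOCK], recovered[i:i + BLOCK]
        if got == original:
            report.append("intact")
        elif _xor(got, original) == expected_flip:
            report.append("bit-flipped")   # block after the damaged one: same bit flipped, rest intact
        else:
            report.append("garbled")       # the damaged block itself decrypts to noise
    return report


if __name__ == "__main__":
    demo_key = b"\x11" * 32  # constructed key; a real sample would carry or fetch its own
    print(corruption_effect(demo_key, b"constructed file contents " * 2, damaged_block=1))
```

For a four-block file with block 1 damaged, the report is intact, garbled, bit-flipped, intact. Two encryptions of the same content under the same key also produce different blobs because each file carries its own IV, which is why damage to one .MAFIA file has no effect on any other.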

Before encrypting files, MAFIA ransomware may first scan for the files to be encrypted and then encode them. As a result, the MAFIA ransomware virus may successfully encrypt the following file types if they are present on your computer:

→ .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .csv, .dac, .db-journal, .db3, .dbf, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .java, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nx1, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rw1, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .xll, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv, .zip, .alz, .jar, .png, .bmp, .a00, .gif, .egg

The encryption process is not a fast one because of the OpenSSL routines used by MAFIA ransomware, so if you notice that your files have started being encrypted, you can halt the process by immediately shutting down your PC.

After the files are encrypted by this variant of MAFIA ransomware, the virus creates a ransom note, written entirely in Korean and named information.mafia:

The encrypted files are also appended with the .MAFIA extension and appear like the following:

Remove MAFIA Ransomware and Restore .MAFIA Files

If you want to remove this version of the MAFIA ransomware virus, we recommend that you follow the removal instructions underneath. They are divided into manual and automatic removal instructions, with the main goal of being as effective as possible. If you want to remove this ransomware from your computer but lack the malware removal experience to do it manually, security experts strongly advise performing the removal automatically with the aid of advanced anti-malware software.

If your files have been encrypted by the MAFIA ransomware virus, we recommend that you follow the alternative file recovery methods in step “2. Restore files, encrypted by MAFIA ransomware” underneath. They have been created to help you try to recover as many encrypted files as possible if the damage has already been done.


To remove MAFIA, follow these steps:

1. Boot your PC in Safe Mode to isolate and remove MAFIA files and objects
2. Find files created by MAFIA on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to restore files encrypted by MAFIA

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
