This article explains what the .MAFIA file ransomware is, how to remove it from your computer, and how you can try to recover the files it has encrypted.
A relatively new ransomware infection, which appends the .MAFIA file extension to the files it encrypts, has been reported by security researchers to be infecting computers, primarily in Korea. The ransomware uses a Tor proxy to communicate with its command-and-control (C2) server and is described as a unique variant rather than a spin-off of a known family. Its primary goal is to encrypt the victim's files, append the .MAFIA extension to them, and leave behind a ransom note with instructions on how to pay a hefty ransom to recover the encrypted files.
| Short Description | Infects computers and holds the victim's files hostage until a ransom is paid. |
| Symptoms | Encrypted files carry the .MAFIA file extension; a Korean-language ransom note named information.mafia is left behind. |
| Distribution Method | Spam e-mails, e-mail attachments, executable files |
How Does .MAFIA Ransomware Infect PCs
The .MAFIA ransomware is believed to be distributed primarily via e-mail messages that carry the infection file. It may arrive as an e-mail attachment posing as a legitimate document, such as:
- An invoice.
- An order receipt.
- Banking statement.
- Some kind of report.
Either way, the e-mail usually asks the victim to open the attached document, and opening it may start the infection through obfuscated activity designed to evade the built-in defenses of Microsoft Windows.
The ransomware may also be uploaded to the web disguised as useful programs, such as:
- Setups of software.
- Online license activators.
- Key generators.
MAFIA Ransomware – Analysis
The MAFIA ransomware first drops its payload files on the victim's computer. The main malicious file (IOC) of MAFIA ransomware has been identified with the following hash:
→ MD5: da23c8a7be5d83ae3e6b7b3291fdb880
The malicious files of MAFIA ransomware may also be dropped in the following Windows Directories:
Once its files are dropped, MAFIA ransomware may stop the AppCheck service (AppCheck is an anti-ransomware product from the Korean vendor CheckMAL, which fits the Korean targeting) by running the following command from an elevated Windows Command Prompt on the compromised machine. Note that stopping a service requires the SERVICE_STOP right, which a standard user normally does not have for a security product's service: if the ransomware is not running with administrative privileges, the command fails with "Access is denied" and AppCheck keeps running.
→ sc stop AppCheck
In addition, the ransomware may stop database processes so that it can encrypt database files that would otherwise be held open and locked by the running database engine.
Furthermore, the author is likely from Korea: researcher BartBlaze reported that the sample contains a leftover debug path mentioning the name "Jinwoo" in Korean, which may be an indicator of origin.
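Because both the service stop and the database shutdown are carried out through ordinary Windows command lines, they are a good detection opportunity. The following Python snippet is an added example, not code from the original article or from the malware analysis: it runs a small rule set over constructed process-creation events (Sysmon Event ID 1 style, not real telemetry) and flags `sc stop`/`net stop`/`taskkill` commands aimed at the AppCheck service or at database services and processes. The database names (MSSQLSERVER, sqlservr.exe and so on) are assumptions, since the article only says "database processes" without naming them. A burst of such commands from one parent executable is scored higher than a single stop.

```python
import re
from collections import defaultdict

# Service the article reports MAFIA stopping ("sc stop AppCheck").
PROTECTED_SERVICES = {"appcheck"}
# Assumed database service and process names (common defaults; the article
# only says "database processes" without naming them).
DB_SERVICES = {"mssqlserver", "mysql", "mysql80", "postgresql", "oracleservicexe"}
DB_PROCESSES = {"sqlservr.exe", "mysqld.exe", "postgres.exe", "oracle.exe"}

# Command-line shapes that stop a service or kill a process on Windows.
# The optional leading path lets "C:\Windows\System32\sc.exe stop X" match too.
STOP_PATTERNS = [
    ("sc_stop",  re.compile(r"^\s*(?:\S*\\)?sc(?:\.exe)?\s+stop\s+(\S+)", re.I)),
    ("net_stop", re.compile(r"^\s*(?:\S*\\)?net(?:\.exe)?\s+stop\s+(\S+)", re.I)),
    ("taskkill", re.compile(r"^\s*(?:\S*\\)?taskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.I)),
]

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Users\kim\AppData\Local\Temp\invoice.exe",
     "cmdline": "sc stop AppCheck"},
    {"host": "WS01", "parent": r"C:\Users\kim\AppData\Local\Temp\invoice.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "WS01", "parent": r"C:\Users\kim\AppData\Local\Temp\invoice.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "sc query AppCheck"},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net stop Spooler"},
]


def classify(cmdline):
    """Return (kind, target, reason) for a stop/kill command line, or None if the
    command line is not a stop/kill at all. reason is None for benign targets."""
    for kind, pat in STOP_PATTERNS:
        m = pat.search(cmdline)
        if not m:
            continue
        target = m.group(1).strip('"').lower()
        if kind in ("sc_stop", "net_stop"):
            if target in PROTECTED_SERVICES:
                return kind, target, "security product disabled"
            if target in DB_SERVICES:
                return kind, target, "database service stopped"
        elif target in DB_PROCESSES:
            return kind, target, "database process killed"
        return kind, target, None
    return None


def detect(events):
    """Flag interesting stop/kill events and group them by (host, parent) so that
    several such commands from one binary, the typical ransomware pre-encryption
    setup, are scored as high severity together."""
    findings = []
    per_parent = defaultdict(list)
    for ev in events:
        c = classify(ev["cmdline"])
        if c is None or c[2] is None:
            continue
        kind, target, reason = c
        findings.append({"host": ev["host"], "parent": ev["parent"],
                         "cmdline": ev["cmdline"], "kind": kind,
                         "target": target, "reason": reason})
        per_parent[(ev["host"], ev["parent"])].append(target)
    for f in findings:
        burst = len(per_parent[(f["host"], f["parent"])]) >= 2
        f["severity"] = "high" if burst or f["reason"] == "security product disabled" else "medium"
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["reason"], "<-", f["cmdline"])
```

In the sample, the three commands launched from the temporary `invoice.exe` on WS01 are all reported as high severity, while the `sc query` and the print-spooler stop on WS02 are ignored. In a real deployment the parent-image field is the most useful pivot: a legitimate administrator stops a database from a console or a management tool, not from an executable in a user's Temp folder.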
MAFIA Ransomware – Encryption Process
MAFIA ransomware performs its encryption with the OpenSSL library, using AES-256 (the Advanced Encryption Standard with a 256-bit key) in CBC (Cipher Block Chaining) mode. In CBC mode each 16-byte plaintext block is XORed with the previous ciphertext block before it is encrypted, so the blocks within a single file are chained together; the chain starts afresh for every file and does not link files to one another. A consequence is that corrupting one ciphertext block of a file damages that block and the one that follows it, while the rest of that file and all other files still decrypt normally. Without the key held by the attackers, however, AES-256 cannot be broken by brute force, so the files cannot simply be decrypted.
Before encrypting, MAFIA ransomware scans the computer for files with the extensions it targets and then encrypts them. The following file types may be encrypted if present on your computer:
→ .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .csv, .dac, .db-journal, .db3, .dbf, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .java, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nx1, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rw1, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .xll, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv, .zip, .alz, .jar, .png, .bmp, .a00, .gif, .egg
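To make the scope of CBC chaining concrete, here is an added example, not code from the article or from the ransomware: a pure-Python CBC implementation that encrypts two separate "files" under one 256-bit key with a fresh random IV per file, flips one bit in the ciphertext of the first file and reports which plaintext blocks are affected. Because the Python standard library has no AES, the block cipher is a 4-round Feistel construction built on SHA-256, a stand-in chosen only so the script runs without third-party packages; it is not AES and must not be used for real encryption. The CBC and PKCS#7 padding logic around it is the same as OpenSSL's.

```python
import hashlib
import os

BLOCK = 16  # AES block size; CBC chains ciphertext in 16-byte blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(key, block):
    """4-round Feistel network on one 16-byte block. A stand-in for AES so the
    script runs with the standard library only: NOT AES, NOT for real use."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def pad(data):  # PKCS#7, the padding OpenSSL's enc uses
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first one) before the block cipher is applied."""
    out, prev = [], iv
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_raw(key, iv, ciphertext):
    """Inverse of cbc_encrypt, padding left in place so damage can be inspected."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def encrypt_file(key, plaintext):
    """One file = fresh random IV followed by the CBC ciphertext; the chain
    starts over for every file, so files are independent of one another."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_file(key, blob):
    return unpad(cbc_decrypt_raw(key, blob[:BLOCK], blob[BLOCK:]))


def corruption_scope():
    """Flip one bit in ciphertext block 2 of file A and report which plaintext
    blocks of A are damaged and whether file B still decrypts."""
    key = b"\x11" * 32            # 256-bit key, fixed here only for reproducibility
    doc_a = bytes(range(96))      # 6 full blocks; padding adds a 7th
    doc_b = b"second document, independent of the first"
    blob_a, blob_b = encrypt_file(key, doc_a), encrypt_file(key, doc_b)
    tampered = bytearray(blob_a)
    tampered[BLOCK + 2 * BLOCK + 5] ^= 0x01          # skip the IV, hit block 2
    raw = cbc_decrypt_raw(key, bytes(tampered[:BLOCK]), bytes(tampered[BLOCK:]))
    expected = pad(doc_a)
    damaged = [i for i in range(len(expected) // BLOCK)
               if raw[i * BLOCK:(i + 1) * BLOCK] != expected[i * BLOCK:(i + 1) * BLOCK]]
    return {"damaged_blocks_in_a": damaged,                  # [2, 3]
            "total_blocks_in_a": len(expected) // BLOCK,     # 7
            "b_intact": decrypt_file(key, blob_b) == doc_b}  # True


if __name__ == "__main__":
    print(corruption_scope())
```

Only blocks 2 and 3 of the tampered file are lost (block 2 decrypts to garbage, block 3 has a single flipped byte), the remaining five blocks and the whole second file are untouched. That is the practical meaning of "chaining" in CBC: damage stays inside one file and propagates one block forward, no further.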
Encrypting every targeted file on a disk takes time, because each file has to be read, encrypted and written back, so if you notice files being renamed with the .MAFIA extension, powering off the computer immediately can halt the process and spare the files that have not yet been reached. Be aware that a file that was being encrypted at that moment may be left partially overwritten, and that powering off also discards volatile memory that an investigator might otherwise have captured.
After the files are encrypted, this variant of MAFIA ransomware creates a ransom note written entirely in Korean and named information.mafia.
The encrypted files are renamed by appending the .MAFIA extension to the original file name, so that, for example, a file called report.docx becomes report.docx.MAFIA.
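Once an infection is suspected, the first thing a responder wants is the scope: how many files carry the .MAFIA extension, what they were originally, and where the notes landed. The following Python script is an added example, not from the article: it builds a constructed sample directory tree (a few zero-filled placeholder files standing in for encrypted documents, not real encrypted data), then walks it to count encrypted files by their original extension, find information.mafia notes and list the affected folders. Point `triage()` at a real drive to get the same summary for an actual incident.

```python
import os
import shutil
import tempfile
from collections import Counter

ENC_EXT = ".mafia"                 # extension the article reports being appended (matched case-insensitively)
NOTE_NAME = "information.mafia"    # ransom note file name from the article


def build_sample_tree():
    """Constructed sample tree, not a real infection: placeholder zero-filled
    'encrypted' files, two ransom notes and one untouched file."""
    root = tempfile.mkdtemp(prefix="mafia_triage_")
    files = {
        os.path.join("Documents", "report.docx.MAFIA"): b"\x00" * 64,
        os.path.join("Documents", "budget.xlsx.MAFIA"): b"\x00" * 64,
        os.path.join("Documents", NOTE_NAME): b"(ransom note placeholder)",
        os.path.join("Pictures", "holiday.jpg.MAFIA"): b"\x00" * 64,
        os.path.join("Pictures", NOTE_NAME): b"(ransom note placeholder)",
        os.path.join("Pictures", "readme.txt"): b"not encrypted",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


def triage(root):
    """Walk a tree and summarise the blast radius of a .MAFIA infection."""
    encrypted, notes = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:          # note is checked first: it also ends in .mafia
                notes.append(full)
            elif name.lower().endswith(ENC_EXT):
                encrypted.append(full)
    # Strip ".MAFIA", then take whatever extension is left as the original one.
    original_ext = Counter(
        os.path.splitext(os.path.splitext(p)[0])[1].lower() or "(none)" for p in encrypted)
    return {
        "encrypted_files": len(encrypted),
        "by_original_extension": dict(original_ext),
        "ransom_notes": len(notes),
        "affected_dirs": sorted({os.path.relpath(os.path.dirname(p), root) for p in encrypted}),
    }


def run_demo():
    """Build the constructed tree, triage it and clean up."""
    root = build_sample_tree()
    try:
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The per-extension breakdown is what tells you whether backups are needed for databases and documents only or for media too, and the list of folders with notes is a quick check on how far the encryption loop got before it was stopped.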
Remove MAFIA Ransomware and Restore .MAFIA Files
To remove this version of MAFIA ransomware, follow the removal instructions below. They are divided into manual and automatic removal steps, written to be as effective as possible. If you want to remove the ransomware but lack the malware-removal experience to do it by hand, security experts strongly advise performing the removal automatically with an advanced anti-malware program.
If your files have been encrypted by MAFIA ransomware, follow the alternative file-recovery methods in step "2. Restore files encrypted by MAFIA ransomware" below. They are intended to help you recover as many encrypted files as possible if the damage has already been done.