.MAFIA Files Virus – How to Remove + Recover Data


This article has been created with the main purpose of explaining what the .MAFIA file ransomware is, how to remove it from your computer, and how you can try to recover the files it has encrypted.

A relatively new ransomware infection, which appends the .MAFIA file extension to the files it encrypts, has been reported by security researchers to infect computers, primarily in Korea. The ransomware uses a Tor proxy to communicate with its C2 server and is a unique ransomware variant. Its primary goal is to encrypt the victim's files, add the .MAFIA file extension to them and leave behind a ransom note file with instructions on how to pay a hefty ransom in order to recover the encrypted files.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Infects computers and then holds them hostage until a ransom has been paid.
Symptoms: Files have the .MAFIA file extension.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Does .MAFIA Ransomware Infect PCs

The primary infection method of the .MAFIA file ransomware is believed to be e-mail carrying the infection file. The ransomware may arrive as an e-mail attachment that poses as a legitimate document, such as:

  • An invoice.
  • An order receipt.
  • Banking statement.
  • Some kind of report.

Either way, the victim is usually asked in the e-mail to check the document, and upon opening it the infection may commence via different types of obfuscated activity designed to evade Microsoft Windows's defenses.

In addition, the ransomware may also be uploaded online posing as different types of useful programs, such as:

  • Setups of software.
  • Patches.
  • Cracks.
  • Online license activators.
  • Key generators.

MAFIA Ransomware – Analysis

MAFIA ransomware is the type of malware which first drops its payload files on the user's computer. The main malicious file (IOC) of MAFIA ransomware has been detected with the following properties:

→ MD5: da23c8a7be5d83ae3e6b7b3291fdb880
SHA1: 419a00476e229f4b2fc85ffd54ed1e32b03c069d
SHA256: d6dee35981698416804548185f09af9c27987a0423e35bffd5b543c50fb9b5e3

The malicious files of MAFIA ransomware may also be dropped in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Once the malicious files are dropped, MAFIA ransomware may stop the AppCheck service by running the following command in Windows Command Prompt as an administrator on the compromised machine:

→ sc stop AppCheck

In addition, the ransomware may also stop database processes so that it can encrypt active databases on the infected computer.
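Stopping a security service with `sc stop` is a step a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from any researcher it cites: it parses command lines, recognizes an `sc.exe stop <service>` invocation regardless of path, quoting, `.exe` suffix or letter case, and raises a hit when the stopped service is on a watch list. AppCheck is the only service the article names; the watch list, the `ServiceStop` type and the sample command lines are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ServiceStop records one "sc stop <service>" found in a process-creation log.
type ServiceStop struct {
	Service     string
	CommandLine string
}

// StoppedService returns the service name when cmdline invokes sc.exe with the
// "stop" verb, and "" otherwise. It tolerates a full path to sc.exe, a quoted
// executable, a present or missing .exe suffix, and any letter case.
func StoppedService(cmdline string) string {
	fields := strings.Fields(cmdline)
	if len(fields) < 3 {
		return ""
	}
	exe := strings.Trim(fields[0], `"`)
	if i := strings.LastIndexAny(exe, `\/`); i >= 0 {
		exe = exe[i+1:] // keep only the file name of the executable
	}
	exe = strings.TrimSuffix(strings.ToLower(exe), ".exe")
	if exe != "sc" || !strings.EqualFold(fields[1], "stop") {
		return ""
	}
	return fields[2]
}

// WatchedServices lists services whose stop is worth alerting on. AppCheck is
// the one named in the article; extend the set with the security and database
// services present in your own environment (assumption, not from the article).
var WatchedServices = map[string]bool{"appcheck": true}

// FindServiceStops scans process command lines and returns every sc stop of a
// watched service.
func FindServiceStops(cmdlines []string) []ServiceStop {
	var hits []ServiceStop
	for _, c := range cmdlines {
		svc := StoppedService(c)
		if svc != "" && WatchedServices[strings.ToLower(svc)] {
			hits = append(hits, ServiceStop{Service: svc, CommandLine: c})
		}
	}
	return hits
}

// SampleCommandLines is constructed test data, not a real capture.
var SampleCommandLines = []string{
	`sc stop AppCheck`,
	`"C:\Windows\System32\sc.exe" STOP appcheck`,
	`sc query AppCheck`,
	`sc stop Spooler`,
	`notepad.exe C:\Users\victim\Desktop\invoice.docx`,
}

func main() {
	for _, h := range FindServiceStops(SampleCommandLines) {
		fmt.Printf("ALERT: service %s stopped via: %s\n", h.Service, h.CommandLine)
	}
}
```

On a real host the command lines would come from Windows process-creation events rather than the constructed slice; the parsing and matching logic is the same.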

Furthermore, the author is likely from Korea: researcher BartBlaze has reported that the ransomware has a debug path left in it mentioning the name “Jinwoo” in Korean, which could be an indicator of origin.

MAFIA Ransomware – Encryption Process

The encryption procedure of MAFIA ransomware is performed by OpenSSL using the AES-256 algorithm, also known as Advanced Encryption Standard with a 256-bit key. The cipher is used in CBC mode, which stands for Cipher Block Chaining. In this mode each encrypted block is chained to the one before it, so tampering with the encrypted data can result in permanent damage to the encrypted files.
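To make concrete what CBC chaining does to an encrypted file, here is an added example written for this page, not code from the article or from the ransomware: it encrypts a constructed document with AES-256-CBC, flips one byte inside a chosen ciphertext block, decrypts, and reports which plaintext blocks no longer match. With CBC the damage is always confined to the corrupted block and the one after it; everything else decrypts correctly. The key and plaintext are constructed demo values, and the `openssl enc` "Salted__" header and key derivation are deliberately not replicated.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad appends PKCS#7 padding so the length is a multiple of blockSize.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC encrypts plaintext with AES-256-CBC under a 32-byte key and a
// fresh random IV, returning iv || ciphertext.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptCBCRaw reverses EncryptCBC but leaves the padding in place, so a
// damaged final block can still be inspected instead of failing unpadding.
func DecryptCBCRaw(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob must be an IV plus whole blocks")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// DamagedBlocks encrypts plaintext, flips one byte inside ciphertext block
// corruptBlock (0-based, not counting the IV), decrypts, and returns the
// indices of plaintext blocks that no longer match. CBC limits the damage to
// the corrupted block (fully garbled) and the next one (one byte flipped).
func DamagedBlocks(key, plaintext []byte, corruptBlock int) ([]int, error) {
	blob, err := EncryptCBC(key, plaintext)
	if err != nil {
		return nil, err
	}
	offset := aes.BlockSize*(corruptBlock+1) + 3 // byte 3 of the chosen block
	if offset >= len(blob) {
		return nil, errors.New("corruptBlock out of range")
	}
	blob[offset] ^= 0x01
	got, err := DecryptCBCRaw(key, blob)
	if err != nil {
		return nil, err
	}
	want := pkcs7Pad(plaintext, aes.BlockSize)
	var damaged []int
	for i := 0; i < len(want)/aes.BlockSize; i++ {
		lo, hi := i*aes.BlockSize, (i+1)*aes.BlockSize
		if !bytes.Equal(got[lo:hi], want[lo:hi]) {
			damaged = append(damaged, i)
		}
	}
	return damaged, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                     // constructed demo key
	doc := bytes.Repeat([]byte("sample document text; "), 4) // 88 bytes -> 6 blocks
	for _, b := range []int{0, 1, 5} {
		d, err := DamagedBlocks(key, doc, b)
		if err != nil {
			panic(err)
		}
		fmt.Printf("corrupting ciphertext block %d damages plaintext blocks %v\n", b, d)
	}
}
```

The practical reading for a responder: a .MAFIA file that has been partially overwritten or truncated is not automatically a total loss if the key is ever obtained, since every undamaged block pair still decrypts; the encrypted data cannot, however, be repaired without the key.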

Before encrypting files, MAFIA ransomware may first scan for the files to be encrypted and then encode them. As a result, MAFIA ransomware may successfully encrypt the following file types if they are present on your computer:

→ .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .csv, .dac, .db-journal, .db3, .dbf, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .java, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nx1, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rw1, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .xll, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv, .zip, .alz, .jar, .png, .bmp, .a00, .gif, .egg
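A list this long is most useful to a defender as a filter: which files on a host or share would this family actually touch, and therefore which ones need backups and recovery priority first. The following is an added example, not code from the article: it parses an extension list in the article's comma-separated format into a normalized set (tolerating a missing leading dot, a fused pair where a comma was lost, and duplicates), then triages a file inventory against it. The excerpt list, the inventory paths and the function names are constructed for the example; the full list above can be pasted in place of the excerpt.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ParseExtensionList turns a comma-separated extension list, as printed in a
// ransomware write-up, into a normalized set. It lower-cases entries, adds a
// missing leading dot, splits fused pairs such as ".db3.dbf" where a comma was
// lost, and drops duplicates.
func ParseExtensionList(raw string) map[string]bool {
	set := make(map[string]bool)
	for _, item := range strings.Split(raw, ",") {
		item = strings.ToLower(strings.TrimSpace(item))
		for _, part := range strings.Split(item, ".") {
			if part != "" {
				set["."+part] = true
			}
		}
	}
	return set
}

// IsTargeted reports whether a file path ends in one of the targeted
// extensions. Backslashes are normalized so Windows paths with dotted
// directory names are handled correctly.
func IsTargeted(targets map[string]bool, filePath string) bool {
	ext := path.Ext(strings.ReplaceAll(filePath, `\`, "/"))
	return targets[strings.ToLower(ext)]
}

// Triage splits a file inventory into paths the ransomware would encrypt and
// paths it would leave alone, so backups and recovery can be prioritized.
func Triage(targets map[string]bool, paths []string) (targeted, spared []string) {
	for _, p := range paths {
		if IsTargeted(targets, p) {
			targeted = append(targeted, p)
		} else {
			spared = append(spared, p)
		}
	}
	return targeted, spared
}

// SampleList is a constructed excerpt in the article's list format, including
// the kinds of typos such lists carry (missing dot, fused pair, duplicate).
const SampleList = ".3dm, .3ds, .accdb, .bak, .db3.dbf, .docx, .jpg, sqlite, .sqlite3, .xlsx, .zip, .bkp, .bkp, .pem, .kdbx"

// SampleInventory is a constructed file inventory, not a real host listing.
var SampleInventory = []string{
	`C:\Users\victim\Documents\Q3-report.DOCX`,
	`C:\Users\victim\Documents\passwords.kdbx`,
	`C:\data.v2\app.exe`,
	`C:\data.v2\readme`,
	`/srv/db/site.sqlite`,
}

func main() {
	targets := ParseExtensionList(SampleList)
	targeted, spared := Triage(targets, SampleInventory)
	fmt.Printf("%d targeted extensions parsed\n", len(targets))
	fmt.Println("would be encrypted:", targeted)
	fmt.Println("left alone:", spared)
}
```

Note that the article's list includes .key, .pem, .pfx, .p12 and .kdbx, so private keys, certificates and password databases are in scope alongside documents; those deserve the first place in any offline backup plan.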

The encryption process is not a fast one because of the OpenSSL routine used by MAFIA ransomware, so if you see your files starting to be encrypted, you can halt the process by immediately shutting down your PC.

After the files are encrypted by this variant of MAFIA ransomware, the virus creates a ransom note, written entirely in Korean and named information.mafia.

The encrypted files also have the .MAFIA extension appended to their names.

Remove MAFIA Ransomware and Restore .MAFIA Files

If you want to remove this version of MAFIA ransomware, we recommend that you follow the removal instructions in the article underneath. They are divided into manual and automatic removal instructions, with the main goal of being as effective as possible. If you want to remove this ransomware from your computer but lack the malware removal experience to do it manually, security experts strongly advise performing the removal automatically with the aid of an advanced anti-malware program.

If your files have been encrypted by the MAFIA ransomware, we recommend that you follow the alternative file recovery methods in step “2. Restore files, encrypted by MAFIA ransomware” underneath. They have been created to help you try to recover as many encrypted files as possible if the damage has already been done.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
