Remove MafiaWare Ransomware and Restore .Locked-by-Mafia Files (Update March 2017)

Remove MafiaWare Ransomware and Restore .Locked-by-Mafia Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will help you remove the MafiaWare ransomware in full. Follow the ransomware removal instructions given at the end of the article.

MafiaWare ransomware is a cryptovirus that is themed around the Mafia. Its payload file is called mafiaware.exe and the extension it places to all files after encryption is .Locked-by-Mafia. When your files become encrypted, the MafiaWare cryptovirus displays a ransom note with instructions for payment. Researchers say that the virus is a variant of HiddenTear. Continue to read and see what ways you could try out to restore some of your files.

Threat Summary

Short DescriptionThe ransomware encrypts files on your computer and after that it displays a ransom note.
SymptomsThe ransomware will encrypt your files and put the .Locked-by-Mafia extension on them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by MafiaWare


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss MafiaWare.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Update, March 2017. Unfortunately, there still hasn’t been a decrypter for MafiaWare. Infected users may try restoring their files via alternative methods such as data recovery software. In addition, security researchers have uncovered a new variant of MafiaWare identified as AngleWare ransomware, appending the .AngleWare to encrypted files. Both AngleWare and MafiaWare belong to the HiddenTear ransomware family, which has been decrypted. Unfortunately, there is no indication that the available decrypter would work on files encrypted by either MafiaWare or AnglewWare.

MafiaWare Ransomware – Delivery Tactics

MafiaWare ransomware could be delivered by utilizing different tactics. The payload file which initiates the malicious script of the ransomware is most commonly found on the Internet by the name mafiaware.exe, although it is renamed to hide its true nature in most cases. You can see the analysis of that executable file containing the payload script, from the screenshot of the VirusTotal website, right here:

MafiaWare ransomware could also be using the tactic to deliver the payload file via social media networks and file-sharing services. Freeware applications found on the Web could be promoted as useful but also could be hiding the malicious script of the virus. Don’t immediately open files after you have downloaded them, especially if they come from suspicious sources, like links and e-mails. Better yet, you should scan them first with some security program. Don’t forget to check the size and signatures of the files for anything unusual. You should read the ransomware preventing tips thread from the forum.

MafiaWare Ransomware – Technical Overview

MafiaWare ransomware is a cryptovirus, which is a variant of the open-source ransomware project HiddenTear, according to various researchers. When the MafiaWare ransomware encrypts your files it will place the extension .Locked-by-Mafia as the extension on each file that gets encrypted.

MafiaWare ransomware could make entries in the Windows Registry to achieve persistence. These registry entries are typically designed in a way that will launch the virus automatically with each launch of the Windows Operating System.

The ransom note appears right after the encryption process is done. The note states what the demands of the cybercriminals are for decrypting your files. You can check out the ransom note from the screenshot down here:

That ransom note reads the following:

Your files has been encrypted by depsex
Pay $155 to my bitcoin address 1CS7xqkujGWQAMq1y54D68QWWKyCz266zz
And send the proof to my email

The developers of the MafiaWare virus have put their demands in the simple note shown above. However, you should NOT follow those demands, nor contact the cyber criminals under any circumstances. If you proceed and pay them, no guarantee exists that you will recover your data. Besides, providing money to those crooks will just support them financially and is likely to give them more motivation to do criminal acts such as this one.

For the moment, there is no list of file extensions that the MafiaWare ransomware searches to encrypt. The article will get updated if there is anything new on the matter. The encryption algorithm which is used is believed to be AES and malware researchers say that the ransomware is a variant of the HiddenTear open-source project. Encrypted files will receive the .Locked-by-Mafia extension appended to them. Some of the following extensions are possible to get encrypted:

→.doc, .docx, .pdf, .db, .jpg, .png, .ppt, .pptx, .txt, .xls, .xlsx, .mp3, .flv, .avi

The MafiaWare cryptovirus probably also searches to delete the Shadow Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

Read on further and find out what methods you can try to restore some of your files.

Remove MafiaWare Ransomware and Restore .Locked-by-Mafia Files

If your computer got infected with the MafiaWare ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share