Remove MafiaWare Ransomware and Restore .Locked-by-Mafia Files (Update March 2017)

This article will help you remove the MafiaWare ransomware in full. Follow the ransomware removal instructions given at the end of the article.

MafiaWare ransomware is a cryptovirus themed around the Mafia. Its payload file is called mafiaware.exe, and the extension it appends to all files after encryption is .Locked-by-Mafia. Once your files are encrypted, the MafiaWare cryptovirus displays a ransom note with instructions for payment. Researchers say that the virus is a variant of HiddenTear. Read on to see what methods you could try to restore some of your files.

Threat Summary

Name: MafiaWare
Type: Ransomware
Short Description: The ransomware encrypts files on your computer and after that it displays a ransom note.
Symptoms: The ransomware will encrypt your files and put the .Locked-by-Mafia extension on them.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Update, March 2017. Unfortunately, there is still no decrypter for MafiaWare. Infected users may try restoring their files via alternative methods such as data recovery software. In addition, security researchers have uncovered a new variant of MafiaWare identified as AngleWare ransomware, which appends the .AngleWare extension to encrypted files. Both AngleWare and MafiaWare belong to the HiddenTear ransomware family, which has been decrypted. Unfortunately, there is no indication that the available decrypter would work on files encrypted by either MafiaWare or AngleWare.

MafiaWare Ransomware – Delivery Tactics

MafiaWare ransomware could be delivered using different tactics. The payload file which initiates the malicious script of the ransomware is most commonly found on the Internet under the name mafiaware.exe, although in most cases it is renamed to hide its true nature. You can see the analysis of that executable file containing the payload script, from the screenshot of the VirusTotal website, right here:

MafiaWare ransomware could also deliver its payload file via social media networks and file-sharing services. Freeware applications found on the Web could be promoted as useful while hiding the malicious script of the virus. Don’t immediately open files after you have downloaded them, especially if they come from suspicious sources such as links and e-mails. Better yet, scan them first with a security program. Don’t forget to check the size and signatures of the files for anything unusual. You should read the ransomware prevention tips thread in the forum.

MafiaWare Ransomware – Technical Overview

MafiaWare ransomware is a cryptovirus which, according to various researchers, is a variant of the open-source ransomware project HiddenTear. When the MafiaWare ransomware encrypts your files, it appends the extension .Locked-by-Mafia to each file that gets encrypted.

MafiaWare ransomware could make entries in the Windows Registry to achieve persistence. These registry entries are typically designed to launch the virus automatically each time the Windows operating system starts.

The ransom note appears right after the encryption process is done. The note states what the demands of the cybercriminals are for decrypting your files. You can check out the ransom note from the screenshot down here:

That ransom note reads the following:

Your files has been encrypted by depsex
Pay $155 to my bitcoin address 1CS7xqkujGWQAMq1y54D68QWWKyCz266zz
And send the proof to my email [email protected]

The developers of the MafiaWare virus have put their demands in the simple note shown above. However, you should NOT follow those demands, nor contact the cyber criminals under any circumstances. If you proceed and pay them, no guarantee exists that you will recover your data. Besides, providing money to those crooks will just support them financially and is likely to give them more motivation to do criminal acts such as this one.

For the moment, there is no list of the file extensions that the MafiaWare ransomware seeks to encrypt. The article will be updated if there is anything new on the matter. The encryption algorithm used is believed to be AES, and malware researchers say that the ransomware is a variant of the HiddenTear open-source project. Encrypted files will have the .Locked-by-Mafia extension appended to them. Files with some of the following extensions may get encrypted:

→.doc, .docx, .pdf, .db, .jpg, .png, .ppt, .pptx, .txt, .xls, .xlsx, .mp3, .flv, .avi
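To scope the damage before attempting any restore, the appended .Locked-by-Mafia extension can be used to inventory affected files. The script below is an added example, not part of the original article; it assumes the extension is appended to the full original file name (for instance report.docx.Locked-by-Mafia), and the function name is hypothetical.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

# Extension named in the article; compared case-insensitively.
LOCKED_SUFFIX = ".locked-by-mafia"


def inventory_locked_files(root):
    """Walk root and summarise files that carry the appended extension."""
    by_original_ext = Counter()
    paths, mtimes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(LOCKED_SUFFIX):
                continue
            full = os.path.join(dirpath, name)
            # Assumption: the suffix was appended to the full original name,
            # so stripping it recovers the original name and its extension.
            original = name[: -len(LOCKED_SUFFIX)]
            ext = os.path.splitext(original)[1].lower() or "(none)"
            by_original_ext[ext] += 1
            paths.append(full)
            try:
                mtimes.append(os.stat(full).st_mtime)
            except OSError:
                pass  # unreadable entry: still counted, just no timestamp
    window = None
    if mtimes:
        # Earliest and latest modification times approximate when the
        # encryption ran, which helps pick a backup taken before it.
        window = tuple(
            datetime.fromtimestamp(t, timezone.utc) for t in (min(mtimes), max(mtimes))
        )
    return {
        "count": len(paths),
        "by_original_ext": dict(by_original_ext),
        "paths": sorted(paths),
        "modified_window_utc": window,
    }


if __name__ == "__main__":
    report = inventory_locked_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(report["count"], "locked files;", report["by_original_ext"])
    print("modified between:", report["modified_window_utc"])
```

Run it against a user profile or file share path; the per-extension counts show which document types need restoring and the time window shows which backups predate the incident.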

The MafiaWare cryptovirus probably also tries to delete the Shadow Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet
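For defenders, that command line is a useful detection signal in process-creation logs. The matcher below is an added example, not code from the original article; the event records are constructed, and the function names are hypothetical. It tolerates differences in case, quoting, full paths and flag order, and does not fire on read-only vssadmin usage.

```python
import re

# Constructed process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": r"vssadmin.exe delete shadows /all /Quiet"},
    {"host": "ws-02", "cmdline": r'"C:\Windows\System32\VSSADMIN.EXE"  Delete Shadows /Quiet /All'},
    {"host": "ws-03", "cmdline": r"cmd.exe /c vssadmin delete shadows /for=C: /quiet"},
    {"host": "ws-04", "cmdline": r"vssadmin list shadows"},
    {"host": "ws-05", "cmdline": r'findstr /i "vssadmin delete shadows" C:\logs\audit.txt'},
]

TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted string or bare word
VSSADMIN_NAMES = {"vssadmin", "vssadmin.exe"}


def match_shadow_delete(cmdline):
    """Return flags of a 'vssadmin delete shadows' call, or None if absent."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    for i, tok in enumerate(tokens):
        # Compare only the file name so full paths and mixed case still match.
        base = re.split(r"[\\/]", tok)[-1].lower()
        if base not in VSSADMIN_NAMES:
            continue
        args = [a.lower() for a in tokens[i + 1:]]
        if args[:2] == ["delete", "shadows"]:
            flags = set(args[2:])
            return {"all_copies": "/all" in flags, "quiet": "/quiet" in flags}
    return None


def scan(events):
    """Return (host, all_copies, quiet) for every event that deletes shadows."""
    hits = []
    for ev in events:
        m = match_shadow_delete(ev["cmdline"])
        if m:
            hits.append((ev["host"], m["all_copies"], m["quiet"]))
    return hits


if __name__ == "__main__":
    for host, all_copies, quiet in scan(SAMPLE_EVENTS):
        print(f"ALERT {host}: shadow copy deletion (all={all_copies}, quiet={quiet})")
```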

Read on further and find out what methods you can try to restore some of your files.

Remove MafiaWare Ransomware and Restore .Locked-by-Mafia Files

If your computer got infected with the MafiaWare ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. To remove the ransomware, follow the step-by-step instructions provided below.


To remove MafiaWare follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove MafiaWare files and objects
2. Find files created by MafiaWare on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by MafiaWare

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
