A ransomware crypto-virus that goes by the name of Mahasaraswati is spreading around the Web. The email left for victims with instructions to pay the ransom is located in India, although the origin of the ransomware and its creator is unknown. The virus locks files and puts an extension ending in [email protected] to each file. The money demanded as a ransom is 3 Bitcoins. To see how to remove this ransomware and how you could restore your files, you should read the article carefully.
|Short Description||The ransomware encrypts files with an extension ending in [email protected] and demands a ransom of 3 BitCoins.|
|Symptoms||The ransomware will encrypt files on your computer. Two files named How to decrypt your files are created, containing the instructions for payment.|
|Distribution Method||Spam Emails, Email Attachments, Executable Files|
|Detection Tool|| See If Your System Has Been Affected by Mahasaraswati |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Mahasaraswati.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Mahasaraswati Ransomware – Delivery
Mahasaraswati ransomware is delivered in a few ways. As other modern ransomware viruses, this one also uses spam emails as the main delivery method. The emails have files as attachments that have the malware code inside them. In some rare cases, the body of the email itself might activate malicious code.
Getting infected with the ransomware is also possible through social media websites or via file-sharing services. These mediums might also spread malware code disguised as an executable or a file of a useful app. The best prevention tactic against any ransomware is to avoid any and all suspicious files. Do not click, open or download files that seem fishy.
Mahasaraswati Ransomware – Information
Mahasaraswati is the name of a ransomware crypto-virus. The ransomware is presented as a program for making your computer secure as if IT professionals are offering you help. The creators of the ransomware try to push the whole thing as a service. They offer not only to unlock your files but also put a good anti-malware on your PC.
The truth is that the virus just encrypts your files and asks a ransom, although the ransom note is written in a clever way. For every day, you do not pay the money to revert the changes, the sum increases with 2 Bitcoins.
A picture and a text file with the same name are created after the encryption process is complete. Both files are named How to decrypt your files.
Both the .txt and .jpeg files contain instructions for the ransom payment and can be found in every directory with encrypted files. The .txt can be previewed in the picture below:
Both of the files read the following:
Good morning, dear friend!
We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection. We kindly draw your attention that defensive operation on your computer is not running properly, and now the whole database is at risk. All your files are encrypted and can not be accepted back without our professional help. Obviously vulnerability analysis, troubleshooting, decoding the information and then ensuring safety are not a simple matter. And so our high-grade and quick service is not free.
Please note that today the price of your files recovery is 3 Bitcoins, but next day it will cost 5 Bitcoins.
You should buy bitcoins here http://localbitcoins.com/faq
Read the paragraphs:
1. How to buy Bitcoins?
2. How do I send Bitcoins and how can I pay with Bitcoins after buying them?
The Bitcoin wallet for payment is –
After the transfer of bitcoins please send email with screenshot of the payment page.
We does not advise you to lose time, because the price will encrese with each passing day.
As proof of our desire and readiness to help you, we can decipher a few of your files for test.
To check this you can upload any encrypted file on web site dropmefiles.com, size no more than 10 MB
(only text file or a photo) and send us a download link. Certainly after payment we guarantee prompt solution
of the problem, decrypt the database to return to its former condition and consultation how to secure the rules of the system safety.
Kind regards, Saraswati.
The ransom note cleverly written and tries to trick you that the ransomware creators are IT professionals trying to help you. Like something else has locked your files, and for them to unlock them, you need to pay 3 Bitcoins within one day. 3 Bitcoins equals to 1350 US dollars estimated from the time of this article being written. According to the instructions, the price for decryption will increase with 2 Bitcoins with each day that passes.
Do NOT pay the ransom or even think of paying. Doing this will give funds to the owner of the ransomware, which will probably be used to create a stronger virus or support other criminal activities. No way is there to know if you will get your files decrypted or if you will be contacted back in the first place.
The Mahasaraswati ransomware encrypts files of different types. It is certain that documents and pictures are going to be encrypted. Those are still one of the most precious files to users as they have valuable information on them or family photos. The encryption process of the ransomware encrypts the following file extensions:
→.html, .jpg, .jpg2, .pdf, .png, .ppt, .pptm, .pptx, .bmp, .doc, .docm, .docx, .docxml, .docz, .gif, .rtf, .tar, .targz, .targz2, .txt, .xlmv, .xls, .xlsm, .xlsx, .xml, .tarlzma, .tarxz
The list of file extensions shown above is probably incomplete, but these are the main file that will be encrypted. After the encryption process is done, all files will have the same extension – .id-[The ID of the infected user]. [email protected].
Mahasaraswati ransomware might delete Shadow Volume Copies from the Windows Operating System. You should still check this as there could be different versions of the ransomware in the wild.
Remove Mahasaraswati Ransomware and Restore [email protected] Files
If your computer is infected with the Mahasaraswati ransomware, you should have at least some experience in removing viruses. You should get rid of this ransomware fast as it can spread deeper through the network and infect more files. The recommended action is to remove the ransomware and follow the step-by-step instructions provided below.