Mahasaraswati Ransomware

What is Mahasaraswati Ransomware?

Mahasaraswati Ransomware (also known as Saraswati Ransomware) is a new ransomware infection that frequently infects unprotected computers these days. It is a new version of the ransomware infection in the CryptoEncoder family; however, it can be distinguished from others because it sets the image of the Indian goddess Saraswati as Desktop background. This is the only unique feature because Mahasaraswati Ransomware acts exactly like other well-known ransomware infections, for example, ODCODC Ransomware, zCrypt Ransomware, and Nemucod Ransomware. Researchers at anti-spyware-101.com have observed that it locks files immediately after it sneaks onto the computer and then asks users to pay a ransom for the decryption of files. We hope that we will help you to decide whether or not to pay money.

What does Mahasaraswati Ransomware do?

The major goal of ransomware infections is to make users pay money. Therefore, these infections lock files the first thing after they manage to enter the system. In case of Mahasaraswati Ransomware, this infection encrypts two types of files: document files and binary files. To be more specific, this threat will lock .ppt, .jpg, .exe, .dll, and a bunch of files with different filename extensions. Luckily, it will not touch system files. There is no doubt that a file is encrypted and cannot be opened if you see the new extension .id-*********.{mahasaraswati@india.com}.xtbl added next to (* - any number or letter) original extensions, for example, file.exe.id-342AA52A.{mahasaraswati@india.com}.xtbl. The threat will also create How to decrypt your files.txt and will put these files on Desktop and other directories. You will not find much in these files: “To decrypt your data write me to Mahasaraswati@india.com.” The text on the picture which will be set as Desktop background will not say much either: “Keep calm, my friend. All your data is encrypted. To get the key write on email mahasaraswati@india.com.”

We have contacted cyber criminals for you and received the answer quite quickly. We believe that they send the same email letter to all the users who contact them. If it is true, you will be asked to transfer 3 Bitcoins (approximately $1 588) for the decryption of files. Unfortunately, the ransom might increase if a user decides to pay money later. It might even reach 5 Bitcoins. Cyber criminals that hide behind this ransomware infection seek to convince users that they have nothing to do with that, and they just want to help them:

We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection.

We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk.

All your files are encrypted and can not be accepted back without our professional help.

Obviously vulnerability analysis, troubleshooting, decoding the information and then ensuring safety are not a simple matter.

And so our high-grade and quick service is not free.

Do not pay money whatever cybercrooks say because there are no guarantees that your files will be unlocked after you transfer the required money. In fact, you do not even need to do that if you have copies of your files. Last but not least, we are sure that the free decryption tool will be released sooner or later. Of course, you will not be able to use your computer freely if you wait for the decryptor to be released because Mahasaraswati Ransomware blocks .exe files (you will not be able to open your programs), and it will also encrypt new files you create.

Where does Mahasaraswati Ransomware come from?

It is unclear how Mahasaraswati Ransomware is distributed; however, we suspect that it is spread like other similar threats. In other words, it comes as a spam email attachment. Many users open these attachments because they pretend to be good files, e.g. an invoice in .pdf or .doc formats. What’s more, this ransomware might also be spread through corrupted websites whose vulnerabilities have been exploited. Users who want to be sure that their systems are safe should install security software on their computers. We are sure that this will be enough to protect the computer from harm; however, your security software must be 100% trustworthy.

How to delete Mahasaraswati Ransomware

As it is already known, this ransomware infection will block all .exe files, so you will have to delete files of this threat in a manually way or transfer the setup of a legitimate antimalware tool from another computer. If you have decided to take care of this threat in a manual way, you should definitely use our step by step instructions you can find below this article. Keep in mind that the deletion of Mahasaraswati Ransomware does not mean that your PC is perfectly clean because other threats might hide on your computer too. To find out whether or not it is true, scan your PC with SpyHunter (you can download its diagnostic scanner from our website).

Remove Mahasaraswati Ransomware manually

1. Launch RUN (press Windows key + R simultaneously, enter regedit.exe, and click OK).
2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
3. Find the Value with a random name containing the value data C:\WINDOWS\System32\{random}.exe or C:\WINDOWS\System32\Saraswati.exe.
4. Right-click on it and select Delete.
5. Go to HKEY_CURRENT_USER\Control Panel\Desktop.
6. Right-click on the Wallpaper Value and delete it.
7. Close the Registry Editor and open the Explorer.
8. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup in the address bar.
9. Tap Enter.
10. Locate the following files and remove them one after the other: Saraswati.exe (the name of the file might differ), How to decrypt your files.jpg, and How to decrypt your files.txt.

Download Removal Tool100% FREE spyware scan and
tested removal of Mahasaraswati Ransomware*