Saraswati Ransomware

What is Saraswati Ransomware?

Saraswati is a holly symbol in the Hinduism world, but it is not that holly to the creators of the Saraswati Ransomware who have exploited the image of the goddess for malicious purposes. The image of the goddess appears on the desktop along with a message that tells you to keep calm and contact an email provided (mahasaraswati@india.com). Chances are that the creator of this malicious ransomware is located in India, but this could also be a trick to conceal the true location. Well, wherever these malicious malware distributors are located, they have developed the ransomware to get you. Some users rush to delete Saraswati Ransomware from their computers thinking that this is the only way to get their files decrypted. Unfortunately, that is not the case. Once this threat encrypts your files, the decryption key is hidden from you to force you into paying the ransom.

How does Saraswati Ransomware work?

Although Saraswati Ransomware from the CryptoEncoder family is similar to Cryptxxx Ransomware, CryptoHost Ransomware, and all other infections that are set up to encrypt files, this one is a little different in a sense that it requires you to contact the email provided for further instructions. If you contact the email, you are likely to get a response quickly with a Bitcoin wallet address, which you need to transfer the money. According to the information provided via the email response, you are required to contact mahasaraswati@india.com again after you make the payment with a screenshot proving that. To prove their “good intentions”, cyber criminals might offer decrypting one file, but that does not mean that all files will be decrypted once they get what they want, which is a payment of 3 BTC (~$1425/€1267). Of course, the sum might be different in your case, but it is likely to be incredibly big. Furthermore, threats to increase the ransom day by day are likely to be presented via the email as well. Here is the initial screen notification.

Keep calm, my friend.
All your data is encrypted.
To get the key write on email mahasaraswati@india.com

This email address is also present in the extension added to the encrypted files, which silently pushes to contact cyber criminals as well. “.id-{ID}.{mahasaraswati@india.com}.xtbl” is the extension that is attached to your personal files with a unique identification number that identifies you as a unique victim of the ransomware. Speaking of the files Saraswati Ransomware encrypts, we have found that besides corrupting documents, photos, and other personal files, it also encrypts executables. This means that your browsers and other applications installed on your PC might be inaccessible as well. Although these files can be replaced, they are encrypted to stop you from gathering information and taking action against this ransomware. Unfortunately, some users pay the ransom because they believe that this is payment requested by trustworthy security specialists. The email sent to you by cyber criminals might inform you that the so-called security specialists are working hard to fix the vulnerabilities in your system’s protection. There is no denying that your operating system is vulnerable, but you should not rely on cyber crooks to fix that.

How to delete Saraswati Ransomware

Although removing Saraswati Ransomware does not solve the problem of file decryption, Anti-Spyware-101.com researchers warn it is crucial to erase this malicious infection. In the best case scenario, you will have your files backed up, in which case, you do not need to fear the encryption at all. However, if you have not taken the time to protect your files, you might think that paying the ransom is your only option. Well, have you looked into third-party decryption tools? Have you looked at the files encrypted by this threat? Maybe they aren’t even worth decrypting? Hopefully, you will find a solution because paying the ransom is extremely risky. Keep in mind that cyber criminals are dangerous, and they are unlikely to keep their promises to help you out, no matter how much money you pay them.

Removal Instructions

1. Delete the How to decrypt your files.txt and How to decrypt your files.jpg files from the Desktop.
2. Launch Explorer (tap Win+E).
3. Use the bar at the top to access %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ (enter the directory into the bar).
4. Delete these files: Saraswati.exe, How to decrypt your files.jpg, and How to decrypt your files.txt.
5. Launch RUN (tap Win+R).
6. Type regedit.exe into the dialog box and select OK.
7. Navigate to HKEY_CURRENT_USER\Control Panel\Desktop.
8. Right-click and Delete the Wallpaper value (after this you will be able to apply any desktop image you want).
9. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
10. Right-click and Delete the random value name (e.g., gjyowqqo) associated with the ransomware.

N.B. Use the comments section below to post your questions about the ransomware, its removal, and the file encryption or decryption processes.

Download Removal Tool100% FREE spyware scan and
tested removal of Saraswati Ransomware*