Mahasaraswati Ransomware
Threat Scorecard
Ranking: 18,765
Threat Level: 100% (High)
Infected Computers: 20
First Seen: May 27, 2016
Last Seen: January 26, 2023
OS(es) Affected: Windows
The Mahasaraswati Ransomware is a ransomware infection from India that encrypts its victim's files and demands the payment of a ransom. It is part of the CryptoEncoder family of threats and is distinguished by the image of the Hindu goddess Saraswati displayed in its ransom note. After encrypting the victim's files, the Mahasaraswati Ransomware renames them, appending a hexadecimal identification code, the email address Mahasaraswati@india.com, and the XTBL extension. To decrypt files encrypted by the Mahasaraswati Ransomware, it is necessary to send an email to this email address.
How the Mahasaraswati Ransomware Attacks a Computer
The Mahasaraswati Ransomware is delivered in an executable file, saraswati.exe, which may be distributed using common threat delivery methods. The Mahasaraswati Ransomware changes the affected computer's settings so that it runs automatically as soon as Windows starts up, deletes System Restore points and Shadow Volume Copies of encrypted files, and encrypts the victim's files. The Mahasaraswati Ransomware drops HTML, TXT, and JPG files containing instructions. The files, named 'How to decrypt your files.txt', contain a large image of the Hindu goddess and the following text:
To decrypt your data write me to the Mahasaraswati@india.com
PC security analysts communicated with the email address in the note above, and received the following response:
Good morning, dear friend!
We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection.
We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk.
All your files are encrypted and can not be accepted back without our professional help.
Obviously vulnerability analysis, troubleshooting, decoding the information and then ensuring safety are not a simple matter.
And so our high-grade and quick service is not free.
Please note that today the price of your files recovery is 3 Bitcoins, but next day it will cost 5 Bitcoins.
You should buy bitcoins here https://localbitcoins.com/faq
Read the paragraphs:
1. How to buy Bitcoins?
2. How do I send Bitcoins and how can I pay with Bitcoins after buying them?
The Bitcoin wallet for payment is 1DGMeKSALSkYGkedYDUgcvV8mP77WEGusQ
After the transfer of bitcoins please send email with screenshot of the payment page.
We does not advise you to lose time, because the price will encrese with each passing day.
As proof of our desire and readiness to help you, we can decipher a few of your files for test.
To check this you can upload any encrypted file on Web site dropmefiles.com, size no more than 10 MB (only text file or a photo) and send us a download link.
Certainly after payment we guarantee prompt solution of the problem, decrypt the database to return to its former condition and consultation how to secure the rules of the system safety.
Kind regards, Saraswati.
The message above is written to prey on inexperienced computer users, making it seem as if the con artists responsible for the Mahasaraswati Ransomware are providing a useful service. Unfortunately, the Mahasaraswati Ransomware attack demands a very high ransom amount.
Counteracting the Mahasaraswati Ransomware Infection
It may not be possible to decrypt the files encrypted by the Mahasaraswati Ransomware. Therefore, a backup copy of these files will need to be used to restore them. PC security analysts strongly advise computer users to disconnect any computer infected with the Mahasaraswati Ransomware from the network at once. The effects of ransomware Trojans like the Mahasaraswati Ransomware can be devastating when they spread within a network. The best way to deal with the Mahasaraswati Ransomware and similar attacks is prevention. A reliable security product can stop the Mahasaraswati Ransomware and other similar attacks before they manage to enter your computer and encrypt your files.
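To scope which folders need restoring from backup, a file listing can be swept for the indicators named above (the hex code plus Mahasaraswati@india.com plus XTBL rename, the ransom note name, and saraswati.exe). This is an added example, not EnigmaSoft's tooling; the `id-` prefix and dot separators in the sample names, the six-digit minimum for the hex code, and all sample paths are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators named in the write-up above (compared case-insensitively).
CONTACT = "mahasaraswati@india.com"
EXTENSION = ".xtbl"
NOTE_NAME = "how to decrypt your files.txt"
DROPPER_NAME = "saraswati.exe"
# Assumption: the appended identification code is a run of 6+ hex digits.
HEX_ID = re.compile(r"(?<![0-9a-f])[0-9a-f]{6,}(?![0-9a-f])")

def classify(path):
    """Return 'encrypted', 'note', 'dropper' or None for one Windows path."""
    name = PureWindowsPath(path).name.lower()
    if name == NOTE_NAME:
        return "note"
    if name == DROPPER_NAME:
        return "dropper"
    if name.endswith(EXTENSION) and CONTACT in name:
        # Require the hex code too; order and separators are not assumed.
        rest = name[: -len(EXTENSION)].replace(CONTACT, " ")
        if HEX_ID.search(rest):
            return "encrypted"
    return None

def triage(paths):
    """Count hits per parent directory so restores can be scoped."""
    per_dir = {}
    for p in paths:
        kind = classify(p)
        if kind:
            parent = str(PureWindowsPath(p).parent)
            per_dir.setdefault(parent, Counter())[kind] += 1
    return per_dir

# Constructed sample listing; the "id-" prefix and dots are assumed.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id-5F3A9C21.Mahasaraswati@india.com.xtbl",
    r"C:\Users\alice\Documents\photo.jpg.id-5F3A9C21.Mahasaraswati@india.com.XTBL",
    r"C:\Users\alice\Documents\How to decrypt your files.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\AppData\Roaming\saraswati.exe",
    r"C:\Users\bob\Desktop\thesis.docx",
]

if __name__ == "__main__":
    for folder, counts in triage(SAMPLE_LISTING).items():
        print(folder, dict(counts))
```

On a real host, pass `triage` the paths from a recursive directory listing taken from an offline image or after the machine has been disconnected from the network.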