
Mahasaraswati Ransomware

Posted: May 27, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 49
First Seen: May 27, 2016
Last Seen: May 8, 2023
OS(es) Affected: Windows

The Mahasaraswati Ransomware is a Trojan that encrypts your files and then promotes an e-mail address for 'security specialists' who will sell you the matching decryption key. While these attacks can cause permanent damage to your personal data, paying the ransom does not always result in a decryptor being delivered, and malware experts can recommend any of several free alternatives. PC users removing the Mahasaraswati Ransomware should run full system scans with their anti-malware software, which should also detect other components of this campaign, such as any Trojan droppers.

Subjecting Your PC to the 'Art' of Encryption

The Hindu goddess of arts Saraswati may form an essential part of the world's third-largest religion, but threat authors aren't known for being especially devout. At least one threat campaign has chosen to turn this deity into a personal mascot for file-encrypting attacks, with the goddess delivering the initial ransom instructions and rerouting you to a con artist. The formats of these attacks are similar to those of earlier threats seen by malware experts, such as the suspected Rakhni derivatives of the JohnyCryptor Ransomware and the 'Av666@weekendwarrior55' Ransomware.

The Mahasaraswati Ransomware modifies the system Registry to launch itself automatically and afterward scans for data formats such as spreadsheets and text documents. The Trojan renames every affected file, appending a system-specific ID number and the e-mail address that the con artists want their victims to contact. More significantly, each file's contents are also passed through an encryption algorithm, leaving the data unreadable without the matching key.

Besides these most obvious symptoms, malware experts noted some traits that set the Mahasaraswati Ransomware apart from similar Trojans. Its ability to encrypt even executable (EXE) programs and its slightly unconventional installation path (under the Roaming directory) make it relatively creative compared to other file encryptors with otherwise identical payloads.
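As an added example (not code from the original page or from any vendor tool), here is a small Python triage helper for a file listing taken from an affected machine, built around the traits described above: the ID-plus-e-mail renaming, encrypted EXEs and the Roaming drop location. The exact rename layout `<name>.<ext>.<id>.<email>`, the sample paths and the e-mail address are assumptions.

```python
import re
from collections import Counter

# Assumed rename layout: <original name>.<ext>.<id>.<email>. The page only states
# that an ID and an e-mail address are appended; the layout here is an assumption.
RENAMED = re.compile(
    r"^(?P<orig>.+?\.(?P<ext>[A-Za-z0-9]+))\.(?P<id>[A-Za-z0-9-]+)"
    r"\.(?P<email>[^@\s.]+@[^@\s]+\.[A-Za-z]{2,})$"
)
# Executables living under the user's Roaming directory (this family's unusual drop location).
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\.*\.exe$", re.IGNORECASE)


def triage(paths):
    """Summarise a path listing: the contact e-mail and ID appended to encrypted
    files, whether EXEs were hit, and any executables under Roaming."""
    emails, ids, exts, roaming = Counter(), set(), Counter(), []
    for p in paths:
        p = p.replace("/", "\\")            # normalise separators
        name = p.rsplit("\\", 1)[-1]        # match on the file name only
        m = RENAMED.match(name)
        if m:
            emails[m["email"].lower()] += 1
            ids.add(m["id"])
            exts[m["ext"].lower()] += 1
        if ROAMING_EXE.search(p):
            roaming.append(p)
    return {
        "contact_email": emails.most_common(1)[0][0] if emails else None,
        "encrypted_count": sum(emails.values()),
        "ids": sorted(ids),
        "exe_encrypted": exts.get("exe", 0) > 0,
        "roaming_executables": roaming,
    }


# Constructed sample listing (hypothetical paths, ID and e-mail; not real indicators).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.id-1A2B3C4D.helpdesk@example.test",
    r"C:\Users\alice\Documents\notes.txt.id-1A2B3C4D.helpdesk@example.test",
    r"C:\Program Files\Tool\tool.exe.id-1A2B3C4D.helpdesk@example.test",
    r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```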

Trumping the Wisdom of Surrendering to a Hoax with a Common-Sense Solution

The Mahasaraswati Ransomware's con artists have histories of pretending to offer security services as a 'legitimate' company, although other aspects of their trade (such as an insistence on Bitcoin payments) make their tactic instantly identifiable. Between the free decryptors regularly released by the PC security sector, and the widespread availability of backup storage, you never should need to pay for your data's recovery. Similarly, PC owners never should take security recommendations delivered through unusual pop-ups, regardless of the nature of the iconography included in the images.

The Mahasaraswati Ransomware also provides another, unintentional incentive to back your content up: the fact that its ransoms range from moderately to extremely high, starting at over a thousand USD with a ceiling of nearly two thousand. While this ransom fee is much greater than that of other Trojans of its type, malware experts have found no relationship between the expense of a Trojan's ransom demands and the complexity of its encryption routine.

Since anti-malware programs typically don't include decryption features, deleting the Mahasaraswati Ransomware and restoring your data require separate strategies. However, removing the Mahasaraswati Ransomware first always re-secures your PC and gives you a safe foothold from which to use other security tools or restore from a backup.

Initial evidence suggests that the Mahasaraswati Ransomware may be installing itself through pirated software torrents, such as cracked copies of the Crysis shooter, although other infection avenues are just as open.
