Mahasaraswati Ransomware Removal Guide

Do you know what Mahasaraswati Ransomware is?

Mahasaraswati Ransomware is an infection that is also known by another name, Saraswati Ransomware. This threat might use an image of a Hindu goddess, but it is no less malicious than other ransomware infections out there. Before it can start the malicious processes its creator intended, it first has to be distributed successfully. Although many ransomware creators use software bundles, fake advertising, and other methods of distribution, our research shows that most of them employ spam email attacks. The infection is downloaded onto the computer as a document, photo, or other interesting file, and it is executed once you open this file. Needless to say, users do not realize they are letting in malware because its execution is silent. If you do not realize that malware has slithered in right there and then, your personal files will be encrypted, and the removal of Mahasaraswati Ransomware will become extremely complicated.

When Mahasaraswati Ransomware encrypts your files, it attaches an extension that helps you identify which files were affected. This extension is “.id-[ID number].{mahasaraswati@india.com}.xtbl”, and it includes an ID number that identifies you. Every victim has a unique ID, and this is a sign that the creators of this ransomware have the means of decrypting your files. Unfortunately, that does not mean that they will, because, after all, they are cyber crooks, and they put their efforts into making money, not saving Windows users. Speaking of the decryption of your files, these cyber crooks will demand a ransom payment, but the demand is not stated in the “How to decrypt your files.txt” file that is created. This text file simply points to the email address (mahasaraswati@india.com) that you supposedly need to contact. The same address is also shown in a desktop notification that appears after the encryption of your files is successfully completed. Although the note suggests that contacting this address is enough to decrypt your files, what you will actually receive is instructions on how to do that, and, of course, a demand for money. According to our research, users are asked to pay 3 Bitcoins, which is an incredibly large sum of money (around 1586 USD).

The strange thing about Mahasaraswati Ransomware is that it is capable of encrypting .exe files. Although it is unlikely that it will encrypt system files, it can corrupt your browsers, anti-malware software, media players, and various other tools. This is meant to further push you into paying the huge ransom, and it could be used to prevent you from deleting it. Of course, if your anti-malware software got encrypted, it means that it was not up to date enough to detect this ransomware, and software in that state is useless. Unfortunately, the corrupted browsers are also an obstacle that can stop you from downloading new, reliable anti-malware software. The good news is that you can still launch the installer of an anti-malware tool after you transfer it from a healthy system. Download the installer there and use a flash drive to transfer it onto the infected computer. Automatic removal is the best method because it also guarantees full-time protection and the elimination of all active threats. If you want to proceed manually, here are the instructions.

Remove Mahasaraswati Ransomware

Delete the point of execution

  1. Launch RUN by tapping Win+R keys.
  2. Enter regedit.exe into the Open box and click OK.
  3. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\.
  4. Click Run and locate the list of available values on the right.
  5. Right-click and Delete the value with a random name, such as gjyowqqo (check the value data to see which directory the malicious file is located in, and delete it as well).
  6. Move to HKEY_CURRENT_USER\Control Panel\Desktop.
  7. Right-click and Delete the Wallpaper value.

Erase the files

  1. Launch Explorer by tapping Win+E keys.
  2. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ into the address bar (if you are on Windows XP, enter %ALLUSERSPROFILE%\Start Menu\Programs).
  3. Right-click and Delete these files:
    • Saraswati.exe
    • How to decrypt your files.jpg
    • How to decrypt your files.txt
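
Before deleting anything by hand, it helps to list what is actually present in the locations named in the two procedures above. The PowerShell script below is an added example, not part of the original guide: it is read-only, it uses only the registry paths, file names, and extension given on this page, and the Authenticode signature column is an added hint that the guide itself does not mention.

```powershell
# Read-only triage for the locations named in the manual removal steps.
# Nothing is deleted or modified; review the output before removing anything.

# 1. Values under the HKLM Run key, with the file each one launches.
$runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runReport = foreach ($name in $runKey.GetValueNames()) {
    $data = [string]$runKey.GetValue($name)
    # Take the quoted path if there is one, otherwise the first token.
    # An unquoted path containing spaces is cut short; read Data as well.
    $target = $null
    if ($data -match '^\s*"([^"]+)"') { $target = $Matches[1] }
    elseif ($data -match '^\s*(\S+)') { $target = $Matches[1] }
    if ($target) { $target = [Environment]::ExpandEnvironmentVariables($target) }
    $exists = [bool]($target -and (Test-Path -LiteralPath $target -PathType Leaf))
    [pscustomobject]@{
        Name      = $name
        Data      = $data
        Target    = $target
        Exists    = $exists
        # Signature status is an added hint, not a check from the guide.
        Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'n/a' }
    }
}
$runReport | Format-List

# 2. The Wallpaper value that the guide tells you to delete.
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue
"Wallpaper value: $($desktop.Wallpaper)"

# 3. The three files the guide lists in the Startup folder.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$names = 'Saraswati.exe', 'How to decrypt your files.jpg', 'How to decrypt your files.txt'
foreach ($n in $names) {
    $state = if (Test-Path -LiteralPath (Join-Path $startup $n)) { 'PRESENT' } else { 'not found' }
    '{0,-32} {1}' -f $n, $state
}

# 4. Count files in the user profile that carry the ransomware extension.
$pattern = '\.id-.+\.\{mahasaraswati@india\.com\}\.xtbl$'
$hits = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.xtbl' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern }
"Files with the ransomware extension under the profile: $(@($hits).Count)"
```

A Run value with a random-looking name whose target sits in a user-writable directory is the candidate for step 5 of the first procedure; note its target path before deleting the value so the file can be removed too.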

In non-techie terms:

Mahasaraswati Ransomware is a threat that must be handled with caution. If you erase this infection with all of its files, it is unlikely that you will have the option to decrypt your files afterward. This is not something you need to worry about if your files are backed up. Instead, worry about the removal of the ransomware. If you cannot handle the manual removal, install anti-malware software. The latter option is much more beneficial, and you should consider it thoroughly. You must keep in mind that your Windows operating system is extremely vulnerable, and all kinds of malicious threats could invade it without your knowledge. If you wish to prevent this from happening, you must reinforce your system’s security, and we advise doing so with the help of trustworthy anti-malware software.