Saraswati Ransomware Removal Guide

Do you know what Saraswati Ransomware is?

If your computer has been infected with Saraswati Ransomware and you are looking for ways to remove it, then you have come to the right website. This infection is set to encrypt your precious files and demand that you pay a ransom to its developers to get your files back. Unfortunately, there is no way to decrypt the files without the decryption key held by the developers. Moreover, there is no assurance that you will get this key even if you pay the ransom. Therefore, we advise you to delete it using our instructions, but before we get to that, please read this short description that will give you more information about this nasty infection.

We are almost certain that Saraswati Ransomware was developed by cyber criminals based in India because Saraswati is the name of the Hindu goddess of knowledge, music, arts, wisdom, and learning. This becomes more apparent when you see the image of Saraswati on your desktop, because this ransomware is configured to change your wallpaper to draw your attention. Even though this ransomware was created in India, it interacts with its victims in English. Therefore, it can be said that Saraswati Ransomware was created with the intention of distributing it around the globe.

However, its distribution methods remain elusive. Our malware researchers have found unconfirmed information that it is being distributed using Adobe Flash and Java exploits, in which case it would have to be hosted on specific websites. However, we do not rule out the possibility of it being sent as an attachment to a fraudulent email — a favorite tactic of the cyber criminals. Also, it might be found on piracy websites that host software keygens and cracks. In short, how Saraswati Ransomware is distributed is still anyone’s guess, but we doubt that its developers have come up with something innovative, which is a good thing because you can avoid getting it.

If this ransomware has entered your computer, then it could have dropped its main executable file in C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, C:\Users\User name\AppData\Roaming or C:\WINDOWS\System32. In most cases, its executable file is named saraswati.exe, but the name can be randomized as well, which makes manual detection a bit tricky. The executable should be 114688 bytes in size and its MD5 hash is 67f54ddc01178bb5878fe14a567813fc; this information will help you identify the executable even if it has been renamed. In addition to this file, Saraswati Ransomware also creates two files named How to decrypt your files.txt and How to decrypt your files.jpg that contain instructions on how to pay the ransom. However, they are uninformative: How to decrypt your files.txt, for example, only contains text saying “To decrypt your data write me to mahasaraswati@india.com.” If you write to the cyber criminals, then they will reply with a ready-made text that, in addition to other things, states:

We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection. We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk. All your files are encrypted and can not be accepted back without our professional help.

The cyber criminals even offer you tech support if you are not tech-savvy. The text explains how to buy Bitcoins (BTC) because they want you to pay 3 BTC, which is 1412 USD; if you delay the payment, then the ransom will increase to 5 BTC, which is 2354 USD. That is a lot of money to pay, and you may be tempted to do so if highly important information of yours has been encrypted.

Furthermore, this ransomware will create an entry in the Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. This key should contain a randomly named value whose data points to the executable in one of the three directories mentioned above (e.g. C:\WINDOWS\System32\saraswati.exe). Also, it will modify the Wallpaper value under HKEY_CURRENT_USER\Control Panel\Desktop, which controls your desktop’s wallpaper; its data should be a path such as C:\Users\user\How to decrypt your files.jpg. You need to delete all of these files and registry entries to eradicate this ransomware in its entirety.
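The artifacts described in the two paragraphs above (the dropped executable with its stated size and MD5, the two note files, the Run entry and the Wallpaper value) can be checked in one pass. The following PowerShell script is an added example, not part of the original guide and not from any tool it recommends; it only reports what it finds and deletes nothing. It assumes the indicators quoted above and the drop directories named in the text, and it scans every profile under C:\Users rather than only the current user, which goes a little beyond the single-user paths the guide gives.

```powershell
# Added example (not from the original guide): read-only triage for the Saraswati
# indicators described above. Reports matches; does not delete or modify anything.
# The size and MD5 below are the values stated in the guide; everything else is an assumption.

$KnownMd5  = '67F54DDC01178BB5878FE14A567813FC'
$KnownSize = 114688
$NoteFiles = @('How to decrypt your files.txt', 'How to decrypt your files.jpg')

# Candidate drop locations from the guide, expanded for every user profile on the machine.
$Dirs = @("$env:SystemRoot\System32")
foreach ($profile in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $Dirs += Join-Path $profile.FullName 'AppData\Roaming'
    $Dirs += Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $Dirs += $profile.FullName   # the wallpaper path in the guide points at the profile root
}

$Findings = @()

foreach ($dir in $Dirs) {
    # 1. Executables matching the published size and hash. The name may be randomized,
    #    so filter on size first (cheap) and hash only the candidates that remain.
    $candidates = Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
                  Where-Object { $_.Length -eq $KnownSize }
    foreach ($exe in $candidates) {
        $hash = (Get-FileHash -LiteralPath $exe.FullName -Algorithm MD5).Hash
        if ($hash -eq $KnownMd5) {
            $Findings += [pscustomobject]@{ Type = 'Executable'; Location = $exe.FullName; Detail = "MD5 $hash" }
        }
    }
    # 2. Ransom-note files dropped next to the executable or in the profile root.
    foreach ($note in $NoteFiles) {
        $p = Join-Path $dir $note
        if (Test-Path -LiteralPath $p) {
            $Findings += [pscustomobject]@{ Type = 'RansomNote'; Location = $p; Detail = '' }
        }
    }
}

# 3. Run-key persistence: any value whose data names saraswati.exe or points into AppData\Roaming.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # added by the provider, not registry values
if ($runProps) {
    foreach ($prop in $runProps.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $data = [string]$prop.Value
        if ($data -match 'saraswati\.exe' -or $data -match '\\AppData\\Roaming\\') {
            $Findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$runKey\$($prop.Name)"; Detail = $data }
        }
    }
}

# 4. Wallpaper value replaced with the ransom-note image (current user only).
$wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and $wp -like '*How to decrypt your files.jpg') {
    $Findings += [pscustomobject]@{ Type = 'Wallpaper'; Location = 'HKCU:\Control Panel\Desktop\Wallpaper'; Detail = $wp }
}

if ($Findings.Count -eq 0) { 'No Saraswati indicators found.' } else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell so that System32 and other users' profiles are readable. A Run entry that merely points into AppData\Roaming can belong to legitimate software, so treat that category as a list to review rather than as a confirmed hit; the size-plus-MD5 match on the executable is the strong indicator. The Wallpaper check only covers the user running the script, since HKCU is per user.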

If you want to remove this ransomware manually, then please follow the instructions created by our malware analysts at the end of this description. However, if you experience problems, then we suggest using our recommended antimalware program, which you can download from our website. In closing, we want to stress that the cyber criminals might not keep their word and may not give you the decryption key, because you cannot trust people who want to extort money from you.

How to delete this ransomware

  1. Press Windows+E keys.
  2. Enter each of the following directories in the address bar.
    • C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    • C:\Users\{user name}\AppData\Roaming
    • C:\WINDOWS\System32
  3. Find Saraswati.exe and delete it.
  4. Then, enter C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  5. Find and delete How to decrypt your files.jpg and How to decrypt your files.txt

Delete the registry keys

  1. Press Windows+R keys.
  2. Type regedit in the box and click OK.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Find the randomly named value whose data is a path such as C:\WINDOWS\System32\saraswati.exe
  5. Then, go to HKEY_CURRENT_USER\Control Panel\Desktop
  6. Find the Wallpaper value with data C:\Users\user\How to decrypt your files.jpg and delete it.

In non-techie terms:

Saraswati Ransomware can encrypt your personal files and demand that you pay a ransom for the decryption key to get them back. However, the criminals might not give you the key after you have paid, so we do not recommend doing so. It uses an advanced encryption method, so trying to decrypt your files with third-party software is useless. Therefore, you should consider deleting it using our instructions or our recommended antimalware tool.