Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • Slow internet connection
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Mahasaraswati Ransomware

Mahasaraswati Ransomware is one of the newest ransomware infections that might break in your computer. It will be immediately clear to you if you encounter a ransomware infection because it will be impossible to access files. Every time you try to open them you will be instructed to contact cyber criminals by the given email for further information. Do not waste your time on doing that because it is clear that you will be asked to pay money for unlocking files. Believe us; the sum will be large. We understand that users who keep very valuable files might want to transfer money to cyber criminals; however, it is better not to do that. We say so because we know that many similar threats simply seek to extort money but are not going to do anything else in return. Unfortunately, the cipher used by Mahasaraswati Ransomware is quite strong, and it will not be a piece of cake to unlock those files. It is also evident that this infection will lock all of your new files again unless you get rid of it. Therefore, we believe that you should consider removing Mahasaraswati Ransomware. Of course, it will take effort to make it disappear, but it is definitely worth doing that.

It seems that Mahasaraswati Ransomware does not differ much from other ransomware infections the way it acts and is spread. Specialists believe that this infection is mainly spread through spam emails like other existing threats, e.g. Nemucod Ransomware, Zcrypt Ransomware, and JohnyCryptor Ransomware. Theoretically, it might find other ways to sneak onto computers as well. The first symptom that your PC is not protected enough is a different background picture. The threat will set its own picture containing an Indian goddess and the explanation: “Keep calm my friend. All your data is encrypted. To get the key write on email”. You probably understand now why this ransomware infection was given such a strange name Mahasaraswati Ransomware. In fact, this threat will not only change the background, but will also create the .txt file (How to decrypt your files.txt) with instructions. The document will not say much – “To decrypt your data write me to” You can try to contact cyber criminals; however, we are sure that you will be asked to pay a large sum of money to gain access to files again.

You should get the answer from cyber criminals soon. We believe that they send the same answer to all users:

Good morning, dear friend!

We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection.

We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk.

All your files are encrypted and can not be accepted back without our professional help.

As can be seen, cyber criminals try to convince users that vulnerabilities were found on the system, and they need to pay for “high-grade and quick service” to fix everything. At the time of writing, cyber criminals seek to get 3 Bitcoins (approximately $1 433). It is also said that this has to be done quickly if a user does not want to pay 5 (approximately $2 400) instead of 3 Bitcoins. Unfortunately, the lower price is valid for one day only.

This ransomware infection will add the user’s unique ID and {}.xtbl to each of the encrypted files, so you will see that the threat has locked basically all the most important files, including pictures, documents, music, etc. We can feel your pain; however, we still do not agree that transferring the required amount of money is a clever step. It is because, most probably, cyber criminals will not unlock any of your files, but they will definitely take your money. Specialists say that the free decryption tool that could help you does not exist yet; however, after the removal of Mahasaraswati Ransomware, you will be allowed to restore files if you have their copies. Unfortunately, the majority of users do not have their files backed up and they cannot do anything, which proves again how it is important to have copies of all the major files.

Mahasaraswati Ransomware is not a simple piece of software, so you should not expect to remove it from the system easily. It has been observed that this threat will also block setups of legitimate antimalware tools, e.g. SpyHunter, so you will need to delete Mahasaraswati Ransomware manually first. Specialists at know that there are many users who struggle to do that, so they have prepared the step by step instructions. You are welcome to use them but do not forget that you will have to take care of other threats that might be installed on the system separately, for example, you can scan the system with the antimalware scanner SpyHunter and all the threats will be gone.

Delete Mahasaraswati Ransomware

  1. Launch RUN (Tap Win + R and enter regedit.exe).
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  3. Find the Value with the Value data C:\WINDOWS\System32\{random}.exe or C:\WINDOWS\System32\Saraswati.exe.
  4. Right-click on it and select Delete.
  5. Move to HKEY_CURRENT_USER\Control Panel\Desktop.
  6. Find the Value Wallpaper and delete it.
  7. Close the Registry Editor and open the Windows Explorer (Win + E).
  8. Go to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
  9. Delete the following files:
  • Saraswati.exe (might have a random name too)
  • How to decrypt your files.jpg
  • How to decrypt your files.txt
Download Spyware Removal Tool to Remove* Mahasaraswati Ransomware
  • Quick & tested solution for Mahasaraswati Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.