Danger level 7
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Connects to the internet without permission
  • System crashes
  • Slow Computer

Saraswati Ransomware

The first sign of the Saraswati Ransomware is an image that appears on your desktop stating that your data was encrypted and that further information can be provided after you contact mahasaraswati@india.com. Needless to say, cyber criminals are behind this email address, and your interaction with them can do two things. First of all, you will be given further instructions that involve paying a huge ransom. Second, you will disclose your personal email address, which could be recorded and used for scams in the future. According to our research, this infection successfully encrypts personal files, such as .doc, .ppt, and .jpg files, as well as binary files, which include executables and dynamic link library files. Unfortunately, it is likely that the only way to restore the encrypted files is to follow the demands of cyber criminals, but that is the last thing you should resort to. Continue reading to learn more about the situation, as well as the removal of Saraswati Ransomware.

The entrance of Saraswati Ransomware is very unpredictable. It is most likely that this devious infection will be spread via file-sharing websites or via corrupted spam email attachments. It could also be downloaded onto your computer by existing Trojans, in which case, you have more problems than you think. As soon as this threat is installed, it uses one of the encryption algorithms to encrypt certain files. Ransomware infections are set up to look at certain directories and encrypt files of certain types. Obviously, this threat primarily targets files that are important to you. Considering that not all users back up their files, cyber criminals are successful at pushing them into paying ransoms once their files are encrypted. The problem is that ransomware is unpredictable, and we have seen plenty of examples where files were not decrypted after the payments were made. Do you want to lose your money without a reason? Of course, you do not, which is why you have to take some time to weigh all of your options.

The files that Saraswati Ransomware silently encrypts are given a unique, highly noticeable extension, .id-{number}.{mahasaraswati@india.com}.xtbl. The {number} part in this extension is unique for every user as it reveals a personal identification number. 2016calendar.id-{A1234567}.{mahasaraswati@india.com}.xtbl is an example of a file encrypted by this malicious ransomware. Besides encrypting your files, this infection also creates its own files in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ directory as well as on the Desktop. “How to decrypt your files.txt” and “How to decrypt your files.jpg” are the files that are created on the Desktop. Needless to say, the latter file represents the image notification, and the TXT file represents a text file that further pushes you to contact the email address. If you do that, you are likely to receive an email informing you that system vulnerabilities were found. Cyber criminals might proceed to present themselves as “security specialists” who supposedly are kind enough to help you if you pay a ransom of 3 Bitcoins. If you do not know this already, 3 BTC translates to around 1425 USD. What is more, you might be informed that the sum would increase if you did not make the payment within the first day.
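To judge how much data was affected before deciding what to do, the file-name format described above can be used to inventory the encrypted files. The following PowerShell is an added example, not part of the original article; the function names are hypothetical, and treating the braces in the extension as optional is an assumption about how the name appears on disk.

```powershell
# Added example: read-only inventory of files carrying the extension the
# article describes. Nothing is modified or deleted.

# Format from the article: <name>.id-{number}.{mahasaraswati@india.com}.xtbl
# Assumption: braces may or may not be literal on disk, so they are optional.
$Pattern = '^(?<orig>.+)\.id-\{?(?<id>[0-9A-Za-z]+)\}?\.\{?mahasaraswati@india\.com\}?\.xtbl$'

function ConvertFrom-XtblName {
    # Splits an encrypted file name into the original name and the victim ID.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match $Pattern) {
        [pscustomobject]@{ Original = $Matches['orig']; VictimId = $Matches['id'] }
    }
}

function Get-XtblInventory {
    # Walks a directory tree and returns one record per encrypted file.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.xtbl' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-XtblName -Name $_.Name
            if ($parsed) {
                [pscustomobject]@{
                    Directory = $_.DirectoryName
                    Original  = $parsed.Original
                    VictimId  = $parsed.VictimId
                    LastWrite = $_.LastWriteTime   # approximate time of encryption
                    Bytes     = $_.Length
                }
            }
        }
}

# The article's own sample name parses to Original=2016calendar, VictimId=A1234567.
ConvertFrom-XtblName -Name '2016calendar.id-{A1234567}.{mahasaraswati@india.com}.xtbl'

$hits = @(Get-XtblInventory)
'{0} encrypted file(s); victim ID(s): {1}' -f $hits.Count,
    (($hits.VictimId | Sort-Object -Unique) -join ', ')

# Directories hit hardest, then the earliest write time seen.
$hits | Group-Object Directory | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
$hits | Sort-Object LastWrite | Select-Object -First 1 LastWrite, Directory, Original
```

Comparing the Original column against a backup listing shows which files can be restored without the attackers.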

You need to install anti-malware software to erase the threats active on your computer, but you cannot do that if the files of your browsers got encrypted. Fortunately, you can easily transfer the installer of a reliable malware remover from a healthy computer. If you are not interested in automatic removal, and you are looking into manual removal, we have created a guide below that shows which registry values and files you need to erase from your Windows operating system. Needless to say, you should download anti-malware software even if you successfully delete Saraswati Ransomware because you want to erase all other threats as well. As mentioned previously, malware could be responsible for downloading the ransomware itself, in which case, you must eliminate the remaining threats as well. Furthermore, only reliable anti-malware software can ensure that malicious threats do not attack you in the future. Unfortunately, most users do not rush to erase this threat because it has a hold over their personal files. If your files are backed up, erase the ransomware ASAP. If you are thinking about paying the ransom, exhaust all other options first.

Saraswati Ransomware Removal

  1. Simultaneously tap Win+R to launch RUN.
  2. Enter regedit.exe to launch Registry Editor.
  3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Right-click and Delete the value with a random name whose value data includes the directory of the malicious files (e.g., C:\WINDOWS\System32\{random}.exe or Saraswati.exe).
  5. Navigate to HKEY_CURRENT_USER\Control Panel\Desktop.
  6. Right-click and Delete the value named Wallpaper (value data C:\Users\user\How to decrypt your files.jpg).
  7. Simultaneously tap Win+E to launch Explorer.
  8. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ into the address bar.
  9. Delete these files: Saraswati.exe, How to decrypt your files.jpg, How to decrypt your files.txt.
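Before deleting anything by hand, it helps to list exactly what steps 3-9 would remove and to record a hash of each dropped file. The PowerShell below is an added example, not part of the original guide; it only reports. The function names are hypothetical, and the signature check on System32 executables is a heuristic assumption, not a rule from the article.

```powershell
# Added example: report, but do not delete, the artifacts named in steps 3-9.
$NoteNames = 'How to decrypt your files.jpg', 'How to decrypt your files.txt'
$DropNames = @('Saraswati.exe') + $NoteNames

function Get-SuspectRunValue {   # steps 3-4
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if (-not $data) { continue }
        # Pull the executable path out of the command line, quoted or not.
        $exe = if ($data -match '^\s*"([^"]+)"') { $Matches[1] }
               elseif ($data -match '^\s*(.+?\.exe)') { $Matches[1] }
               else { $data }
        $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                   (Get-AuthenticodeSignature -LiteralPath $exe).Status
               } else { 'FileMissing' }
        # Heuristic (assumption): the binary named in the article, or an
        # executable directly in System32 without a valid signature.
        $inSys32 = (Split-Path -Parent $exe) -ieq (Join-Path $env:windir 'System32')
        $suspect = ($data -match 'Saraswati\.exe') -or ($inSys32 -and "$sig" -ne 'Valid')
        [pscustomobject]@{ Name = $name; Data = $data; Signature = $sig; Suspect = $suspect }
    }
}

function Get-WallpaperCheck {    # steps 5-6
    $wp = (Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -Name Wallpaper `
              -ErrorAction SilentlyContinue).Wallpaper
    $isNote = [bool]($wp -and ((Split-Path -Leaf $wp) -ieq $NoteNames[0]))
    [pscustomobject]@{ Wallpaper = $wp; IsRansomNote = $isNote }
}

function Get-DroppedFile {       # steps 8-9, plus the Desktop copies
    $dirs = @((Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
              ([Environment]::GetFolderPath('Desktop')))
    Get-ChildItem -LiteralPath $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { $DropNames -contains $_.Name } |
        ForEach-Object {
            # Hash first so the sample can still be identified after deletion.
            [pscustomobject]@{ Path = $_.FullName
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
        }
}

Get-SuspectRunValue | Where-Object { $_.Suspect } | Format-List
Get-WallpaperCheck  | Format-List
Get-DroppedFile     | Format-List
```

Review the flagged Run values manually before deleting them, since a legitimate entry can lack a signature that the check recognizes.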