Saraswati Ransomware Removal Guide

Ransomware is one of the most dangerous mainstream malware out there, and its number is growing by the day. In this article, we will discuss Saraswati Ransomware, a new ransomware that can encrypt your files and you will not be able to access them as a result. Its owners demand that you pay a ransom in exchange for a decryption key that is necessary to decrypt the files. This ransomware uses a strong encryption cipher, so it is next to impossible to decrypt using third-party tools. However, if you opt to pay the ransom, then get ready to pay a hefty sum. However, we want to stress that you might not receive the decryption key because the cyber crooks might not send it to you at all, so you so you should consider getting rid of this ransomware.

It is somewhat amusing that the cyber crooks responsible for creating this ransomware have the audacity to claim in the ransom note that “We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection” as if they had nothing to do with your computer becoming vulnerable in the first place. Since Saraswati Ransomware has been released only recently, so we do not know too much about its distribution methods. We believe that it might be featured on compromised websites that feature Java or Adobe Flash vulnerabilities. Thus, your computer might become infected with this ransomware as a result of interacting with Java or Flash-based content.

When this malware enters a computer, it scans it for files of interest, particularly those that contain valuable personal information, such as .doc, .xls. .ppt, and .jpg. Nevertheless, it also scans for software-related files such as .exe and .dll in order to corrupt certain applications and prevent them from running. When it encrypts a file, it adds the .id-B4500913.{mahasaraswati@india.com}.xtbl, but take note that the ID number varies. After the encryption is complete, it changes the desktop wallpaper to an image depicting the Indian goddess Saraswati. This wallpaper also features text that says “Keep calm my friend. All your data is encrypted. To get the key write on email mahasarawasti@india{.}com” Given that the cyber crooks have a liking for Indian culture, we assume that they originate from India and thought it would be nice to represent their cultural symbol in this way.

In any case, at first, the cybercrooks do not state how to get the decryption key, but if you contact them via the provided email, then you will get a reply that contains further instructions on what to do next. We think that they send the same email to each victim, so it should say “Please note that today the price of your files recovery is 3 Bitcoins, but next day it will cost 5 Bitcoins.” So their “recovery” services are not free, and that is not surprising knowing that they are the ones that got your files encrypted in the first place. 3 BTC in May of 2016 are 1412.73 USD, and 5 BTC are 2354.55 USD. These are quite substantial sums of money, so paying for the decryption key that you might not get is risky. Of course, the cyber crooks state that if you send them a small encrypted file, they will send you it back decrypted, but we do not recommend that you try this.

Now let us get technical. Our analysis has revealed that Saraswati Ransomware consists of only one executable file. Its file name is saraswati.exe, and it should be 114688 bytes in size. This file can be dropped in C:\Users\{user name}\AppData\Roaming, C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup or C:\WINDOWS\System32. Additional files include How to decrypt your files.jpg and How to decrypt your files.txt that are placed on the desktop and C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Saraswati Ransomware creates a registry key (key location is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It contains a random value key "gjyowqqo" and its value data is C:\WINDOWS\System32\random.exe or Saraswati.exe) that launches its executable on system startup. Also, it creates a registry key at HKEY_CURRENT_USER\Control Panel\Desktop to modify the Wallpaper string to be set from C:\Users\user\How to decrypt your files.jpg on system startup. Furthermore, the instructions on how to pay the ransom are run from %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Saraswati.exe, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\How to decrypt your files.jpg, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\How to decrypt your files.txt. You have to delete all of these files and registry keys to restore your computer’s security.

In closing, Saraswati Ransomware is a dangerous infection that is set to encrypt your personal files and demand that you pay a ransom in exchange for the decryption key. However, the cyber crooks ask for an outrageous sum of money, and we think that they might not give it to you even if you pay. Therefore, we suggest that you remove this infection using our manual removal instructions or our featured anti-malware tool called SpyHunter. As stated above, some files are named randomly, so detecting them on your own may be a difficult task. Still, if you want to attempt to delete the files manually, then please consult the instructions below.

Delete Saraswati Ransomware manually

1. Simultaneously press Windows+E keys.
2. In the Explorer window’s address bar enter the following directories.
   • C:\Users\{user name}\AppData\Roaming
   • C:\WINDOWS\System32
   • C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
3. Locate Saraswati.exe (but the executable can be named randomly) and delete it.
4. Also, you should go to C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and delete How to decrypt your files.jpg and How to decrypt your files.txt

Delete Saraswati Ransomware’s registry key

1. Simultaneously press Windows+R keys.
2. Type regedit in the box and click OK.
3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. Find the randomly named string (e.g. gjyowqqo, lttmrsuc) containing Value data such as C:\WINDOWS\System32\Saraswati.exe (directory may vary.)
5. Then, go to HKEY_CURRENT_USER\Control Panel\Desktop
6. Find the string Wallpaper with Value data C:\Users\user\How to decrypt your files.jpg
7. Delete the Value data.