Remove MafiaWare Ransomware File Virus (.Locked-by-Mafia Extension)

How to Remove MafiaWare Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

Your files has been encrypted by depsex
Pay $155 to my bitcoin address [redacted]
And send the proof to my email dompetpresiden@gmail.com


MafiaWare is the rather intriguing name given to the latest member of the ransomware family. The MafiaWare tool is a newly discovered cyber menace. But though it bears a new name, it’s an old threat in new packaging. The infection’s programming is standard. It acts the same way as all other tools of its type. It follows the simple rules: Invade. Corrupt. Extort. It’s simple, and it works. Many users fall into the ransomware trap. And, even worse, many of those users play its games. They choose to participate in a game that’s set up for them to fail. Understand this. When faced with ransomware, you face a lose-lose situation. These threats are designed to exploit you any way they can. They’re set up by cyber extortionists. Don’t think they have your best interests at heart. These are malicious strangers with wicked agendas. They will bleed you dry, and double-cross you in the end. So, do yourself a favor, and follow experts’ advice. Do not play the game the ransomware sets up. We say again: Don’t participate. Don’t comply. To only lose your files is the best-case scenario. You face much worse ones if you attempt to play the rigged game. Heed experts, and make the tough but wise choice to forsake your files. It’s difficult to say goodbye to all your data, but it’s the right thing to do.

How did I get infected?

The MafiaWare infection sneaks into your system via deception. It uses every known trick in the book to get you to allow it in. Yes, you allow it into your computer. But don’t be too hard on yourself. You don’t realize it at the time. Confused? Let’s explain. Ransomware tools need the user’s okay to enter a system. They have to ask for it, and receive it before they enter. In other words, they seek your consent on installation. And, if you don’t give it, no admission. Most online threats follow that same pattern. And they turn to the old but gold methods of infiltration for help. Freeware, spam email attachments, fake updates, corrupted links. These are the most common means of invasion malware uses to sneak in undetected. Ransomware is no different. Odds are, you got stuck with MafiaWare because you were careless when installing a tool or update. That’s why caution is crucial. If you wish to keep an infection-free PC, always choose caution over carelessness. One leads to cyber threats, the other helps to avoid them. Always take the time to read the terms and conditions. And, never underestimate the power of due diligence. It goes a long way, and can save you countless troubles.

Why is MafiaWare dangerous?

MafiaWare is a spin-off of the Hidden Tear infection. It’s an updated version, based on that ransomware. And, that’s common practice with these infections. The newer ones use the old ones, let’s say, for ‘inspiration.’ That’s why the majority of ransomware are so alike. They, pretty much, share the same programming. They sneak into your system undetected. And, when they do, they strike. They encrypt everything. MafiaWare uses AES cryptography to lock every file you keep on your PC. Pictures, documents, videos, music. All of it falls under its grip. You no longer have control of your data. The infection appends a special extension at the end of files, to further solidify its grasp. Say you have a picture called ‘summer.jpg.’ Well, once MafiaWare has its way, you find it as ‘summer.jpg.Locked-by-Mafia.’ And, that’s it. With the extension in place, you cannot access anything. Moving or renaming files does nothing. The only way to free them of the encryption is via a key. And, you’ve guessed it! That key costs you. The MafiaWare ransomware leaves you a ransom note. It’s a READ_ME.txt file you find on your Desktop, as well as in each affected folder containing encrypted data. It’s a straightforward note that explains your predicament. It states your system got attacked by ransomware, and gives you a way out. In a nutshell, pay up to free your files, or don’t and lose them. It may seem like a simple choice but it’s not. If you pay the ransom, you lose your privacy. Think about it. If you transfer the requested $155 in Bitcoin, you provide private details. You leave your personal and financial information for the infection to find. And, what then? Cyber extortionists have your private life at their disposal. That’s not something you’d want. Not to mention that even if you comply in full, you can still lose your data. You have no guarantees that payment earns you the proper response.
Do you honestly believe cyber criminals will keep their word and honor their promises? Do you expect those extortionists to follow through on their end of the bargain? After you pay up, they can choose not to send you the decryption key. Or send you the wrong one. And, even if you get the right one, what if the ransomware strikes again two hours later? Yes, the decryption key does not remove the infection, only the encryption. MafiaWare remains. Whichever way you look at it, you lose. You see that now, don’t you? So, do yourself a favor. Don’t get wrapped up playing a game you’re set up to lose. Data is not the only thing on the table. It’s the lesser of two evils, so figure out your priorities, and act accordingly. Would you rather lose your files, or your privacy and maybe even your files as well? Don’t take such risks.

MafiaWare Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover MafiaWare Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Keep in mind that this is usually a randomly generated file.
  • Before you kill the process, type the name in a text document for later reference.

  • Locate any suspicious processes associated with MafiaWare encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Keep in mind that the process can be hidden and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate MafiaWare encryption Virus startup location

  • Once the operating system loads, press the Windows Logo Button and the R key simultaneously.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display Name: [RANDOM]

  • Then open your explorer, navigate to your %appdata% folder and delete the executable.

Alternatively, you can use the Windows msconfig program to double-check the execution point of the virus. Please keep in mind that the names on your machine might be different, as they might be generated randomly. That’s why you should run a professional scanner to identify malicious files.
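
The check in STEP 3 can also be done read-only from PowerShell before anything is deleted. The script below is an added example, not part of the original instructions; the function name Get-RunKeyEntry is hypothetical. It lists every value in the three Run keys named above and flags entries whose executable sits under %appdata% or does not carry a valid signature.

```powershell
# Added example: read-only audit of the Run keys listed in STEP 3. Nothing is modified.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntry {
    param([string[]]$Path = $runKeys)
    foreach ($key in $Path) {
        # The Wow6432Node key does not exist on x86 systems
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Expand %APPDATA%-style variables that may be stored in the value
            $command = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            # Executable path: quoted path if present, else text up to ".exe", else first token
            $exe = ($command -split '\s+')[0]
            if ($command -match '^\s*"([^"]+)"') {
                $exe = $Matches[1]
            } elseif ($command -match '^\s*(.+?\.exe)\b') {
                $exe = $Matches[1]
            }
            $signature = 'FileMissing'
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $signature = (Get-AuthenticodeSignature -LiteralPath $exe).Status
            }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Exe       = $exe
                InAppData = $exe.StartsWith($env:APPDATA, [StringComparison]::OrdinalIgnoreCase)
                Signature = $signature
                Command   = $command
            }
        }
    }
}

# Entries under %appdata% sort first; review these against the process name noted in STEP 1
Get-RunKeyEntry | Sort-Object InAppData -Descending |
    Format-Table Name, InAppData, Signature, Exe -AutoSize
```

An entry that is both under %appdata% and unsigned deserves a closer look, but legitimate software also starts from there, so compare it with the process name written down in STEP 1 before deleting anything.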

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.
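
Before restoring from backup or running recovery software, it helps to know exactly which folders were hit. The script below is an added example, not part of the original instructions; the function name Get-MafiaWareImpact and the output file name are hypothetical. It relies only on the two markers described on this page, the .Locked-by-Mafia extension and the READ_ME.txt note, and reads the disk without changing it.

```powershell
# Added example: inventory of encrypted files per folder, using the markers described above.
function Get-MafiaWareImpact {
    param([Parameter(Mandatory)][string]$Root)

    $suffix = '.Locked-by-Mafia'   # extension appended by the ransomware, per this page

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) } |
        Group-Object DirectoryName |
        ForEach-Object {
            $folder = $_.Name
            $files  = $_.Group
            # Strip the appended extension to recover the original file names
            $originals = $files | ForEach-Object {
                $_.Name.Substring(0, $_.Name.Length - $suffix.Length)
            }
            # The newest write time approximates when encryption reached this folder
            $latest = ($files | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
            [pscustomobject]@{
                Folder        = $folder
                LockedFiles   = $files.Count
                NotePresent   = Test-Path -LiteralPath (Join-Path $folder 'READ_ME.txt')
                LastEncrypted = $latest
                OriginalNames = ($originals -join '; ')
            }
        }
}

# Scan the current user's profile and save the list to compare against the backup
Get-MafiaWareImpact -Root $env:USERPROFILE |
    Sort-Object LockedFiles -Descending |
    Export-Csv -Path "$env:TEMP\mafiaware-impact.csv" -NoTypeInformation
```

The LastEncrypted column gives a rough time window for the attack, which helps pick a backup or shadow copy taken before it.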
