11/05/2016
18:20

Saraswati CryptoEncoder ransomware from India to encrypt and rename all you files!


This new variant of the CryptoEncoder family takes its name from the Indian goddess Saraswati. Encrypted files will have the extension changed to .id-????????.{mahasaraswati@india.com}.xtbl.

TG Soft's Research Centre (C.R.A.M.) has acknowledged a new variant of the CryptoEncoder ransomware family which displays images of the Indian goddess Saraswati.

This cryptomalware encrypts document files (such as .txt, .doc, .ppt, .mdb, .xls, etc) and .exe files alike, and renamed them adding the extension:
.id-????????.{mahasaraswati@india.com}.xtbl
where ???????? is the hexadecimal victim's identification code.

In order to have the files decrypted, one must send a request via email to: mahasaraswati@india{dot}com.
 

INDICE

==> How Saraswati CryptoEncoder works
 
==> The ransom demanded by Saraswati CryptoEncoder

==> How to stay safe from Saraswati CryptoEncoder

==> How to minimize Saraswati CryptoEncoder damage

==> Can I recover the encrypted files?

==> Final thoughts

 

How Saraswati CryptoEncoder works

The means of distribution of the Trojan.Win32.CryptoEncoder Saraswati are unknown, probably it is spread via tainted websites whose vulnerabilites in Java, Adobe Flash Player and Adobe Reader have been exploited.

Trojan.Win32.CryptoEncoder Saraswati comes in the form of an executable file, called saraswati.exe, which is copied inside the user's roaming folder: %user%\appdata\roaming\:
  • FILENAME: saraswati.exe
  • SIZE: 114688 byte
  • MD5: 67f54ddc01178bb5878fe14a567813fc
Name of the project file found inside the cryptomalware: C:\crysis\Release\PDB\payload.pdb


The Saraswati CryptoEncoder encrypts document files (such as .doc, .xls. .ppt, .jpg, etc) and binary files (such as .exe, .dll, etc) alike, and adds to their name the extension:
".id-????????.{mahasaraswati@india.com}.xtbl".


Trojan.Win32.CryptoEncoder Saraswati autostarts itself adding the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[lttmrsuc] = %windir%\System32\Saraswati.exe


Istructions about how to pay the ransom are also automatically run after logging in:
%user%\Start Menu\Programs\Startup\Saraswati.exe
%user%
\Start Menu\Programs\Startup\How to decrypt your files.jpg
%user%
\Start Menu\Programs\Startup\How to decrypt your files.txt

On the user's desktop the following file is copied:
%user%\Desktop\How to decrypt your files.txt

On the user's folder the following file is copied:
%user%\How to decrypt your files.jpg

Back to top

The ransom demanded by Saraswati CryptoEncoder

In order to know the details about the ransom, one must send an email to mahasaraswati@india{dot}com, as stated in the instruction files.

At the end of the encryption process, the Saraswati CryptoEncoder creates two instruction files with the details on how to pay the ransom where it operated:
  • How to decrypt your files.txt
  • How to decrypt your files.jpg


To decrypt your data write me to mahasaraswati@india.com



We wrote an email to said address and the following is their reply.

Good morning, dear friend!

We are writing to inform you that our team of network security specialists has analyzed your system and has identified vulnerabilities in the protection.
We kindly draw your attention that defensive operation on your computer is not running properly and now the whole database is at risk.
All your files are encrypted and can not be accepted back without our professional help.
Obviously vulnerability analysis, troubleshooting, decoding the information and then ensuring safety are not a simple matter.
And so our high-grade and quick service is not free.

Please note that today the price of your files recovery is 3 Bitcoins, but next day it will cost 5 Bitcoins.
You should buy bitcoins here https://localbitcoins.com/faq
Read the paragraphs:
1. How to buy Bitcoins?
2. How do I send Bitcoins and how can I pay with Bitcoins after buying them?

The Bitcoin wallet for payment is 1DGMeKSALSkYGkedYDUgcvV8mP77WEGusQ
After the transfer of bitcoins please send email with screenshot of the payment page.
We does not advise you to lose time, because the price will encrese with each passing day.
As proof of our desire and readiness to help you, we can decipher a few of your files for test.
To check this you can upload any encrypted file on web site dropmefiles.com, size no more than 10 MB (only text file or a photo) and send us a download link.
Certainly after payment we guarantee prompt solution of the problem, decrypt the database to return to its former condition and consultation how to secure the rules of the system safety.

Kind regards, Saraswati.

Back to top

How to stay safe from Saraswati CryptoEncoder

The current version of Vir.IT eXplorer PRO's Anti-Ransomware (the heuristic-behavioural automaton) can already halt Saraswati CryptoEncoder in the early stages of the encryption.

It has been stated stated in our previous bulletins that Vir.IT eXplorer PRO's Anti-CryptoMalware module was able to stop these attacks saving up to 99.63% of files, allowing a complete recovery of encrypted files thanks to backup technologies, namely:
  • On-The-Fly Backup;
  • Vir.IT BackUp.
This only occurs if Vir.IT eXplorer PRO is:
  • correctly INSTALLED;
  • UP-TO-DATE;
  • properly CONFIGURED - Anti-Crypto Malware technology has to be active in the Settings tab of Vir.IT Security Monitor (it is active by default); plus Vir.IT BackUp has to be configured and running.
Back to top

How to minimize Saraswati CryptoEncoder damage

When the Alert shown in the picture pops up on the screen, Vir.IT eXplorer PRO's Anti-CryptoMalware module has come into action, halting the malware. Do not panic, do not close the alert and perform these operations:

  1. Make sure that Vir.IT eXplorer PRO is UP-TO-DATE and if not proceed to UPDATE it.
  2. UNPLUG ETHERNET and/or EVERY NETWORK CABLE - by doing this, the computer will be phisically isolated from the network, thus containing the attack inside just one machine.
  3. PERFORM a FULL SCAN using Vir.IT eXplorer PRO.
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER in order to avoid further encryption.
    In case of cryptomalware attack you should get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an email to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.
Anti-CryptoMalware protection
Show the picture fullscreen

99,63%*

Mean percentage of files protected from encryption thanks to Vir.IT eXplorer PRO


Can I recover the encrypted files?

With the Anti-CryptoMalware protection given by VirIT, the files encrypted by Saraswati CryptoEncoder rarely will exceed eight units.

Lost files will have to be replaced with backup copies. One can also try some existing tools to recover the encrypted files with the extension
.id-????????.{mahasaraswati@india.com}.xtbl.

In the analysis carried out by the Research Centre, shadow copies could not be recovered since they had been deleted by the ransomware.

Back to top

Final thoughts

In the eventuality of an ecryption, you could either:
  1. have Vir.IT eXplorer PRO installed, correctly set up, up-to-date and running on your pc - in this case, you must follow the instructions on the Alertmessage and you will manage to save AT LEAST 99.63% of your data;
  2. have a AntiVirus software that doesn't detect, signal and halt the ongoing encryption - in this case you still may want to
    • UNPLUG EVERY NETWORK CABLE.
    • LEAVE YOUR COMPUTER TURNED OFF in order to minimize the number or encrypted files.
    • Get in touch with a trusted technician support telling the criticity of the situation; you can also refer to this bulletin.
In the case #1, where thanks to Vir.IT eXplorer PRO and its Anti-Ransomware technologies you are almost totally sure to save up to 100% of your data from encryption, we strongly invite you to get in touch with TG Soft tech support.
In the case #2, we can only invite you to stay calm and seek for trusted tech support and consider buying a Vir.IT eXplorer PRO licence in order to prevent these attacks.

TG Soft
Anti-Malware Research Centre
 
Back to top
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: