Magician RSWware - How to remove

Magician RSWware is the newest Hidden based crypto-malware. Like the other Kypton, ScammerLocker and Sorry ransomware, it uses open source code and encrypts files, then asks the victim for a 0.033 BTC (approx. $234) ransom to restore the locked files.


What is interesting about the Magician RSWware crypto-virus is that, unlike other unacknowledged threats, it drew a lot of interest from cyber police, because its Bitcoin wallet address is related to ‘Silkroad’, the darknet market for drugs, weapons and other illegal items and services, which was seized by the FBI in 2016. Despite all the interest from cybersecurity specialists, there is still no decryption tool available, but the 2-viruses.com team might help with that if you continue reading.

How to recognize the Magician RSWware

According to virustotal.com, Magician is a truly dangerous virus that more than half of the trusted virus detection tools recognize as a malicious threat. The first identification sign of this crypto-extortionist is the ‘x1609y.exe’ file running on the victim’s system.

Unfortunately, even if you have very sophisticated antivirus software, you will notice the Magician virus only after its setup has finished. That means the ransomware will secretly run its processes in the background, searching for files it can lock and copying itself into the registry, and you won’t know about it. After the infection is complete, the Magician parasite presents itself in a ‘README.txt’ text file left on the desktop, with the majority of files locked and marked with an extension.

The ransom ‘README.txt’ note says:

Feel the Wrath of the Magician
Now make me rich!
Send 0.033 BTC to 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
Use any service for sending the bitcoin
Also, please email me after you have completed payment with your bitcoin address: [email protected]

Other than that, the infected computer should work properly, unless other viruses came along with this ransomware. Then you won’t only be unable to access the encrypted documents, pictures, etc., but your system will also run slowly and crash, and you might experience a lot of intrusive ads, pop-ups, random installations, etc.
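
A quick check for the signs described above, as an added example that is not from the original article. The process name and note text are taken from this page; looking in the standard Run keys is an assumption, since the article does not say which registry location is used.

```powershell
# Added example: look for the signs of Magician that this article describes.
$exeName   = 'x1609y'        # process name from the article, without .exe
$noteName  = 'README.txt'    # ransom note file name from the article
$noteMarks = 'Feel the Wrath of the Magician',
             '1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX'   # strings quoted from the note
$findings  = @()

# 1. Is the process running?
foreach ($p in Get-Process -Name $exeName -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Sign = 'Process'; Detail = "PID $($p.Id) $($p.Path)" }
}

# 2. A README.txt on any user's desktop that contains the note text
$desktops = Join-Path $env:SystemDrive 'Users\*\Desktop'
foreach ($f in Get-ChildItem -Path $desktops -Filter $noteName -File -ErrorAction SilentlyContinue) {
    if (Select-String -LiteralPath $f.FullName -Pattern $noteMarks -SimpleMatch -Quiet) {
        $findings += [pscustomobject]@{ Sign = 'Ransom note'; Detail = $f.FullName }
    }
}

# 3. Autostart entries that point at the file (assumed location: the standard Run keys)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($v in $values.PSObject.Properties) {
        # Skip the PSPath/PSParentPath helper properties PowerShell adds
        if ($v.Name -notlike 'PS*' -and "$($v.Value)" -like "*$exeName*") {
            $findings += [pscustomobject]@{ Sign = 'Run key'; Detail = "$key -> $($v.Name) = $($v.Value)" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the signs from the article were found.' }
```

A clean result only means these particular signs are absent; a renamed executable would not be caught by the process or Run key checks.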

What does the Magician do to your computer

Right after getting into your system, Magician has a lot on its plate before it can start asking for a ransom. Once executed, this crypto-ransomware has to copy itself into a secure directory and disable any antivirus and firewall so that the computer’s protection won’t interfere with its further actions. At the same time, Magician infects the registry for persistence, so that it starts every time the system restarts.

Then, as coded, the Magician virus starts scanning for potential target files, usually pictures, documents, audio and video data, while avoiding program files and Windows directories. The reason is that this keeps the system working properly, allows victims to get Bitcoins, and increases the probability of getting a ransom, since the locked files are usually the most precious to the user and easier to blackmail with.

Magician encrypts these files using the Advanced Encryption Standard (https://searchsecurity.techtarget.com/definition/Advanced-Encryption-Standard) and RSA4096 ciphers by taking a certain part of the file’s bytes, shuffling them and using the result to generate a unique decryption key. Once the encryption is finished and the files have been compromised, the Magician crypto-infection drops a text file on the desktop, which is a ransom note asking for money or else the locked files or the decryption key will be deleted forever.

How Magician RSWware distributes

Although Magician is a separate virus, its distribution is the same as for any other ransomware. You can download the virus with your consent or become a victim involuntarily. It can be an accidental click on a redirecting advertisement that initiates the virus download, but also a download of infected software, an unsafe RDP configuration, a fake update, or, most often, a phishing scam.

A ‘phishing scam’ is a fraudulent email that includes infected attachments or hyperlinks to malicious websites, initiating the download of various threats like keyloggers, bots, trojans, backdoors and ransomware like Magician RSWware. Just one click on a link and Magician immediately rushes to your system to make his dark performance and lock your personal files.

How to remove Magician from your PC

Fixing the damage caused by the Magician RSWware ransomware can be really complicated, because viruses of this type don’t just make small changes to the system. On the contrary, they really do encrypt the files using difficult ciphers, some so complicated that there are no decryptors, and some manage to delete the shadow copies of the files they lock. Since ignorance of the law excuses no one, we advise you to read our article on how to protect yourself from further ransomware infection.

So what can you actually do if the Magician malware is already on your computer? We can’t promise that you’ll be able to recover all of your files, but it is better to try than to pay the ransom. Whichever method you choose, make sure to remove Magician RSWware first, before taking any other steps.

In order to remove the crypto-malware completely, the best idea is to use an automatic anti-spyware removal tool. Here is Heimdal on how anti-malware software is different from antivirus. In this case Spyhunter and Malwarebytes would be the most efficient, deleting not only the Magician virus but also any other threat that might have bypassed your PC’s security.

Only after the PC has been fully cleansed of the parasites, when you know that the crooks can’t prevent you from fixing your system or download the same virus back to your computer, can you start working on recovering the encrypted files. If you have backups of the files (it’s pretty rare), you can follow the system restore guide here; otherwise, you should try recovering previous versions of the locked documents, photos and videos from the shadow copies, as we explain below.

Recover the Magician encrypted files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually, Magician RSWware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.


b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
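
The same recovery done from a script, as an added example that is not from the original article: it lists the shadow copies of the drive, exposes each one as a folder, and copies any earlier version of one file into a separate recovery folder (the equivalent of Copy rather than Restore). The file and folder paths are placeholders.

```powershell
# Added example. Run from an elevated PowerShell prompt, after the malware is removed.
$lockedFile  = 'C:\Users\Example\Documents\report.docx'  # placeholder: original path of a locked file
$recoveryDir = 'D:\Recovered'                            # placeholder: folder for recovered versions
$linkRoot    = 'C:\vss_view'                             # placeholder: temporary links to snapshots

$drive    = Split-Path -Path $lockedFile -Qualifier      # e.g. 'C:'
$relative = $lockedFile.Substring($drive.Length)         # path without the drive letter
$volume   = Get-CimInstance Win32_Volume -Filter "DriveLetter = '$drive'"

# Snapshots of that volume, newest first
$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies exist for $drive (the ransomware may have deleted them)."
    return
}

New-Item -ItemType Directory -Path $recoveryDir, $linkRoot -Force | Out-Null

foreach ($s in $shadows) {
    $stamp = $s.InstallDate.ToString('yyyyMMdd-HHmmss')
    $link  = Join-Path $linkRoot $stamp
    # Expose the snapshot as a folder; the trailing backslash on the target is required
    cmd /c mklink /d $link "$($s.DeviceObject)\" | Out-Null
    try {
        $old = "$link$relative"
        if (Test-Path -LiteralPath $old) {
            $name = Split-Path -Path $lockedFile -Leaf
            $dest = Join-Path $recoveryDir ("{0}_{1}" -f $stamp, $name)
            Copy-Item -LiteralPath $old -Destination $dest
            Write-Output "Recovered the version from $($s.InstallDate) to $dest"
        } else {
            Write-Output "Snapshot $stamp does not contain the file"
        }
    } finally {
        cmd /c rmdir $link    # removes only the link, not the snapshot
    }
}
```

Copying to a different drive keeps the encrypted originals untouched in case a decryptor appears later.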


Note: In many cases, it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution, like Carbonite, BackBlaze, CrashPlan or Mozy Home.
