Booa ransomware (Virus Removal Instructions) - Decryption Methods Included

by Olivia Morelli - - 2020-12-15 | Type: Ransomware

Booa virus Removal Guide

Description Quick solution Instructions Prevention

What is Booa ransomware?

Booa ransomware – a file-locking computer virus that tries to extort cryptocurrency for a decryption tool

Booa ransomware Booa ransomware is a data-locking computer infection that asks for $980/$490 in return for a decryption tool

Booa ransomware is a cryptovirus that encrypts all files on a victim's computer as soon as it infects it and demands a ransom for a tool that would supposedly unlock the data. This file-locking parasite derives from the Djvu ransomware family, and as all of its members, for instance, Nobu, Igdm, Weui, and others, it encrypts only personal data and leaves the system files untouched.

During the encryption, the virus appends all personal victim files, such as documents, archives, backups, pictures, etc., with .booa extension, thus making them inaccessible until some sort of a decryption tool is used to unlock them. All of the latest Djvu family members use a secure RSA-2048^[1] coding algorithm to lock the files (despite this, a limited number of victims who have their data locked with an offline ID have a chance to decrypt it successfully with Emsisoft's decryption tool).

As soon as the virus is done with the first part of its bidding, it creates ransom notes, named _readme.txt, and places them in every folder that contains locked files so that the victim of the cyberattack would find the messages from the perpetrators literally wherever they look.

One more similarity between all of the cryptoviruses from this lineage is that the cybercriminals' contact emails rarely changes. The creators of the .Booa virus would like to be contacted via either of these two emails – helpmanager@mail.ch and restoremanager@airmail.cc.

Name	Booa ransomware, .booa file virus
type	Ransomware, cryptovirus
Family	Djvu ransomware
Appended file extension	.booa extension is appended to all non-system files on an infected computer
Ransom note	_readme.txt are created and spread all over the infected device
Ransom amount	The regular price for the decryption tool is $980, but if victims contact the criminals within 72 hours of the attack, a 50% discount is offered, lowering the price to $490
Criminal contact Details	Cybercriminals provide two emails to reach them – helpmanager@mail.ch and restoremanager@airmail.cc.
Virus removal	The elimination should be done with reliable anti-malware software to make sure that the virus and all its components are completely eliminated
System health	Powerful system repair tools like the FortectIntego app should be used to correct any discrepancies that the cryptovirus might have done to the system settings

Practically all ransomware creates some sort of ransom notes. Some change the desktop wallpaper, some generate pop-up windows. Within these notes, the cybercriminals state their demands and instruction for the victims. The same goes for Booa ransomware virus ransom notes.

The perpetrators start by stating that all personal files on the infected computer were encrypted and that the only way to unlock them is by purchasing a decryption tool from the assailants. In most cases, that might be true, but keep reading to find out alternative decryption methods.

To convince the victims that the necessary tool really exists, the Booa virus creators offer to send them one encrypted file from the infected device, and they would decrypt it for free. Furthermore, they are providing a link to the victims so that they could see the decryption tool in action with their own eyes.

To put it in simple terms, the cybercriminals are trying their best to prove to their victims that their locked data decryption is possible, and they would really send the necessary tools, although it will cost them. The original ransom amount is $980, but if the victims are quick and contact the assailants within 72 hours of the cyberattack, then the criminals would apply a 50% discount to the ransom, lowering the price to $490.

Booa ransomware is a variant of a well-established family known as Djvu

Usually, the last part of ransom notes consists of threats not to rename the encrypted files or use any third-party description software because that could make the data irretrievable. Developers of this ransomware don't threaten their victims. They just provide them with an appointed unique user ID and two email addresses to establish contact.

We always advise our readers not to contact the criminals as that may lead to a lose-lose situation where the victims lose their data and their hard-earned money. Instead, victims of this cyber attack should concentrate on Booa ransomware removal and look for other ways to recover their files.

We recommend using trustworthy anti-malware software like SpyHunter 5Combo Cleaner or Malwarebytes to automatically remove Booa virus with all of its pieces from the infected devices. Reliable anti-virus application is a must these days because of thousands of various computer viruses are lurking on the internet.

As soon as the virus is eliminated, we suggest using a system repair tool like the FortectIntego app to perform a full system scan and restore any damage that the cryptovirus might have wreaked to the system settings, such as the system registry and its files.

Cybercriminals send this message to their victims with the Booa file virus ransom note:

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-EtT4dX8q3X
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

Most common method Djvu ransomware distribution method and how to avoid it

Ransomware is one of the most devastating computer infections in the wild, as its file encryption function might result in a complete personal file loss – it's a nightmare for the owners of the infected devices. While there are many different ways that cybercriminals can use to deliver malware to the victims, this strain is usually picking a single distribution method.

Our research suggests that Djvu family ransomware is mainly spread using file-sharing platforms, and to be even more specific – torrent websites that host pirated program installers and software cracks. Cybercriminals upload their creations named as popular game cracks^[2], fake licensed software, and alike.

When a user decides to download such a torrent, the ransomware payload file is downloaded with it, and the encryption of the device starts within minutes. So please refrain from using such sites no matter how tempting some torrents might be. Support software developers by purchasing their products directly from them.

.booa virus files recovery is likely to be difficult without backups

Users are often shocked after realizing that all the data on their computer is inaccessible after a ransomware infection. Most of those infected never had to deal with crypto-malware before, so there are plenty of misconceptions about this threat, operation, and data recovery process. This is why many victims believe that they can recover .booa files as soon as they eliminate the malware from the system, although this couldn't be further from the truth – files will remain locked even after this process is performed successfully.

Your best chance to restore .booa virus files without any difficulties is by using backups. Unfortunately, not many regular users use this essential practice, putting themselves into a very difficult situation once ransomware manages to break into their computers. Luckily, there might be a few other methods that could help some victims to restore at least some of their data.

Once malware performs the encryption process, it attempts to contact a remote server, which would automatically assign a unique user ID, which can later be used for the decryption process. Djvu variants are known to fail this process due to C&C servers being offline. In such a case, the malware uses a static ID, otherwise known as an offline ID, to lock all files on the system, which means that it is identical for all the users affected by this positive failure.

Using this flaw, security experts from Emsisoft managed to create a decryption tool that could help victims whose files were locked with an offline key. Therefore, you should definitely check the tool out – we provide the download links and all the relevant information below.

Other methods to recover .booa virus files are:

Using third-party data recovery software;
Using built-in Windows recovery tools, if they were not deleted by malware.

Keep in mind that the above-mentioned options have a low chance of success, but you should try them regardless. Paying criminals is never a good choice, although some victims might nothing else left. Having backups would solve all the problems, so make sure you prepare those as often as possible. Note that you should copy all the .booa virus files before attempting the recovery.

Once Booa ransomware encrypts files, the recovery without backups becomes very difficult

Guidelines for the Booa virus removal and system health check

All malware, including Booa virus, has to be deleted immediately. The best way to do it is with the help of dependable anti-malware software like Malwarebytes or SpyHunter 5Combo Cleaner. That way, the users can be sure that the cryptovirus and all of its elements are really gone. Note that you should copy all the important files if no backups are available to you before you use anti-malware software.

Unfortunately, Booa ransomware removal won't decrypt your files. But in no way should that stop you from eliminating it. There are other data recovery options (read our suggestions at the bottom of this article), so if you didn't keep backups, then copy all essential encrypted files to offline storage and wait for a decryption tool to be made available to the public.

Djvu family ransomware is known for making changes in the system registry and other key system settings, that, for example, wouldn't let its victims visit any cybersecurity type websites. So once you remove Booa ransomware, experts^[3] recommend performing a system tune-up with the FortectIntego or any other powerful system repair tool to undo all the changes.

Additionally, you should also navigate to the C:\Windows\System32\drivers\etc\ location on your machine and delete a file named “hosts,” as access to security-related websites will remain restricted otherwise. Windows will automatically recreate a new file, and you will be able to navigate to all the security-related websites once again.

Offer

do it now!

Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee

Compatible with Microsoft Windows Compatible with macOS

What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.

Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.

Download SpyHunter 5 Review »

Malwarebytes

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Download Combo Cleaner Review »

Getting rid of Booa virus. Follow these steps

Manual removal using Safe Mode

If the infection can't be removed in normal Windows mode, try doing it in Safe Mode with Networking

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment.

Windows 7 / Vista / XP

Click Start > Shutdown > Restart > OK.
When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

Right-click on Start button and select Settings.
Scroll down to pick Update & Security.
On the left side of the window, pick Recovery.
Now scroll down to find Advanced Startup section.
Click Restart now.
Select Troubleshoot.
Go to Advanced options.
Select Startup Settings.
Press Restart.
Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Click on More details.
Scroll down to Background processes section, and look for anything suspicious.
Right-click and select Open file location.
Go back to the process, right-click and pick End Task.
Delete the contents of the malicious folder.

Step 3. Check program Startup

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Go to Startup tab.
Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

Type in Disk Cleanup in Windows search and press Enter.
Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
Scroll through the Files to delete list and select the following:

Temporary Internet Files
Downloads
Recycle Bin
Temporary files
Pick Clean up system files.
You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

After you are finished, reboot the PC in normal mode.

Remove Booa using System Restore

Using System Restore to eliminate the threat

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Booa. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Booa removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Booa from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Booa, you can use several methods to restore them:

Recover your data

Data Recovery Pro – a viable option for file recovery

This app might be able to recover .booa virus files.

Download Data Recovery Pro;
Follow the steps of Data Recovery Setup and install the program on your computer;
Launch it and scan your computer for files encrypted by Booa ransomware;
Restore them.

Using Windows Previous Version feature to restore data

With this Windows function, users might be able to bring back files to their previous versions.

Find an encrypted file you need to restore and right-click on it;
Select “Properties” and go to “Previous versions” tab;
Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Explorer could help recover old data

Shadow Explorer recovers data from Shadow Volume Copies. If the cryptovirus didn't delete them, then this app might be able to help with file recovery.

Download Shadow Explorer (http://shadowexplorer.com/);
Follow a Shadow Explorer Setup Wizard and install this application on your computer;
Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Possible decryption method

A company called Emisoft is trying to ease the burden of cyberattack victims by offering them a free decryption tool. Since this cryptovirus is brand new the decryption tool might not work, but you can still download it and give it a go. If it doesn't work get back to us as we update our readers with all the latest news.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Booa and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author

Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References

^ RSA (cryptosystem). Wikipedia. The free encyclopedia.
^ Georgina Torbet. 5 Security Reasons Not to Download Cracked Software. Makeuseof. Modern tech guide.
^ Losvirus. Losvirus. Spyware and security news.