Foop ransomware (Removal Instructions) - Bonus: Decryption Steps
Foop virus Removal Guide
What is Foop ransomware?
Foop ransomware – the 213th version of the devastating Djvu virus
Foop ransomware is a file locking virus that mostly spreads via software cracks
Foop ransomware is file locking malware that was first spotted attacking users in the first half of March 2020.[1] It locks pictures, databases, music, videos, documents, and other data with the help of a sophisticated RSA encryption algorithm[2] and appends the .foop extension to each file. Users are informed via the ransom note _readme.txt that they need to pay a $490/$980 ransom in Bitcoin in order to unlock their data.
Foop ransomware belongs to one of the most prominent malware families that target home users – Djvu/STOP. The attackers continually use software cracks to distribute the threat and infect hundreds of victims daily around the world. Unfortunately, the malware uses a unique key per victim in most cases, so recovering data without paying crooks is almost impossible. Luckily, victims whose data was encrypted with an offline ID can decrypt .foop virus files with the help of the decryptor tool from Emsisoft. You should not rush to contact the hackers via the provided emails (helpdatarestore@firemail.cc, helpmanager@mail.ch) before at least trying to recover the data by using other methods.
Name | Foop ransomware |
Type | File locking virus, cryptomalware |
Family | Malware stems from the notorious Djvu/STOP ransomware family |
Cipher | While older Djvu variants used AES, all versions released after August 2019 use a secure RSA cipher |
File extension | All personal files located on the infected computer are appended with .foop extension; file example: picture.jpg.foop |
Ransom note | _readme.txt is dropped into every folder where the locked files are located, as well as the desktop |
Contact | helpdatarestore@firemail.cc and helpmanager@mail.ch |
Ransom size | Threat actors ask for $490 in BTC. If the ransom is not paid within the first 72 hours after infection, the sum doubles to $980 |
File recovery | If the data was encrypted with an online key, retrieving data without backups or paying criminals is almost impossible, although some users might be lucky when using alternative methods we provide below. In case malware used offline ID, there is a high chance that Emsisoft's decryptor can be successful in data recovery |
Malware removal | The only secure way to terminate the infection is to scan the system with a reliable anti-malware software – we recommend SpyHunter 5Combo Cleaner or Malwarebytes |
System fix | Ransomware can sometimes negatively affect Windows system files – it can cause program crashes, lag, random reboots, etc. If you are suffering from these stability issues after you get rid of the infection, fix virus damage with repair tool FortectIntego |
Unlike the authors of many other file locking viruses, the authors of Foop ransomware mainly distribute it through pirated program installers and software cracks/keygens that they upload to torrent and similar unsafe sites. While this intrusion can be stopped by being careful, most up-to-date anti-malware solutions could save victims from getting infected in the first place. It is important to note that Foop ransomware removal will not return files to their pre-infection state – this is the trait that makes it so devastating.
Prior to August 2019, Foop virus authors used a different encryption method that was not as secure and could sometimes be deciphered with tools like STOPDecrypter. Nevertheless, to prevent victims from recovering their data for free, threat actors improved their encryption algorithm, making the decryption tool useless. Luckily, security experts from Emsisoft managed to create a new decryptor that worked on the first 148 variants.
Files locked by the Djvu/STOP versions that use RSA keys can no longer be decrypted, although victims who were lucky enough that the malware used an offline ID (the C&C server[3] was down, or the internet connection was unstable) still have a chance at free recovery with another tool from Emsisoft.
If nothing works, the only way is to copy the encrypted files over to an external drive or a cloud server, remove Foop ransomware from the infected machine, and then attempt the alternative data recovery methods we provide below.
Foop ransomware is a type of malware that uses a sophisticated encryption algorithm to lock all data on the infected machine and then asks for ransom for its redemption possibility
Foop ransomware can not only render your files useless but also infect you with other malware
Foop virus targets computers running Windows exclusively, and attacks both 32-bit and 64-bit operating systems, expanding the target audience even more. Typically, the main executable (which can be named anything, e.g., update.exe or 8d7c.tmp.exe) is placed into the %AppData% or %Temp% folder, where it starts the infection routine.
At this point, Foop ransomware will disable Windows functions that would help users recover their files by deleting Shadow Volume Copies. Additionally, the malware will modify the registry to establish persistence, attempt to establish a connection via HTTP requests, etc.
Foop ransomware can also include underlying traits that may not be that apparent for regular users straight away. Based on previous encounters, security researchers managed to find multiple different features of this malware:
- Foop file virus may insert modules into Google Chrome, Mozilla Firefox, or MS Edge to steal sensitive information typed by victims. This data can later be sold on the dark web for profit.
- The malware might deliver secondary payloads – previous variants have been spotted delivering the AZORult banking Trojan to the infected machine.[4]
- It can modify Windows “hosts” file in order to prevent users from accessing security-related websites that could aid victims with recovery and Foop ransomware removal process.
After the necessary preparations are complete, Foop ransomware will begin the file encryption process during which users will be shown a fake Windows update pop-up. This method decreases the chances that victims would interrupt the encryption process after noticing that their computer resources are being used to their maximum capacity.
Finally, malware will drop the _readme.txt file that provides relevant information to victims. It reads:
ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-7m8Wr997Sf
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
helpdatarestore@firemail.cc
Reserve e-mail address to contact us:
helpmanager@mail.ch
Your personal ID:
Offering the “discount” and the “test decryption” is typical for malicious actors, as they are trying to make users believe that they can be trusted. Please be aware that Foop virus authors infected your machine without your permission and are performing cybercriminal activity, which is punishable by law. Trusting these people is gambling your money – if you decide to pay, be aware that you can get scammed and be left without a Foop ransomware decryptor, as well as your precious files.
If you had backups, you shouldn't worry too much – simply get rid of Foop ransomware by scanning your machine with anti-malware software, fix virus damage with tools like FortectIntego and then copy the data over.
In case Foop ransomware used an offline ID to lock your files, you most likely will be able to recover them with the help of Emsisoft's decryption tool
Stay away from pirated software – it is not only illegal but can also cost you your files
Most of the Djvu ransomware victims tend not to talk about how they got infected with file-locking malware. Those users typically ignore cybersecurity experts' advice and rely on software cracks, pirated program installers, cheats, and similar unsafe executables to acquire paid applications for free. However, most know that this activity is illegal and even punishable by law.
It is also important to note that unsafe websites that store such content are often riddled with malware, including ransomware. Some infection methods might not be as evident, however, as downloading and double-clicking the .exe file is not the only way to bring ransomware to the computer. For example, compromised sites might also host malicious ads based on JavaScript, which is launched automatically. If the system holds a web browser or another application that is not fully patched (has software vulnerabilities), the malware is downloaded and installed in the background without user interaction.
Of course, it is worth mentioning that malicious actors are always looking for new methods in order to expand their campaigns, so staying away from software cracks is not enough – you should also employ powerful anti-malware software, prepare backups regularly, not open spam email attachments, use strong passwords, enable ad-block, patch software on time, and overall be more cautious when browsing online.
Eliminate Foop ransomware correctly
Most probably, there are hardly any users who get infected with this or another ransomware repeatedly – mostly because the first encounter shows them how devastating this type of malware can be. As we previously mentioned, Foop ransomware removal will not bring your files back – these two processes are independent of one another and should not be treated as one.
Thus, before you eliminate the Foop file virus, you should backup all the encrypted files (this is necessary if you have no working backups), or otherwise, they might become permanently corrupted, and even a working decryptor will not be able to help you. Then, scan your machine with powerful anti-malware software to eliminate all the malicious files, as well as secondary payloads that may be located on your machine.
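One way to carry out the backup step above, as an added example that is not part of the original guide: it copies only the .foop files and _readme.txt notes (never executables) to another location, verifies each copy by SHA-256, and writes a manifest so the backup can be re-checked later. The function names, the manifest.json layout and the sample tree are assumptions made for illustration.

```python
import hashlib
import json
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".foop"    # extension this page attributes to the variant
RANSOM_NOTE = "_readme.txt"   # ransom note name given on this page


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def backup_encrypted(source_root, backup_root):
    """Copy *.foop files and ransom notes to backup_root; originals are only read."""
    source_root, backup_root = Path(source_root).resolve(), Path(backup_root).resolve()
    if backup_root == source_root or source_root in backup_root.parents:
        raise ValueError("backup_root must lie outside source_root")
    backup_root.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(p for p in source_root.rglob("*") if p.is_file()):
        is_note = src.name == RANSOM_NOTE
        if not (is_note or src.name.lower().endswith(ENCRYPTED_SUFFIX)):
            continue
        rel = src.relative_to(source_root)
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        digest = sha256_of(src)
        if sha256_of(dst) != digest:          # catch a bad copy before cleanup starts
            raise OSError(f"copy of {rel} differs from the original")
        manifest.append({"path": rel.as_posix(), "sha256": digest,
                         "kind": "note" if is_note else "encrypted"})
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_root):
    """Re-hash the backup later; return manifest paths that are missing or altered."""
    root = Path(backup_root)
    manifest = json.loads((root / "manifest.json").read_text())
    return [e["path"] for e in manifest
            if not (root / e["path"]).is_file() or sha256_of(root / e["path"]) != e["sha256"]]


def build_sample_tree(root):
    """Constructed stand-in for an affected folder; contents are dummy bytes."""
    files = {"Pictures/picture.jpg.foop": b"dummy-1", "Pictures/_readme.txt": b"note",
             "report.docx.foop": b"dummy-2", "untouched.txt": b"plain"}
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return Path(root)
```

Run backup_encrypted() against the affected folder with an external drive as the destination, and call verify_backup() on that drive before relying on the copy.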
Note, after you remove Foop ransomware, you should also access the following location on your machine and delete the “hosts” file in order to access security-related websites without restrictions:
- C:\Windows\System32\drivers\etc\
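As an alternative to deleting the file blindly, the added example below (not part of the original guide) lists the active hosts entries that block or redirect a name and comments them out for review. The .example hostnames, the sample file and the function names are constructed for illustration; a stock Windows hosts file contains only comment lines.

```python
import ipaddress

# Names a hosts file may legitimately point at loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample; the .example names are placeholders, not real indicators.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1   localhost
::1         localhost
0.0.0.0     av-vendor.example www.av-vendor.example
127.0.0.1   forum.security-help.example   # inline comment
203.0.113.7 update.av-vendor.example
not-an-ip   something.example
"""


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each active entry to review."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()    # drop comments, then tokenise
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if ip.is_loopback and name in LOCAL_NAMES:
                continue                         # normal local mapping
            if ip.is_loopback or ip.is_unspecified:
                reason = "blocked"               # name can no longer be reached
            else:
                reason = "redirected"            # name forced to a fixed address
            findings.append((line_no, str(ip), name, reason))
    return findings


def quarantine_entries(text):
    """Comment out every flagged line instead of deleting the whole file."""
    flagged = {finding[0] for finding in audit_hosts(text)}
    out = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        out.append("# REVIEW " + raw if line_no in flagged else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```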
Getting rid of Foop virus. Follow these steps
Manual removal using Safe Mode
If Foop ransomware prevents your security software from performing a scan, access Safe Mode with Networking:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Foop using System Restore
System Restore may be useful when trying to get rid of the computer infection:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, type cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of Foop. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove Foop from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by Foop, you can use several methods to restore them:
Data Recovery Pro method may be beneficial
Data Recovery Pro might be able to help you if you did not use your computer much after the infection occurred – the program may be able to extract at least some of your files from your hard drive.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Foop ransomware;
- Restore them.
Make use of Windows Previous versions feature
This method can only be functional if the malware failed to get rid of Shadow Volume Copies from your system for some reason.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer is another useful tool that may be able to help you decrypt files
Just as in the previous case, if Foop ransomware failed to delete automated backups, ShadowExplorer should have no troubles when recovering all your encrypted files.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Make use of Emsisoft's decryption tool
Djvu ransomware is known to sometimes fail to contact its remote server and encrypt data with an offline key. If any of the victims pays the ransom, this key can be used for all the victims affected by the same variant. Thus, if Emsisoft's decryptor does not work even though an offline ID was used to lock your files, you will have to wait until security researchers add the key for the Foop variant.
Additionally, you may also ask Dr.Web for help – the vendor offers decryption service for some file types, although it is not free.
Finally, you should always think about protection against crypto-ransomware. To protect your computer from Foop and other ransomware, use reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
[1] #STOP #Djvu #Ransomware w/ extension ".foop" (v0213). Twitter. Social Network.
[2] RSA (cryptosystem). Wikipedia. The free encyclopedia.
[3] Command and Control [C&C] Server. Trend Micro. Security blog.
[4] David Bisson. STOP Ransomware Variant Installing Azorult Infostealer. Tripwire. The State of Security.