Foop ransomware

Foop ransomware – the 213th version of the devastating Djvu virus

Foop ransomware
Foop ransomware is a file locking virus that mostly spreads via software cracks

Foop ransomware is file locking malware that was first spotted attacking users in the first half of March 2020.[1] It locks pictures, databases, music, videos, images, documents, and other data with the help of a sophisticated RSA encryption algorithm[2] and appends the .foop extension to each file. Users are informed via the ransom note _readme.txt that they need to pay a $490/$980 ransom in Bitcoin in order to unlock their data.

Foop ransomware belongs to one of the most prominent malware families that target home users – Djvu/STOP. The attackers continually use software cracks to distribute the threat and infect hundreds of victims daily around the world. Unfortunately, the malware uses a unique key per victim in most cases, so recovering data without paying crooks is almost impossible. Luckily, victims whose data was encrypted with an offline ID can decrypt .foop virus files with the help of the decryptor tool from Emsisoft. You should not rush to contact hackers via the provided emails ([email protected] and [email protected]) before at least trying to recover the data by using other methods.

Name: Foop ransomware
Type: File locking virus, cryptomalware
Family: Malware stems from the notorious Djvu/STOP ransomware family
Cipher: While older Djvu variants used AES, all versions released after August 2019 use a secure RSA cipher
File extension: All personal files located on the infected computer are appended with the .foop extension; file example: picture.jpg.foop
Ransom note: _readme.txt is dropped into every folder where the locked files are located, as well as the desktop
Contact: [email protected] and [email protected]
Ransom size: Threat actors ask for $490 in BTC. If the ransom is not paid within the first 72 hours after infection, the sum doubles to $980
File recovery: If the data was encrypted with an online key, retrieving data without backups or paying criminals is almost impossible, although some users might be lucky when using the alternative methods we provide below. In case the malware used an offline ID, there is a high chance that Emsisoft’s decryptor can be successful in data recovery
Malware removal: The only secure way to terminate the infection is to scan the system with reliable anti-malware software – we recommend SpyHunter 5, Combo Cleaner or Malwarebytes
System fix: Ransomware can sometimes negatively affect Windows system files – it can cause program crashes, lag, random reboots, etc. If you are suffering from these stability issues after you get rid of the infection, fix virus damage with the repair tool Reimage Reimage Cleaner

Unlike the authors of many other file locking viruses, Foop ransomware authors mainly distribute it through pirated program installers and software cracks/keygens that they upload to torrent and similar unsafe sites. While this intrusion can be stopped by being careful, most up-to-date anti-malware solutions could save victims from getting infected in the first place. It is important to note that Foop ransomware removal will not return files to their pre-infection state – this is the trait that makes it so devastating.

Prior to August 2019, Foop virus authors used a different encryption method that was not as secure and could sometimes be deciphered with tools like STOPDecrypter. Nevertheless, to prevent victims from recovering their data for free, threat actors improved their encryption algorithm, making the decryption tool useless. Luckily, security experts from Emsisoft managed to create a new decryptor that worked on the first 148 variants.

All the Djvu/STOP versions that encrypt with RSA keys can no longer be decrypted, although victims who were lucky enough that the malware used an offline ID (the C&C server[3] was down, or the internet connection was unstable) still have a chance at free recovery with another tool from Emsisoft.

If nothing works, the only way is to copy the encrypted files over to an external drive or a cloud server, remove Foop ransomware from the infected machine, and then attempt the alternative data recovery methods we provide below.

Foop ransomware virus
Foop ransomware is a type of malware that uses a sophisticated encryption algorithm to lock all data on the infected machine and then asks for ransom for its redemption possibility

Foop ransomware can not only render your files useless but also infect you with other malware 

Foop virus targets computers running Windows exclusively, and attacks both 32-bit and 64-bit operating systems, expanding the target audience even more. Typically, the main executable (which can be named anything, e.g., update.exe or 8d7c.tmp.exe) is placed into the %AppData% or %Temp% folder, where it starts the infection routine.

At this point, Foop ransomware will disable Windows functions that would help users to recover their files: it deletes Shadow Volume Copies. Additionally, the malware will modify the registry to establish persistence, attempt to establish a connection via HTTP requests, etc.

Foop ransomware can also include underlying traits that may not be that apparent for regular users straight away. Based on previous encounters, security researchers managed to find multiple different features of this malware:

  • Foop file virus may insert modules into Google Chrome, Mozilla Firefox, or MS Edge to steal sensitive information typed by victims. This data can later be sold on the dark web for profit.
  • The malware might deliver secondary payloads – previous variants have been spotted delivering the AZORult banking Trojan to the infected machine.[4]
  • It can modify Windows “hosts” file in order to prevent users from accessing security-related websites that could aid victims with recovery and Foop ransomware removal process.

After the necessary preparations are complete, Foop ransomware will begin the file encryption process during which users will be shown a fake Windows update pop-up. This method decreases the chances that victims would interrupt the encryption process after noticing that their computer resources are being used to their maximum capacity.

Finally, malware will drop the _readme.txt file that provides relevant information to victims. It reads:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:

Offering the “discount” and the “test decryption” is typical for malicious actors, as they are trying to make users believe that they can be trusted. Please be aware that Foop virus authors infected your machine without your permission and are performing cybercriminal activity, which is punishable by law. Trusting these people is gambling your money – if you decide to pay, be aware that you can get scammed and be left without the Foop ransomware decryptor, as well as your precious files.

If you had backups, you shouldn’t worry too much – simply get rid of Foop ransomware by scanning your machine with anti-malware software, fix virus damage with tools like Reimage Reimage Cleaner and then copy the data over.

Foop ransomware encrypted files
In case Foop ransomware used an offline ID to lock your files, you most likely will be able to recover them with the help of Emsisoft’s decryption tool

Stay away from pirated software – it is not only illegal but can also cost you your files

Most of the Djvu ransomware victims tend not to talk about how they got infected with file-locking malware. Those users typically ignore cybersecurity experts’ advice and rely on software cracks, pirated program installers, cheats, and similar unsafe executables to acquire paid applications for free. However, most know that this activity is illegal and even punishable by law.

It is also important to note that unsafe websites that store such content are often riddled with malware, including ransomware. Some infection methods might not be as evident, however, as downloading and double-clicking the .exe file is not the only way to bring ransomware to the computer. For example, compromised sites might also host malicious ads based on JavaScript, which is launched automatically. If the system holds a web browser or another application that is not fully patched (has software vulnerabilities), the malware is downloaded and installed in the background without user interaction.

Of course, it is worth mentioning that malicious actors are always looking for new methods in order to expand their campaigns, so staying away from software cracks is not enough – you should also employ powerful anti-malware software, prepare backups regularly, not open spam email attachments, use strong passwords, enable ad-block, patch software on time, and overall be more cautious when browsing online.

Eliminate Foop ransomware correctly

Most probably, there are hardly any users who get infected with this or another ransomware repeatedly – mostly because the first encounter shows them how devastating this type of malware can be. As we previously mentioned, Foop ransomware removal will not bring your files back – these two processes are independent of one another and should not be treated as one.

Thus, before you eliminate the Foop file virus, you should back up all the encrypted files (this is necessary if you have no working backups); otherwise, they might become permanently corrupted, and even a working decryptor will not be able to help you. Then, scan your machine with powerful anti-malware software to eliminate all the malicious files, as well as secondary payloads that may be located on your machine.
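The backup step above can be checked rather than trusted. The following is an added example, not part of the original guide: it inventories every .foop file and every _readme.txt note (which carries the personal ID) under a folder, then confirms the copy on the external drive matches byte for byte. The function names and the demo folder layout are assumptions made for illustration.

```python
import hashlib
import os

ENCRYPTED_SUFFIX = ".foop"    # extension named in this guide
RANSOM_NOTE = "_readme.txt"   # ransom note file name named in this guide

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large encrypted files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map relative path -> (size, sha256) for each encrypted file and ransom note."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_SUFFIX) or lowered == RANSOM_NOTE:
                full = os.path.join(folder, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = (os.path.getsize(full), sha256_of(full))
    return manifest

def verify_copy(source_root, backup_root):
    """Return the relative paths that are missing from, or differ in, the backup."""
    original = build_manifest(source_root)
    copied = build_manifest(backup_root)
    return sorted(rel for rel, meta in original.items() if copied.get(rel) != meta)

if __name__ == "__main__":
    import shutil
    import tempfile
    with tempfile.TemporaryDirectory() as work:   # constructed demo tree
        src, dst = os.path.join(work, "pc"), os.path.join(work, "usb")
        os.makedirs(os.path.join(src, "Pictures"))
        with open(os.path.join(src, "Pictures", "picture.jpg.foop"), "wb") as fh:
            fh.write(b"constructed ciphertext")
        shutil.copytree(src, dst)
        print(verify_copy(src, dst))              # empty list: the copy is complete
```

Run the removal scan only once `verify_copy` returns an empty list for the folders you copied.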

Note, after you remove Foop ransomware, you should also access the following location on your machine and delete the “hosts” file in order to access security-related websites without restrictions:

  • C:\Windows\System32\drivers\etc\
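Before deleting the file, it helps to see which entries were added to it. This is an added example, not part of the original guide: it lists hosts entries that pin a non-local name to a loopback or unspecified address, which is how a hosts file blocks access to a website, and produces a copy with only those lines commented out. The sample content and blocked names are constructed placeholders.

```python
import ipaddress

# Names that legitimately point at the local machine in a hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def sinkholed_entries(hosts_text):
    """Return (line_no, address, hostname) for names pinned to a dead address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()    # drop full-line and inline comments
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address.split("%", 1)[0])  # strip IPv6 zone id
        except ValueError:
            continue                             # first field is not an address
        if not (ip.is_loopback or ip.is_unspecified):
            continue                             # ordinary mapping, e.g. a LAN device
        for name in names:
            if name.lower().rstrip(".") not in LOCAL_NAMES:
                findings.append((line_no, address, name.lower()))
    return findings

def cleaned_hosts(hosts_text):
    """Return the file text with flagged lines commented out instead of deleted."""
    flagged = {line_no for line_no, _, _ in sinkholed_entries(hosts_text)}
    lines = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        lines.append("# disabled: " + raw if line_no in flagged else raw)
    return "\n".join(lines) + "\n"

# Constructed sample; the blocked names are placeholders, not real indicators.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-vendor.example www.av-vendor.example   # added entry
0.0.0.0         removal-guides.example
192.168.1.20    nas.home.example
"""

if __name__ == "__main__":
    for line_no, address, name in sinkholed_entries(SAMPLE):
        print(f"line {line_no}: {name} -> {address}")
```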

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers a more thorough scan when you purchase its full version. When the free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove Foop using Safe Mode with Networking

In case the Foop ransomware virus prevents your security software from performing a scan, access Safe Mode with Networking:

  • Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.
  • Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner or another legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Foop removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Foop using System Restore

System Restore may be useful when trying to get rid of the computer infection:

Bonus: Recover your data

The guide presented above is supposed to help you remove Foop from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Foop, you can use several methods to restore them:

Data Recovery Pro method may be beneficial

Data Recovery Pro might be able to help you if you did not use your computer much after the infection occurred – the program may be able to extract at least some of your files from your hard drive.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Foop ransomware;
  • Restore them.

Make use of Windows Previous versions feature

This method can only be functional if the malware failed to get rid of Shadow Volume Copies from your system for some reason.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is another useful tool that may be able to help you decrypt files

Just as in the previous case, if Foop ransomware failed to delete automated backups, ShadowExplorer should have no troubles when recovering all your encrypted files.

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Make use of Emsisoft’s decryption tool

Djvu ransomware is known to sometimes fail to contact its remote server and encrypt data with an offline key. If one of the victims pays the ransom, this key can be used for all the victims affected by the same variant. Thus, if Emsisoft’s decryptor does not work even though an offline ID was used to lock your files, you will have to wait until security researchers add the key for the Foop variant.

Additionally, you may also ask Dr.Web for help – the vendor offers decryption service for some file types, although it is not free.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Foop and other ransomware, use a reputable anti-spyware tool, such as Reimage Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.

This entry was posted on 2020-03-09 at 06:08 and is filed under Ransomware, Viruses.