What is Foop file (.Foop file extension)
.Foop file extension is an extension that is associated with a new variant of dangerous ransomware called STOP (Djvu). Although ‘Foop’ variant was released recently, many users have already encountered a result of its malicious activity. It encrypts files located on the computer, and renames them adding .foop extension to their name. All encrypted files become useless, their contents cannot be read without decryption. The criminals behind this virus demand a ransom in exchange for a unique key and decryptor, which can decrypt the files and restore access to their contents. Fortunately for all victims, a free decryptor is available that can decrypt .foop files. Scroll down to learn more about this decryptor and all ways to recover encrypted files.
Screenshot of files encrypted by Foop virus (‘.foop’ file extension)
What is Foop virus
Foop virus is a new malware that belongs to the STOP ransomware family. It encrypts files using a strong encryption algorithm. The virus uses a long key to encrypt files. This key is unique for each victim, therefore it excludes the possibility of using the same key to decrypt files on different computers. In some cases, when the virus cannot establish a connection to its command server (C&C), it uses the so-called ‘offline key’. This key is the same for all victims. And most importantly, the security researchers have found a way to determine this key.
Foop does not encrypt absolutely all files, as it will cause the computer to stop working. Therefore, it skips and does not encrypt Windows system files as well as files with the name ‘_readme.txt’. All other files on the victim’s computer will be encrypted. It makes no difference where the files are located, on a hard drive or cloud storage. If at the time of the ransomware attack a disk was connected to the computer, then all the files on it can be encrypted. In addition to the fact that Foop virus does not matter where the files are located, it also does not matter what type of files they are. Files of all common types can be encrypted, including the following:
.sie, .iwi, .ai, .vdf, .wpe, .cr2, .wp6, .bc7, .cfr, .jpeg, .xll, .pem, .wbc, .epk, .wp5, .itl, .hvpl, .dxg, .mcmeta, .xlsb, .x3d, .wsc, .xbdoc, .x3f, .wgz, .wot, .dcr, .cdr, .xml, .rb, .wpd, .p7b, .xy3, .das, .wp4, .rtf, .layout, .flv, .wn, .sidd, .rw2, .fsh, .sav, .wbz, .py, .zip, .menu, .ztmp, .dmp, .xwp, .itdb, .x3f, .xdb, .iwd, .sidn, .wp, .wdb, .vtf, .xdl, .wmo, .tor, .xlsm, .zabw, .bkp, .pptx, .wp7, .raw, .bsa, .xlsm, .ptx, .vcf, .zi, .forge, .7z, .1st, .bc6, .qic, .map, .bkf, .slm, .zw, .png, .wpb, .gho, .xyp, .sum, .dazip, .hkdb, .ntl, .rar, .wps, .yal, .kf, .xlgc, .dbf, .gdb, .bar, .desc, .arch00, .bik, .3ds, .vfs0, .wav, .r3d, .crw, .big, .orf, .lvl, .mdbackup, .psd, .indd, .erf, .qdf, .eps, .wm, .pkpass, .1, .cas, .p7c, .3fr, .re4, .wps, .odp, .syncdb, .tax, .svg, .psk, .z3d, .3dm, .vpp_pc, .w3x, .xmmap, .ppt, .wbd, .doc, .der, .lrf, .txt, .sid, .pak, .docm, .blob, .fos, .pst, .sql, .m4a, .rwl, .m3u, .wpd, .zif, .wbk, .xbplate, .csv, .jpg, .wri, .wma, .mlx, .wb2, .wpl, .mp4, .xar, .avi, .wmv, .docx, .t12, .mdf, .xmind, .apk, .wmv, .css, .db0, .vpk, .0, wallet, .zdb, .zip, .m2, .xlsx, .odc, .wmd, .icxs, .odm, .wbmp, .mddata, .y, .mov, .xld, .z, .snx, .mdb, .litemod, .dng, .mrwref, .upk, .nrw, .ff, .sis, .wma, .pef, .js, .xx, .kdc, .dwg, .cer, .ysp, .raf, .2bp, .wotreplay, .webdoc, .bay, .wpw, .hkx, .xxx, .wbm, .zdc
When the process of encrypting the victim’s files is completed, all documents, databases, pictures and other files will be encrypted and thus the contents of these files will be locked. All encrypted files will receive a new name, which consists of their old name and the extension ‘.foop’ added to the right. This means literally the following, if the non-encrypted file had the name ‘document.docx’, then after encryption it will be called ‘document.docx.foop’. Foop virus places files called ‘_readme.txt’ in each folder where there is at least one encrypted file. The contents of such a file are shown in the image below.
Screenshot of the contents of ‘_readme.txt’ file (Foop ransom demand message)
This file contains a message from Foop authors. They inform the victim that the files on the computer were encrypted and offer him to buy a unique key and decryptor. According to them, this is the only way to decrypt files encrypted by the ransomware and thus restore access to their contents. The criminals demand $980 from the victim, but agree to take half the amount if the victim transfers it within 72 hours. Since the attackers understand that no one trusts their words, they offer the victim to decrypt one file for free. The main requirement for this file, it should be small and not contain important information. Nevertheless, all security experts warn victims of Foop virus; successful decryption of one file does not guarantee anything at all. There is no guarantee that payment of the ransom will become a way to decrypt the files encrypted by the ransomware.
Threat Summary
| Name | Foop |
| Type | Filecoder, Crypto virus, Crypto malware, File locker, Ransomware |
| Encrypted files extension | .foop |
| Ransom note | _readme.txt |
| Contact | helpdatarestore@firemail.cc, helpmanager@mail.ch |
| Ransom amount | $980,$490 in Bitcoins |
| Detection Names | Trojan/Win32.MalPe.R328033, Trojan.DownLoader33.12565, Win32/Kryptik.HBTH, Trojan.Win32.Crypt, Trojan-Ransom.Win32.Stop.la, Trojan.Win32.Stop.hekezf, Win32/Trojan.Ransom.304, Trojan.Win32.Z.Wacatac.829952 |
| Symptoms | When you try to open your file, Windows notifies that you do not have permission to open this file. All of your files have a odd file extension appended to the filenames. Files called like ‘_readme.txt’, ‘READ-ME’, ‘_open me’, _DECRYPT YOUR FILES’ or ‘_Your files have been encrypted” in every folder with an encrypted file. Ransom note displayed on your desktop. |
| Distribution methods | Malicious email attachments. Drive-by downloads (ransomware virus is able to infect the PC simply by visiting a webpage that is running malicious code). Social media posts (they can be used to trick users to download malicious software with a built-in ransomware downloader or click a misleading link). Adware. Torrents websites. |
| Removal | Foop virus removal guide |
| Decryption | Free Foop Decryptor |
Criminals do not lie, claiming that encrypted files cannot be decrypted without a key and decryptor. Security researchers confirm the words of the attackers said in the ransom demand message. The contents of the affected files are encrypted. But the files are not fully encrypted, but only the first 154kb of their contents. This can help the victims almost nothing, the only thing, since the files are not fully encrypted, the victim can restore files from large archives. It is enough to simply rename the encrypted file by removing the .foop extension and open this file in the archiver, after which simply extract the desired file from the archive.
Fortunately, there is a free decryptor that can decrypt .foop files. This decryptor has one limitation; it can decrypt files encrypted with an offline key. If files are encrypted with an online key, then they cannot be decrypted yet, since there is no way to determine this key. In the case when files are encrypted with an online key, the victim can use alternative methods that do not involve the use of a key and a decryptor. These methods for recovering encrypted files are described in section ‘How to restore .foop files’ below.
How to remove Foop ransomware virus
Attention, the first thing you should do is scan the infected computer for malware, find and remove Foop ransomware components. Do not try to immediately start decrypting files, skipping the first step, you risk losing all your files. To remove Foop ransomware virus, we recommend using free malware removal tools. Some of them, with brief instructions, are given below. If you have an antivirus, then perform a full scan using it, then use the tools listed below. Each of these tools can detect and remove various malware, including ransomware, but these tools cannot recover and decrypt files. To decrypt .foop files, you need to complete this step, and then go to step 2.
Use Zemana AntiMalware (ZAM) to remove Foop ransomware
Zemana Anti Malware can search for all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Foop crypto malware, you can easily and quickly remove it.
- First, please go to the link below, then press the ‘Download’ button in order to download the latest version of Zemana Free.
Zemana AntiMalware
164037 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- After downloading is finished, close all apps and windows on your PC system. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, press Next button and follow the prompts.
- Once installation is finished, press the “Scan” button to perform a system scan for the Foop ransomware virus, other malicious software, worms and trojans. This process may take some time, so please be patient. When a malware, adware or PUPs are detected, the number of the security threats will change accordingly.
- After Zemana AntiMalware has completed scanning, Zemana Anti Malware will display a screen which contains a list of malware that has been found. Review the results once the utility has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next”. Once finished, you may be prompted to reboot your machine.
Remove Foop with MalwareBytes Anti Malware (MBAM)
Manual Foop ransomware virus removal requires some computer skills. Some files and registry entries that created by the ransomware virus may be not completely removed. We recommend that use the MalwareBytes Anti-Malware that are completely free your system of crypto virus. Moreover, this free program will allow you to uninstall other malware, potentially unwanted apps, adware and trojans that your machine may be infected too.
MalwareBytes can be downloaded from the following link. Save it on your Desktop.
326391 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the downloading process is finished, run it and follow the prompts. Once installed, the MalwareBytes will try to update itself and when this task is done, click the “Scan Now” button to perform a system scan with this tool for the Foop ransomware and other security threats. This procedure may take some time, so please be patient. While the MalwareBytes tool is scanning, you can see how many objects it has identified as being infected by malware. All found items will be marked. You can delete them all by simply press “Quarantine Selected” button.
The MalwareBytes AntiMalware (MBAM) is a free application that you can use to uninstall all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal tool, we suggest you to read and follow the step-by-step guide or the video guide below.
If the problem with Foop ransomware is still remained
Kaspersky virus removal tool (KVRT) is a free removal tool that can be downloaded and use to remove crypto malware, adware, worms, PUPs, trojans and other security threats from your PC system. You can use this utility to detect threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your machine from the link below.
129060 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is finished, double-click on the KVRT icon. Once initialization process is complete, you’ll see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button . KVRT tool will start scanning the whole computer to find out Foop ransomware virus and other trojans and malicious software.
Once the scan get finished, Kaspersky virus removal tool will show a scan report as shown on the screen below.
Review the report and then press on Continue to begin a cleaning procedure.
How to decrypt .foop files
Files with the extension ‘foop’ are encrypted files. To decrypt .foop files, you need to use a decryptor and a unique key. Fortunately, there is a free decryptor that can decrypt the encrypted files. This decryptor is compatible with all modern versions of the Windows OS and can decrypt files regardless of their size and type.
STOP Djvu decryptor
To decrypt .foop files, use free STOP (foop) decryptor
- Download STOP (foop) decryptor from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
As we said above, Foop virus can use two types of keys to encrypt files: online keys and offline keys. Emsisoft company found a way to determine offline keys, so at the moment this decryptor can only decrypt files encrypted with offline keys. If the files are encrypted with an online key, then they cannot be decrypted yet, since only the authors of the ransomware have the encryption key.
This does not mean that if your files are encrypted with an online key, then their contents are lost forever. Fortunately, there are several ways to recover encrypted files. These methods do not involve the use of decryption and therefore can be used in any case, regardless of what type of key the files were encrypted.
How to find out which key was used to encrypt files
Below we show two ways to help you determine what type of key was used to encrypt your files. This is very important, since the type of key determines whether it is possible to decrypt .foop files. We recommend using the second method, as it is more accurate.
Personal ID is highlighted here
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the Foop virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Foop ransomware virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
What to do if STOP (Foop) decryptor says “No key for New Variant offline ID”
If during decryption of .foop files the decryptor reports No key for New Variant offline ID, then this means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data. It is impossible to say exactly when the ‘offline key’ will be determined. Sometimes it takes several days, sometimes more. We recommend that you try to decrypt .foop files from time to time. You can also use alternative ways listed below for recovering encrypted data.
What to do if STOP (Foop) decryptor says “No key for New Variant online ID”
If, when you try to decrypt .foop files, the decryptor reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Foop authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
How to restore .foop files
Fortunately, there are some alternative ways to recover encrypted files. Each of them does not suggest the use of a decryptor and a key, so these methods will suit all victims regardless of which key Foop virus used to encrypt files. In addition, the use of these methods will not affect in any way the decryption of files using a free decoder. The only thing is that before you proceed with file recovery, be sure to check your computer for malware using free malware removal tools, you need to be 100% sure that the ransomware has been completely removed.
Recover .foop encrypted files using Shadow Explorer
A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore photos, documents and music encrypted by Foop crypto malware from Shadow Copies for free.
First, visit the following page, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
438681 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After downloading is done, extract the downloaded file to a folder on your machine. This will create the necessary files like below.
Run the ShadowExplorerPortable application. Now select the date (2) that you want to recover from and the drive (1) you wish to recover files (folders) from as displayed on the screen below.
On right panel navigate to the file (folder) you want to restore. Right-click to the file or folder and press the Export button as on the image below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Run PhotoRec to restore .foop files
The last chance to restore encrypted files to their original state is using data recovery tools. We recommend a free tool called PhotoRec. It has all the necessary functions to restore the contents of encrypted files. It helped many victims recover data when it seemed like there was no more hope.
Download PhotoRec on your machine by clicking on the link below.
When the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen like below.
Select a drive to recover as displayed on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as on the image below.
Click File Formats button and select file types to restore. You can to enable or disable the recovery of certain file types. When this is done, press OK button.
Next, click Browse button to select where recovered documents, photos and music should be written, then press Search.
Count of restored files is updated in real time. All recovered photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents like the one below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your machine from Foop crypto malware?
Most antivirus programs already have built-in protection system against the crypto malware. Therefore, if your personal computer does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic utility to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows operating system from Microsoft Windows XP to Windows 10.
HitmanPro Alert can be downloaded from the following link. Save it on your Microsoft Windows desktop.
Once the download is finished, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the utility is started, you’ll be shown a window where you can choose a level of protection, as displayed on the image below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of Foop ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .foop files; how to recover files, if STOP (Foop) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Foop related issues, go to here.
