
Foop Ransomware

By GoldSparrow in Ransomware

FOOP ransomware is one of the many iterations of the STOP Ransomware virus, a malware threat known for its vicious actions of encrypting files on an infected system and then demanding a ransom payment to restore them. This file-encrypting malware uses AES/RSA cryptography to modify files so they can't be accessed by the users. The virus renames each file to have the ".FOOP" file extension and creates ransom notes, depositing them in infected folders and on the desktop.

Propagation and Encryption

There are various propagation methods that can be used to spread ransomware threats. Mass spam email campaigns are among the most popular infection vectors when it comes to the distribution of data-locking Trojans. The fraudulent emails in question would often contain a fake message riddled with various social engineering techniques alongside a macro-laced attachment, usually a seemingly harmless document. These bogus emails often claim to originate from government bodies or reputable companies. However, if the user launches the attached file, they will grant the Foop Ransomware access to their computer. Torrent trackers, malvertising, and fake software updates are some of the other infection vectors that are commonly used by cybercriminals propagating file-locking Trojans. It is likely that the Foop Ransomware is designed to encrypt various types of files – documents, images, videos, audio files, databases, archives, spreadsheets, presentations, etc. This means that a large part of your files, if not all of them, is likely to be affected by the Foop Ransomware. After the Foop Ransomware locks a file, the file's name will be altered because this Trojan appends a '.foop' extension to the names of the locked files. This means that a file called 'ivory-lash.mp3' will be renamed to 'ivory-lash.mp3.foop' after the Foop Ransomware locks it successfully.

The Ransom Note

The ransom note rendered by FOOP ransomware calls for the victim to contact the attackers, who will then explain how to pay the ransom and restore their information. The ransom note plays on users' fear by suggesting that the ransom demand will be half as much ($490 compared to $980) if users respond within 72 hours of infection. What makes the FOOP ransomware particularly dangerous is that it opens the door to other ransomware and is known to install alongside the Azorult trojan.

How Does FOOP Ransomware Work?

FOOP comes from a surprisingly long line of malware: it is the 213th iteration of the DJVU ransomware. FOOP uses offline and online encryption methods alike to lock a victim's files. Like many such threats, it spreads through malicious links and pirated software. Once someone executes the installation file, the virus gets to work: it turns off security software, deletes Shadow Volume Copies, and takes other steps to hide itself.

The virus will eventually attempt to establish a connection to the Command and Control server, where it obtains the online encryption key. If the virus is able to obtain this key, it will use it to encrypt the files. Once files are encrypted, the only safe way to regain access to them is to restore their previous versions from a data backup.

The virus isn't perfect, though. It may fail to establish the connection to the server, and it has an offline fallback for that case: it uses an offline encryption key that is shared by everyone hit by an offline attack. This means that the encryption key and decryption key are the same for all of those victims. If one person pays the ransom, they can share the key with other victims, or give it to security researchers, who can update their tools to apply it automatically.

If your computer is affected by the FOOP virus then you need to take immediate steps to remove it. It puts your computer, files, and personal information at great risk and leaves you vulnerable to further attacks.

The FOOP Ransom Demand

As noted before, the ransomware drops a text file called _readme.txt in all folders on the computer that contain personal information, such as the Desktop, Downloads, and Documents folders. The ransom note tells victims that they shouldn’t worry as their files can be recovered, so long as they pay a ransom to the attacker.

The note says that the victim is able to test the decryptor if they want. They can do this by sending one of the encrypted files to the attacker, who will then decrypt the file and send it back to them. This is a common tactic used by cybercriminals to make victims believe them.
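A defender triaging an affected machine first wants an inventory of what the Trojan touched. The following Python script is an added example, not code from this article or from any vendor tool: it walks a directory tree, lists files carrying the '.foop' suffix together with the original names recovered by stripping it, records which folders hold a _readme.txt note, and builds a histogram of the locked file types. The directory layout it creates is constructed sample data, not a real infection.

```python
import os
import tempfile
from pathlib import Path

FOOP_EXT = ".foop"          # extension the Foop/STOP variant appends to locked files
NOTE_NAME = "_readme.txt"   # ransom note dropped into affected folders

def original_name(encrypted) -> str:
    """Strip the appended '.foop': 'ivory-lash.mp3.foop' -> 'ivory-lash.mp3'."""
    name = Path(encrypted).name
    return name[:-len(FOOP_EXT)] if name.lower().endswith(FOOP_EXT) else name

def triage_tree(root) -> dict:
    """Walk a tree and summarise Foop indicators: locked files, note folders, file types."""
    root = Path(root)
    encrypted, note_dirs, by_ext = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        for f in files:
            if f.lower() == NOTE_NAME:
                note_dirs.append(str(d.relative_to(root)))
            elif f.lower().endswith(FOOP_EXT):
                orig = original_name(f)
                encrypted.append((str((d / f).relative_to(root)), orig))
                ext = Path(orig).suffix.lower() or "(none)"
                by_ext[ext] = by_ext.get(ext, 0) + 1
    return {"encrypted": sorted(encrypted), "note_dirs": sorted(note_dirs), "by_ext": by_ext}

def build_sample_tree() -> str:
    """Constructed sample layout (not real infection data) so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="foop-triage-")
    layout = {
        "Documents/report.docx.foop": b"\x00" * 16,
        "Documents/_readme.txt": b"(constructed placeholder note)",
        "Music/ivory-lash.mp3.foop": b"\x00" * 16,
        "Music/_readme.txt": b"(constructed placeholder note)",
        "Pictures/holiday.jpg": b"\xff\xd8",  # untouched file, must not be reported
        "Desktop/_readme.txt": b"(constructed placeholder note)",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root

if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Pointing triage_tree at a user profile root gives the list of folders to restore from backup and the recovered original names to match against that backup.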

It's always best to avoid paying the ransom in cases like this. Not only is there no guarantee that your files will even be recovered, but it's also generally not a good idea to give in to their demands. You don't want to give them money and support their continued efforts to infect other computers.
