What is Boop file (.Boop file extension)
.Boop file extension is an extension that is associated with a new variant (v0247) of dangerous ransomware called STOP (Djvu). Although ‘Boop’ variant was released recently, many users have already encountered a result of its malicious activity. It encrypts files located on the computer, and renames them appending .boop extension to their name. All encrypted files become useless, their contents cannot be read without decryption. The criminals behind this ransomware demand a ransom in exchange for a unique key and decryptor, which can decrypt the files and restore access to their contents. As we already reported above, Boop belongs to the STOP ransomware family, which means that you can use the free decryptor (Boop File Decrypt Tool) created by Emsisoft to decrypt the encrypted files. Even if the decryptor does not help, there are some alternative ways that can help restore the contents of the encrypted files. To learn more about decrypting files, simply scroll down to section ‘How to decrypt .Boop files’.
What is Boop ransomware
Boop ransomware is a new malware that belongs to the STOP ransomware family. It encrypts files using a strong encryption algorithm. The virus uses a long key to encrypt files. This key is unique for each victim, therefore it excludes the possibility of using the same key to decrypt files on different computers. In some cases, when the virus cannot establish a connection to its command server (C&C), it uses the so-called ‘offline key’. This key is the same for all victims. And most importantly, the security researchers have found a way to determine this key.
Boop does not encrypt absolutely all files, as it will cause the computer to stop working. Therefore, it skips and does not encrypt Windows system files as well as files with the name ‘_readme.txt’. All other files on the victim’s computer will be encrypted. It makes no difference where the files are located, on a hard drive or cloud storage. If at the time of the ransomware attack a disk was connected to the computer, then all the files on it can be encrypted. In addition to the fact that Boop virus does not matter where the files are located, it also does not matter what type of files they are. Files of all common types can be encrypted, including the following:
.erf, .zabw, .mdbackup, .wmv, .bsa, .desc, .bkp, .1, .t12, .wbz, .sav, .cr2, .3fr, .wmf, .p7c, .wsd, .zip, .itdb, .dazip, .dcr, .icxs, .wbk, .xxx, .sidd, .wgz, .sr2, .itm, .wotreplay, .xar, .wb2, .d3dbsp, .js, .mdb, .crw, .menu, .gho, .wmd, .wpg, .xdl, .pst, .avi, .pem, .blob, .odm, .ff, .xlsm, .wps, .rgss3a, .vfs0, .jpg, .wcf, .wsc, .mp4, .2bp, .odc, .wbc, .gdb, .dba, .rar, .cdr, .wbm, .y, .db0, .sum, .3ds, .ws, .xmmap, .ntl, .png, .crt, .mrwref, .xyp, .wps, .webp, .xwp, .cfr, .xld, .t13, .ods, .srw, .zdb, .ztmp, .hkx, .z3d, .jpe, .doc, .wn, .wpt, .kf, .z, .x3f, .wpe, .arch00, .indd, .dng, .mdf, .zw, .xdb, .xls, .wpb, .snx, .itl, .sie, .ybk, .cas, .wsh, .orf, .hplg, .psk, .docm, .x3f, .yal, .flv, .bc6, .zip, .zi, .x3d, .wma, .syncdb, .wpd, .wp5, .pak, .xbdoc, .kdc, .der, .wpw, .rtf, .raw, .epk, .xpm, .mlx, .vdf, .pfx, .slm, .sql, .wm, .wp, .wp7, .py, .das, .docx, .wmo, .pptm, .wbmp, .1st, .x, wallet, .fsh, .wpa, .ppt, .xy3, .wpd, .wire, .wot, .mef, .apk, .rw2, .iwd, .xf, .7z, .qic, .xml, .jpeg, .bar, .cer, .vpk, .sidn, .wma, .xlsm, .forge, .xlsb, .vcf, .sis, .ibank, .ysp, .upk, .kdb, .xll, .ai, .bc7, .fpk, .eps, .big, .pdf, .layout, .fos, .ltx, .bik, .dmp, .esm, .xmind, .odp, .svg, .hvpl, .tor, .tax, .mov, .m3u, .litemod, .qdf, .psd, .mddata, .wdb, .0, .sid, .p7b, .ncf, .yml, .rwl, .rim, .m2, .xls, .vtf, .re4, .dxg, .lbf, .wav, .lrf, .zdc, .r3d, .zif, .p12, .odt, .m4a, .bay, .w3x, .mcmeta, .accdb, .lvl, .pkpass, .wmv, .rb, .pdd, .css, .pef, .odb, .xlsx, .vpp_pc, .xlsx, .mpqge, .wpl, .nrw, .sb, .csv, .wbd, .xyw, .pptx, .ptx, .raf, .dbf, .wp4, .hkdb, .xlk, .srf, .webdoc, .wri, .txt, .arw, .wp6, .map, .rofl, .iwi, .wdp, .xlgc, .bkf, .asset, .xbplate
When the process of encrypting the victim’s files is completed, all documents, databases, pictures and other files will be encrypted and thus the contents of these files will be locked. All encrypted files will receive a new name, which consists of their old name and the extension ‘.boop’ added to the right. This means literally the following, if the non-encrypted file had the name ‘document.docx’, then after encryption it will be called ‘document.docx.boop’. Boop virus places files called ‘_readme.txt’ in each folder where there is at least one encrypted file. The contents of such a file are shown in the image below.
This file contains a message from Boop authors. They inform the victim that the files on the computer were encrypted and offer him to buy a unique key and decryptor. According to them, this is the only way to decrypt files encrypted by the ransomware and thus restore access to their contents. The criminals demand $980 from the victim, but agree to take half the amount if the victim transfers it within 72 hours. Since the attackers understand that no one trusts their words, they offer the victim to decrypt one file for free. The main requirement for this file, it should be small and not contain important information. Nevertheless, all security experts warn victims of Boop virus; successful decryption of one file does not guarantee anything at all. There is no guarantee that payment of the ransom will become a way to decrypt the files encrypted by the ransomware.
Threat Summary
Name | Boop ransomware, Boop file virus |
Type | Ransomware, Crypto malware, File locker, Crypto virus, Filecoder |
Encrypted files extension | .boop |
Ransom note | _readme.txt |
Contact | helpmanager@mail.ch, restoremanager@airmail.cc |
Ransom amount | $490,$980 in Bitcoins |
Detection Names | Trojan.Win32.Stop.j!c, Win32:RansomX-gen [Ransom], Win32/Kryptik.HFRI, Trojan.TR/AD.InstaBot.fxkau, Trojan.MalPack.GS, Trojan-Ransom.Win32.Stop.pl, Trojan.Malware.300983.susgen, Trojan.Kryptik!1.CABF (CLOUD), Ransom_Stop.R002C0PHN20, W32.Malware.Gen |
Symptoms | Cannot open files stored on the computer. Your personal files have a wrong name, suffix or extension, or don’t look right when you open them. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom note displayed on your desktop. |
Distribution ways | Spam or phishing emails that are created to get people to open an attachment or click on a link. Malicious downloads that happen without a user’s knowledge when they visit a compromised webpage. Social media, such as web-based instant messaging applications. USB sticks containing malware. |
Removal | Boop ransomware removal guide |
Decryption | Boop File Decrypt Tool |
Criminals do not lie, claiming that encrypted files cannot be decrypted without a key and decryptor. Security researchers confirm the words of the attackers said in the ransom demand message. The contents of the affected files are encrypted. But the files are not fully encrypted, but only the first 154kb of their contents. This can help the victims almost nothing, the only thing, since the files are not fully encrypted, the victim can restore files from large ZIP archives. It is enough to simply rename the encrypted file by removing the .boop extension and open this file in the archiver, after which simply extract the desired file from the archive.
How to remove Boop ransomware, Decrypt/Recover .boop files
If your files have been encrypted with .boop extension, then there is no need to despair. Fortunately, there are several ways to recover the contents of encrypted files, but before proceeding, you need to find and remove Boop virus, so that you stop the malicious actions of the ransomware. Below you will find detailed instructions that will demonstrate you how to remove Boop, how to use Boop File Decrypt Tool to decrypt files, and how to recover files if the decryptor did not help you. We advise you not to skip any steps, each of the steps is very important and must be completed by you. In order not to get confused and not miss an important point in the instructions, we recommend that you print this article or open it on your smartphone.
- How to remove Boop ransomware virus
- How to decrypt .boop files
- How to restore .boop files
- How to protect your PC from Boop ransomware
How to remove Boop ransomware virus
Before you start decrypting or recovering .boop files, you need to remove Boop ransomware and its autostart entries. This must be done since otherwise the ransomware may re-encrypt the restored files. You can stop the ransomware from working, as it is not difficult to do. Another option is to perform a full system scan using free malware removal tools capable of detecting and removing ransomware infection.
It is very important to scan the computer for malware, as security researchers found that spyware could be installed on the infected computer along with the Boop ransomware. Spyware is a very dangerous security threat as it is designed to steal the user’s personal information such as passwords, logins, contact details, etc. If you have any difficulty removing the Boop virus, then let us know in the comments, we will try to help you.
To remove Boop ransomware, follow the steps below:
- Kill the Boop ransomware process
- Disable the Boop ransomware Start-Up
- Delete the Boop ransomware Task
- Delete the Boop ransomware File
- Scan computer for malware
Kill the Boop ransomware process
Press CTRL, ALT, DEL keys together.
Click Task Manager. Select the “Processes” tab, look for something suspicious that is the Boop ransomware then right-click it and select “End Task” or “End Process” option. If your Task Manager does not open or the Windows reports “Task manager has been disabled by your administrator”, then follow the guide: How to Fix Task manager has been disabled by your administrator.
It is not difficult to detect a process related to the Boop ransomware. When looking for a malicious process, pay attention to the process icon and its name. Most often, this ransomware has a process name in the following format: 4-characters.tmp.exe or 4-characters.exe. For example: C5D0.tmp.exe, b3c0.tmp.exe, A78C.tmp.exe, cd32.exe. If you do not find a process with a similar name in the list of processes, then most likely the Boop ransomware has finished working. But keep in mind, if you do not remove the ransomware autostart entries, as demonstrated below, and do not delete its file, then after a while it may start again, and if it finds unencrypted files, immediately encrypt them.
Disable the Boop ransomware Start-Up
Select the “Start-Up” tab, look for something similar to the one shown in the example below, right click to it and select Disable.
Close Task Manager.
Delete the Boop ransomware Task
Type “Task Scheduler” in the search bar. Click Task Scheduler app in the search results. Click “Task Scheduler Library” in the left panel. On the right panel, right-click to “Time Trigger Task” and select Delete.
Close Task Scheduler.
Delete the Boop ransomware File
Run Task Manager and select the “Start-Up” tab. Right click to the Boop ransomware Start-Up entry and select Open File Location as shown below.
A directory containing one file will open in front of you, this file is the Boop ransomware. It needs to be removed. If you try to delete it immediately, then you will not succeed, since this file is protected from deletion.
To delete this file, you need to do the following. Right-click on the file, select Properties. In the window that opens, select Security tab. Next, click the Advanced button below. A window will open as shown in the following example.
Click Disable inheritance. In the Block inheritance dialog box that opens, select the first item (Convert inherited permissions…) as shown below.
In the Permission entries list, select “Deny Everyone”, click Remove button and then OK. Close the file properties window. You should now be able to remove the Boop ransomware File. Right-click on the file and select Delete.
Scan computer for malware
Zemana AntiMalware (ZAM) can locate all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Boop ransomware, you can easily and quickly remove it.
Download Zemana AntiMalware from the link below.
164107 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the downloading process is complete, close all windows on your PC. Further, open the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown in the figure below, press the “Yes” button.
It will display the “Setup wizard” that will help you install Zemana on the computer. Follow the prompts and do not make any changes to default settings.
Once setup is done successfully, Zemana Free will automatically start and you can see its main window similar to the one below.
Next, click the “Scan” button for checking your computer for the Boop ransomware, other malicious software, worms and trojans. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the tool is scanning, you can see count of objects and files has already scanned.
When the system scan is finished, Zemana will show a list of all items found by the scan. Review the report and then click “Next” button.
The Zemana Free will delete Boop crypto malware and other security threats and move the selected threats to the Quarantine. Once that process is complete, you may be prompted to reboot your computer.
In order to be 100% sure that the computer no longer has the Boop malware, we recommend using the Kaspersky virus removal tool (KVRT). It is a free removal tool that can scan your personal computer for a wide range of security threats such as ransomware, adware, spyware, potentially unwanted applications, trojans, worms as well as other malware. It will perform a deep scan of the PC including hard drives and Microsoft Windows registry. Once a malware is detected, it will help you to delete all detected threats from your system with a simple click.
Download Kaspersky virus removal tool (KVRT) from the following link.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is complete, double-click on the KVRT icon. Once initialization procedure is complete, you will see the KVRT screen as displayed below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button . Kaspersky virus removal tool tool will start scanning the whole PC to find out the Boop crypto virus and other malware. This task can take some time, so please be patient. While the KVRT utility is scanning, you can see how many objects it has identified as being affected by malware.
After the scanning is done, KVRT will prepare a list of unwanted programs and crypto virus as shown below.
Make sure all items have ‘checkmark’ and click on Continue to start a cleaning procedure.
How to decrypt .boop files
Files with the extension ‘boop’ are encrypted files. To decrypt .boop files, you need to use a decryptor and a unique key. Fortunately, there is a free Boop File decrypt Tool that can decrypt the encrypted files. Boop File Decrypt Tool is compatible with all modern versions of the Windows OS and can decrypt files regardless of their size and type.
To decrypt .boop files, use Boop File decrypt Tool
- Download Boop File Decrypt Tool from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Boop File Decrypt Tool is a free tool that allows everyone to decrypt .boop files for free. As we said above, the Boop ransomware can use two types of keys to encrypt files: online keys and offline keys. Emsisoft found a way to obtain offline keys, so at the moment the Boop File decrypt Tool can only decrypt files encrypted with offline keys. If the files are encrypted with an online key, then they cannot be decrypted yet, since only the authors of the ransomware have the encryption key.
This does not mean that if your files are encrypted with an online key, then their contents are lost forever. Fortunately, there are several ways to recover encrypted files. These methods do not involve the use of decryption and therefore can be used in any case, regardless of what type of key the files were encrypted.
How to find out which key was used to encrypt files
Below we show two ways to help you determine what type of key was used to encrypt your files. This is very important, since the type of key determines whether it is possible to decrypt .boop files. We recommend using the second method, as it is more accurate.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the Boop virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Boop ransomware virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
Boop File Decrypt Tool : “No key for New Variant online ID”
If, when you try to decrypt .boop files, Boop File Decrypt Tool reports:
No key for New Variant online ID: *
Notice: this ID appears to be an online ID, decryption is impossible
It means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the boop authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
Boop File Decrypt Tool : “No key for New Variant offline ID”
If, during decryption of .boop files, Boop File Decrypt Tool reports:
No key for New Variant offline ID: *t1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future.
It means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been obtained by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data.
If for some reason you were unable to decrypt the encrypted files, then We recommend to follow the news on our Facebook or YouTube channels. So you ‘ll know right away that it ‘s possible to decrypt .boop files.
This video step-by-step guide will demonstrate How to remove Boop ransomware and Decrypt/Recover .boop files.
How to restore .boop files
Fortunately, there are some alternative methods to recover encrypted files. Each of these methods does not require the use of a decryptor and a key, so these methods are suitable for every victim of the ransomware, regardless of the key used to encrypt the files. In addition, the use of these methods will not affect in any way the decryption of files using a free decoder. The only thing is that before you proceed with file recovery, be sure to check your computer for malware using free malware removal tools, you need to be 100% sure that the ransomware has been completely removed.
Use shadow copies to restore .boop files
A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore photos, documents and music encrypted by the Boop crypto malware from Shadow Copies for free.
Please go to the link below to download ShadowExplorer. Save it to your Desktop so that you can access the file easily.
438811 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the image below.
Double click ShadowExplorerPortable to run it. You will see the a window as displayed in the following example.
In top left corner, choose a Drive where encrypted files are stored and a latest restore point as shown on the screen below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as displayed on the screen below.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Use PhotoRec to recover .boop files
The last chance to restore encrypted files to their original state is using data recovery tools. We recommend a free tool called PhotoRec. It has all the necessary functions to restore the contents of encrypted files. It helped many victims recover data when it seemed like there was no more hope.
Download PhotoRec on your MS Windows Desktop from the link below.
When downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen like the one below.
Select a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as displayed in the following example.
Click File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to select where restored photos, documents and music should be written, then press Search. We strongly recommend that you save the recovered files to an external drive.
Count of recovered files is updated in real time. All recovered personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as shown on the image below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your PC from Boop ransomware
Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your system does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Click the following link to download HitmanPro.Alert. Save it on your Desktop.
Once downloading is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the utility is started, you will be displayed a window where you can select a level of protection, as shown in the figure below.
Now press the Install button to activate the protection.
To sum up
This guide was created to help all victims of Boop ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .boop files; how to recover files, if Boop File Decrypt Tool does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Boop ransomware related issues, go to here.
Thank you so much!
I could not figure out how to determine which key was used to encrypt my files. Can you help me, please?
if your ID ends in ‘t1’, then the files are encrypted with an offline key, in all other cases, the files are encrypted with an online key
my ID ends With t1 but still cant decrypt my files
to date, security researchers have not yet obtained the offline key, so you have to wait. We will let you know when decryption is possible, follow the news on our facebook channel.
How to remove Boop Ransomware from an external hard drive?