[Content by Gemini 2.5]

foop Ransomware – Community Resource Sheet

(Last updated: 24 June 2025)


1. Technical Breakdown

File Extension & Renaming Patterns

  • Confirmation of file extension: .foop (lower-case 4-letter suffix)
  • Renaming convention:
    Victim file picture.jpg → picture.jpg.foop
    No e-mail, ID-string, or random bytes are inserted; the original name and first extension are preserved, only the new suffix is appended.

Detection & Outbreak Timeline

  • First public sensor hit: 2020-07-16 (ID-Ransomware & C2 upload)
  • Peak activity waves: July–October 2020, scattered re-activation in 2021–2022 (usually after large-scale phishing runs)
  • Current status (2024-2025): Distribution practically zero – considered “retired / superseded” by the Djvu/STOP affiliate pool.

Primary Attack Vectors

  1. Malvertising & fake software cracks (KMS, game cheats, Adobe “patcher” torrents) – #1 entry historically
  2. Phishing e-mail with ISO/IMG attachment (bypasses Mark-of-the-Web) – #2 entry
  3. Rig exploit kit (obsolete) and SocGholish fake-browser-update chains (rare)
  4. NO worm-like spread; no RDP brute-force; no supply-chain compromise.
  5. Payload delivered via an obfuscated InnoSetup packer or NSIS stub; the first stage is often a Djvu dropper that pulls the “foop” build from a hard-coded C2 (185.234.x.x range, currently sink-holed).

N.B. foop is a member of the Djvu/STOP ransomware family. Each month the gang cycles the extension; foop was the July-2020 variant and shares 99% of its code with the other “t1” branches (redl, lucm, npsk, etc.).


2. Remediation & Recovery Strategies

A. Prevention

  • Install applications only from official sources – cracks are the #1 trojan source for Djvu/foop
  • Disable Windows Script Host if not required – stops most Djvu JavaScript downloaders cold
  • SysAdmin: migrate to Office 365/Microsoft 365 with Safe-Attachments; blocks the ISO-phishing mails at the gateway
  • Patch browsers/PDF viewers; SocGholish chains abuse CVE-2021-40444, CVE-2022-41091
  • Offline backups (3-2-1 rule) – the only reliable counter against any offline-key Djvu build.
  • Application allow-listing (WDAC/AppLocker) – blocks all unsigned NSIS/Delphi droppers.
  • Disable SMBv1 only if you still run it (good general hygiene, but foop does NOT move laterally via SMB).

B. Removal (step-by-step)

  1. Physically disconnect the machine from the network (pull Ethernet / disable Wi-Fi).
  2. Boot into Safe Mode with Networking.
  3. Run a reputable AV engine that detects Djvu/STOP (Microsoft Defender, Malwarebytes, ESET, Kaspersky – all have signatures “Ransom:Win32/Stop” or “Trojan-Ransom.Win32.Stop”).
     • Quarantine/delete every STOP-related component (usually %Temp%\[random].exe or %AppData%\svchost.exe).
  4. Delete the scheduled task called “Time Trigger Task” (created to re-launch the binary).
  5. Clean up the following persistence keys:
     • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
     • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ALWCPEMGR
  6. Reboot normally and re-run a full scan to confirm the system is clean.
  7. BEFORE copying files back, update the OS + 3rd-party software (see prevention).
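A read-only PowerShell triage pass, added here as an example and not part of the original sheet, that checks a machine for the persistence artefacts named in steps 3–5 and for the encryption footprint described in section 1 (.foop files, _readme.txt). It only reports; the removal itself follows the numbered steps above. The ransom-note ID check assumes the victim ID sits on its own line in the note.

```powershell
# Added example: read-only triage for the foop/Djvu artefacts named in this sheet.
# It only reports; removal follows the numbered steps above.
$findings = New-Object System.Collections.Generic.List[string]

# Step 4: scheduled task used to re-launch the binary
$task = Get-ScheduledTask -TaskName 'Time Trigger Task' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task 'Time Trigger Task' present -> $actions")
}

# Step 5: Run-key persistence entries
$runKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';            Name = 'SysHelper' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'; Name = 'ALWCPEMGR' }
)
foreach ($k in $runKeys) {
    $value = (Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue).($k.Name)
    if ($value) { $findings.Add("Run key $($k.Path)\$($k.Name) -> $value") }
}

# Step 3: dropped binaries (fake svchost.exe in %AppData%, recently written .exe files in %Temp%)
$fakeSvchost = Join-Path $env:APPDATA 'svchost.exe'
if (Test-Path $fakeSvchost) { $findings.Add("Suspicious binary $fakeSvchost (the real svchost.exe lives in System32)") }
Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    ForEach-Object { $findings.Add("Recent executable in %Temp%: $($_.FullName)") }

# Encryption footprint: .foop files and _readme.txt notes under the user profile
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.foop' -ErrorAction SilentlyContinue)
$notes     = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '_readme.txt' -ErrorAction SilentlyContinue)
if ($encrypted.Count -gt 0) { $findings.Add("$($encrypted.Count) .foop file(s), e.g. $($encrypted[0].FullName)") }
foreach ($note in $notes) {
    # Assumption: the victim ID sits on its own line in the note; an ID ending in 't1'
    # marks the same-key subset that section 2.C says the Emsisoft tool may decrypt.
    $ids = Get-Content -Path $note.FullName -ErrorAction SilentlyContinue |
           ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^[0-9A-Za-z]{20,}$' }
    foreach ($id in $ids) {
        $hint = if ($id -match 't1$') { 'ends in t1: try the Emsisoft decryptor' } else { 'not t1: restore from backup' }
        $findings.Add("Ransom note $($note.FullName), ID $id ($hint)")
    }
}

if ($findings.Count -eq 0) { 'No foop/Djvu artefacts found.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell in Safe Mode with Networking (step 2) so the HKLM key and the scheduled task are readable; a hit on any item confirms the machine needs the full removal sequence, not just a file restore.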

C. File Decryption / Data Recovery

  • Offline-key infections (≈90% of foop cases) → No free decryptor possible; key only exists on criminals’ server
  • Same-key offline infections (the remaining ≈10%) → Emsisoft “STOPDecrypter” (now maintained by the author as “Djvu-Decrypter”) may work IF your victim-ID ends with ‘t1’ and the decrypter log says “Same key: ok”
  • Official download: https://www.emsisoft.com/decrypter/stop-djvu (check for newest build, 2023-08 or later)
  • Run it on an intact file pair (original + encrypted). The tool will brute-force the required key for that “same-key” subset only
  • Shadow-Copy / System-Restore: foop deletes them via vssadmin delete shadows /all – usually unsuccessful
  • Professional file-carving (PhotoRec, R-Studio) may rescue small files that happened to be resident on an SSD spare block before encryption – low success ratio.
    Bottom line: If the ID in the ransom note (_readme.txt) contains “t1” at the end you can TRY the Emsisoft decryptor; otherwise the only reliable path is restore from clean backups.

D. Essential Tools / Patches

  • Emsisoft Djvu-Decrypter (latest)
  • Microsoft patch CVE-2021-40444 (Sep-2021 cumulative update)
  • Microsoft Defender update v1.349.1+ (detects as “Ransom:Win32/Stop” family)
  • Malwarebytes v4.5+ (Ransom.STOP generic engine)
  • Windows 10/11 feature update that blocks ISO Execute-Feature (KB5012170, Aug-2022)
  • NCSC “Exercise in a Box” – tabletop for ISO-attachment phishing

E. Other Critical Information

  • Ransom note: default Djvu template _readme.txt demanding USD 980 (50% discount to USD 490 if paid within 72 h), contact e-mails [email protected] / [email protected]
  • No exfiltration – foop does not steal data; no evidence of double extortion
  • No lateral movement – entirely user-context, no privilege escalation; damage limited to the profile that launched the crack/malvert
  • Decryptor sold by criminals works, but sending money funds later Djvu campaigns – restore from backup whenever possible
  • Several “foop-decrypt” scams circulate on YouTube/Telegram – they demand BTC for a “private key”. They only re-sell the free Emsisoft tool to victims whose files are decryptable anyway

Broader Impact & Key Take-aways

foop represents the archetype of consumer-targeting ransomware. Because it never elevated to domain-wide encryption, it rarely hits the headlines, yet it wrecked tens of thousands of home users and small offices during 2020. Its lasting lesson is this: pirated software remains the dominant on-ramp for commodity ransomware, and the Djvu crew proved that cycling extensions monthly keeps antivirus detection low enough to stay profitable. Block piracy, back up daily, and Djvu/foop-style threats fade into the history books.

Stay safe, patch early, and keep those backups offline!