Foqe ransomware is file-encrypting malware from the STOP/Djvu ransomware family. It can be differentiated from other versions by the .foqe extension it adds to encrypted files. It also drops the _readme.txt ransom note.
Foqe ransomware, also known as Foqe file-encrypting malware, comes from the STOP/Djvu ransomware family. The gang behind the Djvu malware family has released more than 200 versions of the ransomware, and continues to do so on a regular basis. Foqe ransomware is the latest one, and it’s more or less identical to the majority of its predecessors. It encrypts files, adds the .foqe extension to encrypted files, and drops a _readme.txt ransom note.
Users will not be able to open the encrypted files until they are decrypted with a special tool that the cyber criminals will try to sell to victims. The price for the decryptor is $980, though victims who contact the cyber criminals within the first 72 hours will supposedly receive a 50% discount. The decryptor price remains the same for all versions of Djvu. However, paying the ransom is not recommended for a couple of reasons. First of all, paying the ransom only encourages cyber criminals to continue their malicious activities. As long as users continue to pay the ransom because they don’t have a backup, ransomware will remain a widespread issue. Second, cyber criminals might not necessarily send the decryptor after users pay. Countless users in the past have not received decryptors after paying, and users should be aware of the risk.
Currently, the only way to recover files is via backup. If users have backed up files prior to infection, they can access the backup as soon as they remove Foqe ransomware. For those who don’t have a backup, there aren’t many options left. One option is to back up the encrypted files and wait for a free decryptor to be released. Emsisoft has released a free decryptor for older versions of Djvu, but it does not work for newer versions because they use online keys to encrypt files. However, while it’s not extremely likely, a free decryptor may be released some time in the future, so users won’t lose anything by backing up the encrypted files.
However, we should warn users that there are plenty of fake decryptors out there, some of which could even be malicious. Victims should not download random decryptors they come across, and should only trust Emsisoft, other anti-virus vendors, NoMoreRansom, and malware researchers to provide safe decryptors.
Ransomware distribution methods
If a computer becomes infected with ransomware, it’s often because users have bad browsing habits, such as downloading torrents to pirate content, clicking on ads while on high-risk websites, and opening spam email attachments without checking that they’re safe.
Torrents are one of the most common ways users infect their computers with malware. Torrents for popular copyrighted content are often riddled with malware, which users unknowingly allow into their computers when they download an infected torrent. This happens because torrent sites and forums are not properly regulated, which allows cyber crooks to easily hide malware in torrents for popular movies, TV shows, games and software. The less users torrent, the lower the risk of an infection.
But ransomware can also be spread via spam emails. The malware may come as an attachment, which would trigger it if opened. Users are always warned to be very careful when dealing with unsolicited emails that come with attachments, as they could easily be malicious. Malicious emails are fairly obvious in many cases, though. They are often full of grammar and spelling mistakes, and just generally seem off. They’re also often sent from random-looking email addresses, while the senders claim to be from known companies/organizations. As a precaution, we suggest users always scan unsolicited email attachments with anti-malware software or VirusTotal before opening them.
Is it possible to decrypt Foqe ransomware files?
When the ransomware is initiated, it will encrypt files that users are usually the most willing to pay for. That includes photos, videos, documents, etc. Users will know which files have been encrypted from the .foqe extension added to them, which is why this malware is known as Foqe ransomware. Once all files have been encrypted, the ransomware will drop a _readme.txt ransom note. The ransom note is practically identical to the ones dropped by other Djvu ransomware versions. It explains that files have been encrypted and demands that users pay $980 in ransom to get the decryptor. Though according to the note, users who send an email to email@example.com or firstname.lastname@example.org will receive a 50% discount and would thus need to pay $490.
Here is the full ransom note dropped by Foqe ransomware:
Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
As we already mentioned, paying the ransom is not a great idea. But in the end, it’s up to the users themselves, though they should be aware of the risks as they may not necessarily get a decryptor after paying.
Foqe ransomware removal
Anti-malware programs detect and remove Foqe ransomware, so users should use them instead of trying to do it manually. In fact, users trying manual Foqe ransomware removal could end up doing even more damage.
Once the ransomware is no longer present, users can start file recovery via backup. If the ransomware remains when users access their backup, those files may become encrypted as well.
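Before restoring from backup, it helps to know which files were hit. The script below inventories the two indicators described above, the .foqe extension and the _readme.txt note, and lists the original file names to pull from backup. It is an added example, not part of the original article or any vendor tool; the function names, report keys and demo tree are constructed for illustration, and the matching phrases come from the ransom note quoted above.

```python
import os
import tempfile

ENCRYPTED_EXT = ".foqe"      # extension named on this page
NOTE_NAME = "_readme.txt"    # ransom note filename named on this page
NOTE_MARKERS = ("purchase decrypt tool and unique key",  # phrases from the note quoted above
                "Price of private key and decrypt software",
                "Your personal ID:")

def looks_like_note(path, min_hits=2):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read(64 * 1024)
    except OSError:
        return False  # unreadable file: cannot confirm, treat as not a note
    return sum(marker in text for marker in NOTE_MARKERS) >= min_hits

def scan(root):
    """Return relative paths of encrypted files, notes, and names to restore."""
    report = {"encrypted": [], "notes": [], "unconfirmed": [], "restore": []}
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"].append(rel)
                # The backup copy has the same path minus the added extension.
                report["restore"].append(rel[:-len(ENCRYPTED_EXT)])
            elif name.lower() == NOTE_NAME:
                confirmed = looks_like_note(os.path.join(dirpath, name))
                report["notes" if confirmed else "unconfirmed"].append(rel)
    return report

def build_demo_tree():
    """Constructed sample tree (not real malware output) for an offline run."""
    root = tempfile.mkdtemp(prefix="foqe_demo_")
    samples = {
        "docs/report.docx.foqe": "constructed placeholder bytes",
        "docs/_readme.txt": "Price of private key and decrypt software is $980.\nYour personal ID:\n",
        "project/_readme.txt": "Build instructions for this project.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(scan(build_demo_tree()))
```

A _readme.txt that matches none of the note phrases lands in "unconfirmed" rather than "notes", so legitimate project readme files are not counted as ransom notes.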