Cyber Security Center

How to delete Booa ransomware


Booa ransomware is file-encrypting malware from the Djvu/STOP ransomware family. Can be differentiated by the .booa extension added to encrypted files. Drops the typical _readme.txt ransom note.

 

Booa ransom note

Booa ransomware comes from the notorious Djvu/STOP ransomware family, which has released hundreds of ransomware versions, including Igdm, Nobu, Weui, Lisp, Sglh, Epor, and Vvoa. This version adds the .booa file extension to encrypted files, hence why it’s known as Booa ransomware. Once files are encrypted, users will be unable to open them until they are decrypted. But to decrypt them users would need to obtain the decryptor, which the cyber crooks behind this ransomware will try to sell to users for $980. If victims contact the cyber crooks within 72 hours, the price would supposedly go down to $490. However, whatever the price may be, we don’t recommend paying. There is a big chance that a decryptor would not be sent to the victim, even if they pay, thus we feel it’s necessary to warn users that paying is risky. Countless users in the past have not received the decryptor, even after paying. Users should keep in mind that they are dealing with cyber crooks, meaning they will not necessarily feel obligated to send the decryptor.

Only users who have backup can currently recover files for free. If they first delete Booa ransomware from the computer, there should be no issues with recovering files. But users should keep in mind that if they don’t first get rid of the ransomware before accessing backup, backed up files would become encrypted.

We should also mention that malware researchers are sometimes able to release free decryptors to help users. However, this isn’t always possible. There is a free decryptor released by Emsisoft for older Djvu/STOP versions but it will not work on Booa or other new versions because they use online keys to encrypt files. That means that each victim’s files are encrypted with a unique key, and releasing a free decryptor that works for everyone is not possible without having those keys. However, it’s not impossible that law enforcement will catch the cyber crooks and release the keys, or that the crooks themselves will do that. Thus, users should back up encrypted files and occasionally check NoMoreRansom for a decryptor.

How does ransomware infect a computer?

Ransomware usually infects computers when users open malicious email attachments, use torrents to pirate content, click on malicious ads when on high-risk websites, etc. Essentially, it’s users’ bad habits that result in some kind of infection.

Spam emails are often how users end up infecting their computers with malware. Malicious actors launch malspam campaigns and use email addresses bought from hacker forums. The emails contain a malicious attachment, which if opened would initiate a process that would allow ransomware to enter the computer. Fortunately for users, malspam emails are generally quite obvious. The most obvious sign is usually grammar and spelling mistakes. Another sign is a random sender’s email address. If the sender is claiming to be from some legitimate company or organization but their email address looks unprofessional, it’s likely malspam. In rare cases, the email may be more sophisticated, which is why users should always scan unsolicited emails with anti-virus software or VirusTotal before opening them.

Malware can also often be encountered in torrents. Torrent sites are not adequately regulated, which allows cyber crooks to easily upload torrents with malware in them. It’s especially common to find malicious software in torrents for popular movies, video games, TV shows, software, etc. For example, torrents for the newly-released long-awaited video game Cyberpunk 2077 will likely contain some kind of malware.

Why is ransomware so dangerous?

When the ransomware is initiated, it will immediately start encrypting files. In order to distract users from what is happening, the ransomware will show a fake Windows update window. Once files are encrypted, they will have .booa added to them. For example, image.jpg would become image.jpg.booa. Users will not be able to open any of the files with that extension. A _readme.txt ransom note will also be dropped, and it will contain information on how users can recover files. The note demands that users pay $980 (or $490 if contact is made within 72 hours) in ransom in order to receive the decryptor.

But as we mentioned above, paying the ransom is very risky. There is little guarantee that a decryptor will be sent, or that it will work as it should. Furthermore, ransomware will continue to be an issue as long as users continue to pay, as it encourages cyber crooks to continue their malicious activities.

Below is the text from the ransom note dropped by this ransomware:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-VP0uSxh1Bi
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

Only users who have backup can currently recover files for free and in a safe way. A free decryptor may become available in the future, but one has not been released yet.

Booa ransomware removal

Because ransomware is a complex malware infection, users need to use anti-virus software to remove Booa ransomware from their computers. Trying to delete Booa ransomware manually may result in further damage to the computer. Once the ransomware is gone, users can start file recovery from backup.

Booa ransomware is detected as:

  • A Variant Of Win32/Kryptik.HIFB by ESET
  • Gen:Variant.Bulz.266265 (B) by Emsisoft
  • Trojan.MalPack.GS by Malwarebytes
  • RDN/Generic.grp by McAfee
  • UDS:DangerousObject.Multi.Generic by Kaspersky
  • Win32:TrojanX-gen [Trj] by AVG/Avast
  • ML.Attribute.HighConfidence by Symantec
  • Trojan:Win32/Glupteba.NK!MTB by Microsoft