What is OoPS ransomware? And how does it work?
OoPS ransomware is a ransomware Trojan that encrypts your files to make them inaccessible to you and demands that you pay a ransom to restore them. This Trojan arrives on your computer as an obfuscated malicious executable file named OoPS Ramenware.exe. If executed, it quickly modifies your computer system and drops various malicious components in these directories: %AppData%, %Roaming%, %Local%, %LocalLow% and %Temp%. It might also make changes to your Windows Registry to make its removal even harder than it already is. What’s even worse is that before starting the encryption process it might also obtain administrative privileges on your computer and delete the Shadow Volume Copies of your files, as well as their backups, to make sure that decrypting your files will be next to impossible for you. Needless to say, using the Windows Previous Versions method to recover your files without cost is out of the question. That’s how dangerous this infection is. However, no matter how dangerous this ransomware is, paying the ransom should not be one of your options, since many researchers have received reports from victims of ransomware infections who, after paying the ransom, were ignored by the crooks and left with nothing but encrypted files and, for some, an empty pocket.
It then scans your computer for many file types which are as follows:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tar, .tz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .com, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .aspx, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .csv, .not, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .Ott, .odt, .DOC, .pem, .csr, .crt, .key, .dat.
As you can see, it targets too many file types to count, which makes this threat formidable. After locating those files, it encrypts each one of them with the AES algorithm and appends the .oops file extension to its name. After compromising your files, the OoPS ransomware drops an HTML file named _HELP_Recover_Files_.html. This HTML file includes the following text:
Oops, all data in your computer has been encrypted.
Your encryption key file is: C:\ProgramData\oops\EncryptedKey
Your computer name is: –
If you wanna decrypt all your data, please send 0,1 bitcoin to the address: 1FMvaobyrMNzVqeabC4hPumpbG1iGHo
But BEFORE you pay me, you should send me an email with the ENCRYPTED KEY FILE as an attachment, YOUR COMPUTER NAME and BITCOIN ADDRESS you will pay with. SO that i can know it’s your payment. My email address is: [email protected] After I confirm the payment, i’ll send you an email with your KEY and COMPUTER NAME for decryption, you can input it below, and decrypt. If you press Decrypt with right KEY, WAIT PATIENTLY, don’t do anything until decryption suceeded!!! If you close it, you can reopen it in C:\ProgramData\oops\oops.exe When you reopen it, you should open as Administrator, otherwise, not all data can be decrypted properly. Very Important!!! Do not modify anything in the oops folder before you pay!!! Very Important!!! You’d better pay it in a week, the prise will double every week. If you have any questions, send me an email. I will reply as soon as possible!
Furthermore, it also drops the following files:
EncryptedFiles.txt
EncryptedKey
KeyHash
Once you notice these files, restart your computer as quickly as possible to disrupt its process before proceeding to remove it.
How is OoPS ransomware distributed?
OoPS ransomware spreads through spam email campaigns. Nowadays, cyber criminals make use of social engineering techniques to spread infection and pretend to be someone from well-known companies like PayPal, FedEx, Amazon, etc. They might also pretend to be someone from a bank or a government organization to trick you into opening the email and downloading the infected attachment. Once you do that, OoPS ransomware immediately drops the malicious payload and executes it on your system. It is important that you check email senders carefully, especially unknown ones, before you open their message, or better yet avoid them altogether to prevent this kind of infection.
To eliminate OoPS ransomware, carefully follow the removal guide below:
Step 1: Reboot your computer into Safe Mode
Windows XP/Vista/7
1. Reboot your computer.
2. Tap F8 when you see the BIOS screen.
3. Select Safe Mode from the Advanced Boot Options menu using the arrow keys on your keyboard.
4. Press Enter.
5. And then proceed to remove the OoPS ransomware.
Windows 8/8.1/10
1. Tap two buttons: the Windows key and C on your keyboard and click Settings (if you use Windows 8/8.1) or click on the Start button (if you use Windows 10).
2. Click Power.
3. Hold the Shift key and click Restart.
4. Click Troubleshoot.
5. Click Advanced options.
6. Click Startup Settings.
7. Click on the Restart button.
8. Tap F4.
9. Proceed removing the OoPS ransomware when your PC starts in Safe Mode.
Step 2: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for OoPS Ramenware.exe or any suspicious processes that can be related to the OoPS Ransomware.
Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 3: Open the Programs and Features section of Control Panel by pressing the Windows key + R to launch Run, typing appwiz.cpl in the box and clicking OK.
Find OoPS ransomware or any suspicious program and then Uninstall.
Step 4: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below, and to any other directories where files related to OoPS ransomware might have been saved, and delete everything in them.
%AppData%
%Roaming%
%Local%
%LocalLow%
%Temp%
Step 7: Look for OoPS Ramenware.exe and the following malicious components of OoPS ransomware and then delete all of them.
EncryptedFiles.txt
EncryptedKey
KeyHash
Step 8: Go to your desktop and look for _HELP_Recover_Files_.html and remove it.
The next step below is not recommended for you if you don’t know how to navigate the Registry Editor. Making registry changes can highly impact your computer. So it is highly advised to use PC Cleaner Pro instead to get rid of the entries that OoPS ransomware created. So if you are not familiar with the Windows Registry skip to Step 13 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to step 9.
Step 9: Open the Registry Editor. To do so, tap Win + R, type in regedit and then press Enter.
Step 10: Navigate to the path below:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 11: Delete any suspicious registry value.
Step 12: Close the Registry Editor.
Step 13: Empty the Recycle Bin.
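Before you start deleting anything in Steps 6 to 11, it helps to know exactly which of the indicators described above (dropped components, the ransom note, .oops files, the HKCU Run entry and the state of the Shadow Volume Copies) are actually present. The following read-only triage script is an added example and is not part of this guide or of any tool it mentions; it assumes that %Roaming%, %Local% and %LocalLow% on this page mean the current user's AppData\Roaming, AppData\Local and AppData\LocalLow folders, and it reports findings without deleting anything.

```powershell
# Added example, not from the original guide: read-only triage for the OoPS
# indicators this page lists. It only reports; it deletes nothing.
# Assumption: %Roaming%/%Local%/%LocalLow% map to the current user's
# AppData\Roaming, AppData\Local and AppData\LocalLow folders.

$dropNames = @('OoPS Ramenware.exe', 'EncryptedFiles.txt', 'EncryptedKey',
               'KeyHash', 'oops.exe', '_HELP_Recover_Files_.html')

$searchDirs = @(
    $env:APPDATA, $env:LOCALAPPDATA,
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'),
    $env:TEMP, 'C:\ProgramData\oops',
    [Environment]::GetFolderPath('Desktop')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$findings = New-Object System.Collections.Generic.List[object]

# 1. Dropped components and the ransom note, in the directories the page names.
foreach ($dir in $searchDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $dropNames -contains $_.Name } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Item = $_.FullName; Note = "$($_.Length) bytes" })
        }
}

# 2. Encrypted files: the .oops extension is appended to the original name,
#    so "report.docx.oops" is the pattern. Count them instead of listing them all.
$oops = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter '*.oops' -ErrorAction SilentlyContinue
$findings.Add([pscustomobject]@{ Type = 'EncryptedFiles'; Item = $env:USERPROFILE; Note = "$(@($oops).Count) files with .oops" })

# 3. Persistence: every value in the HKCU Run key that Step 10 tells you to inspect,
#    flagged when it refers to the OoPS names; everything else is listed for review.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own properties
        $flag = if ([string]$p.Value -match 'oops|Ramenware') { 'SUSPICIOUS' } else { 'review' }
        $findings.Add([pscustomobject]@{ Type = 'RunKey'; Item = $p.Name; Note = "$flag -> $($p.Value)" })
    }
}

# 4. Shadow copies: the page says they are deleted before encryption. Querying them
#    needs an elevated prompt; a count of 0 from a non-admin shell proves nothing.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$findings.Add([pscustomobject]@{ Type = 'ShadowCopies'; Item = 'Win32_ShadowCopy'; Note = "$($shadows.Count) remaining" })

$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt in Safe Mode and keep the output: the DroppedFile paths are exactly what Step 7 removes, and the RunKey rows are what Step 11 asks you to judge.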
Follow the continued advanced steps below to ensure the removal of the OoPS ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
Turn on your computer. If it’s already on, you have to reboot it.
After that, the BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Boot Options menu shows up.
Use the arrow keys to navigate the Advanced Boot Options menu, select Safe Mode with Networking and then hit Enter.
Windows will now load the Safe Mode with Networking.
Press and hold both R key and Windows key.
If done correctly, the Windows Run Box will show up.
Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.
Click OK to launch SpyRemover Pro.
Run SpyRemover Pro and perform a full system scan.
After all the infections are identified, click REMOVE ALL.
Register SpyRemover Pro to protect your computer from future threats.