.goofed File Virus - Remove and Restore Files


The .goofed extension is associated with a crypto virus that encrypts essential files and blackmails victims into paying a $100 ransom in Bitcoins for the decryption key. Analysis of its samples reveals that .goofed ransomware is a new Hidden Tear strain. It employs the strong AES cipher to modify the original code of target files and then renames them with the .goofed extension. The infection ends with a ransom note that appears on the PC screen to inform victims how they are expected to act if they want to retrieve .goofed files.

This article provides more information about the .goofed file virus infection and a detailed removal guide for its complete elimination. In addition, our team listed alternative data recovery methods that may help you retrieve .goofed files without paying the ransom.

Threat Summary

Name: .goofed File Virus
Short Description: The ransomware encrypts files on your computer and displays a ransom message afterward.
Symptoms: The ransomware will encrypt your files and append the extension .goofed to them after it finishes its encryption process.
Distribution Method: Spam Emails, Email Attachments

.goofed File Virus – Infection

Ransomware infections like .goofed may be spread via various techniques, but the one criminals prefer most is email campaigns. Email campaigns offer a wide range of capabilities to criminals who aim to trick online users into infecting themselves with the ransomware payload. For example, they often impersonate popular websites or legitimate institutions by spoofing the email address and the name of the sender. They expect that this will make you more likely to follow the calls to action presented in the message and install the ransomware payload on the machine. The payload can be embedded in an attached document file or injected into a web page that is presented as a clickable link in the text. The compromised links that can cause a drive-by download ransomware attack may also be spread on social media channels.

It is also possible for the .goofed file virus to penetrate the system through the installation setups of suspicious apps of unknown origin. Such apps are usually offered for free on popular torrent websites.

.goofed File Virus – Analysis

The attack starts once a file called hidden-tear.exe is running on the system. It is capable of managing all malicious actions that lead to a successful .goofed ransomware infection. Being a Hidden Tear variant, the .goofed file virus is believed to follow a typical infection pattern. At first, it can initiate a scan to locate all predefined file types and encrypt them with a strong cipher algorithm. After this happens, all corrupted files can be recognized by the extension .goofed appended at the end of their names.

The .goofed file virus could also misuse the Windows registry for the automatic execution of its payload each time the operating system starts. By creating specific values in the registry keys mentioned below, the .goofed crypto virus ensures its stable presence on the infected host:


Other values associated with Goofed’s ransom note may be added under the same keys, as they control all currently running processes, which allows the threat to display the message automatically on the screen. As a result, its complete removal may become a tough task even for tech-savvy users.

As regards the crooks’ message, it is dropped in a text file called YOU_DONE_GOOFED.txt and informs the following:

Files has been encrypted with hidden tear
Send me $100 in bitcoin to 112eFWptVuBw9KzVZFvgx8ERnqYMsY6HLj
And email me at hiddentear@protonmail.com for your decryption key.

At this point, the hackers’ identity remains unknown, and any negotiations with them should be avoided. Beware that paying the ransom does not guarantee the recovery of your .goofed files. Instead, you can take a look at some alternative data recovery approaches listed in our guide below that have proved to be efficient in most cases.

.goofed File Virus – Encryption

Like other Hidden Tear-based ransomware we have reported (Amazon Carding, Barrax), the Goofed strain could seek to encrypt files with these extensions:

.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp

All corrupted files are renamed with the .goofed extension and seem to be broken. For the encryption process, the .goofed file virus utilizes the AES cipher algorithm, which changes the code of the files in a way that they remain inaccessible until the unique decryption key is applied to the decrypter. As criminals possess the key, they can extort a ransom of $100 in Bitcoins from victims who want to decrypt .goofed files. However, this will only fund hackers’ future malicious activities and encourage them to continue the attack campaigns.
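To scope an infection before cleanup, the indicators named above (the appended .goofed extension, the YOU_DONE_GOOFED.txt note and the hidden-tear.exe payload) can be inventoried across a drive or share. The following is an added example, not part of the original article; the function name `triage` and the report fields are hypothetical, and the earliest modification time is only an approximation of when encryption began.

```python
import os
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".goofed"              # extension named in the article
NOTE_NAME = "you_done_goofed.txt"      # ransom note file name (lower-cased)
PAYLOAD_NAME = "hidden-tear.exe"       # payload file name from the article


def triage(root):
    """Walk `root` and summarise .goofed indicators for incident scoping."""
    encrypted, notes, payloads = [], [], []
    by_original_ext = Counter()
    first_seen = None                   # earliest mtime of an encrypted file
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower == PAYLOAD_NAME:
                payloads.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # The extension is appended, so the original type is the
                # suffix that precedes ".goofed" (report.docx.goofed -> .docx).
                original = os.path.splitext(lower[: -len(ENCRYPTED_EXT)])[1]
                by_original_ext[original or "(none)"] += 1
                try:
                    mtime = os.path.getmtime(path)
                except OSError:
                    continue            # file vanished or is unreadable
                first_seen = mtime if first_seen is None else min(first_seen, mtime)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "payloads": sorted(payloads),
        "by_original_ext": dict(by_original_ext),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted}),
        "first_encrypted_utc": (
            datetime.fromtimestamp(first_seen, tz=timezone.utc).isoformat()
            if first_seen is not None else None
        ),
    }


if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

The per-extension counts and affected directories show which backups need to be restored, and the approximate first-encryption time helps narrow the window to review in mail and endpoint logs.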

Remove .goofed File Virus and Restore Files

The .goofed file virus should be deleted from the infected host. Otherwise, it can penetrate into other PCs connected to the same network or serve its creators as a gate for further malware attacks against your device. The removal process of all files and objects associated with the .goofed crypto virus is explained in our detailed guide below. For maximum efficiency and protection from future malware attacks, security experts recommend the help of an advanced anti-malware tool.

Gergana Ivanova


Gergana has completed a bachelor's degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.
