OoPS .RAMEN File Virus (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

OoPS .RAMEN File Virus (Restore Files)

This article has the agenda to show you how to remove OoPS Ransomware and attempt to restore files that have been encrypted with the added .ramen file extension.

A file encryption malware, known as OoPS ransomware has been detected at the beginning of May 2017. The virus aims to encrypt the files on the infected computers using the AES encryption algorithm. Unlike other ransomware viruses, the .ramen file virus moves the targeted files in a password-protected .zip archive with the extension .ramen. In case your computer has been infected with this ransomware virus, we advise you to read the following article thoroughly.

Threat Summary

Name.ramen Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts files using the AES encryption and then asks for a ransom to be paid in order to decrypt them.
SymptomsThe targeted files are moved into a password-protected .zip archive.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .ramen Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .ramen Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Distribution of OoPS “Ramenware” Virus

For the moment, the primary version is that OoPS ramenware virus is spread via multiple different methods including severe e-mail spam campaign. Such e-mail spam campaigns may include deceptive e-mails pretending to be from companies, like:

  • FedEx.
  • PayPal.
  • eBay.
  • Amazon.
  • AliExpress.
  • Any bank.

The e-mails may contain messages in them stating false reasons for which to open either a malicious e-mail attachment in an archive or visit a third-party URL which may lead to the infection.

Other methods by which your computer can be infected by the OoPS “ramenware” ransomware virus are to spread the malware using fake setups, fraudulent Java or Flash Player updates or license activators, key generators, etc. Such can be either uploaded on suspicious websites online or via compromised uploader accounts in torrent sites.

.ramen OoPS Ramenware – Analysis

The .ramen file virus aims for one thing only – to render your files no longer openable so that you can be extorted for a hefty ransom payoff in BTC to get them back. To get to it’s end goal, the .ramen OoPS virus makes several modifications on the computers infected by it, starting with dropping it’s malicious file, named OoPS Ramenware.exe on their drives. The file may be located in multiple different Windows folders, such as:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

In addition to this malicious file, multiple other support files may also be created for different purposes. One of those is to delete the shadow volume copies on the infected computer. This is achievable by executing a script that gains administrative privileges on the compromised computer and after this executes commands in Windows Command Prompt which deletes the backups. The commands may be the following with custom parameters set to them:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

In addition to this, the malware may modify the Windows Registry Editor so that it is possible for it’s malicious file to run on Windows start-up. For this, it may target the following registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The Encryption Process of OoPS .ramen Virus

The encryption of the .ramen ransomware is no different then most file-encrypting malware out there. The .ramen virus uses an encryption script which alters a small part of data from an original file with data from the encryption cipher, which in this case is AES (Advanced Encryption Standard).

The difference in this case, however is that this ransomware virus aims to move the encrypted files in a password-protected .zip archive. This prevents further tampering with the files, even if the ransomware is decrypted by malware researchers. The password protected archive is reported to contain the .ramen file extension.

Remove .ramen File Virus and Restore Encrypted Files

Before beginning the removal process of this ransomware virus, we advise you to backup the encrypted files from the infected computer.

For the removal process of .ramen ransomware to be complete, it is strongly recommended to follow the instructions underneath. They are designed so that the malicious objects of .ramen ransomware are isolated after which removed. However, if manual removal may be a challenge for your, security experts strongly recommend victims to focus on removing the .ramen virus automatically with an advanced anti-malware program. Installing it will also ensure that the computer is protected against future infections as well.

In case you are looking forward to restore your files, at the moment, it is not directly achievable, mainly because of the password-protected .zip archive. However, there are some alternative methods which you could attempt in step “2. Restore files encrypted by .ramen Virus” below. They are not 100% guarantee you will recover all of your missing files, however, you may have a decent chance of recovering portion of them.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share