Security researchers analyze new ransomware pieces on a daily basis. The ransomware business is definitely thriving, one of its latest additions being the so-called Booyah ransomware. The name of the threat derives from its executable, booyah.exe. The ransom message comes in a file called “WHATHAPPENDTOYOURFILES.TXT”.
| Name | Booyah Ransomware |
| --- | --- |
| Short Description | The ransomware does not append any extension to the encrypted files. |
| Symptoms | The user's files are encrypted and a "WHATHAPPENDTOYOURFILES.TXT" note is dropped in every affected folder. |
| Distribution Method | Via a program, booyah.exe, packaged with the Nullsoft installer. |
If the name appears familiar to you, it’s because several ransomware threats have used it (like CryptoWall). Perhaps it’s the same threat actors, or their affiliates. It’s a commonly known fact that ransomware-as-a-service (RaaS) has gained lots of popularity, and anyone with basic skills can buy and distribute file-encrypting threats.
Booyah Ransomware (booyah.exe Ransomware) Technical Description
Little is known about the ransomware's technical specifications, as reported by researchers at Bleeping Computer. What is known is that the ransomware's executable is packaged as an installer built with the well-known Nullsoft Scriptable Install System (NSIS), so the victim installs it like an ordinary program. Booyah.exe contains a DLL file that is responsible for the encryption process on the victim's machine.
As already mentioned, the ransom note is named “WHATHAPPENDTOYOURFILES.TXT”. It reads like this:
> Your ID: 758275
>
> * * *
>
> Hi. Your files are now encrypted. I have the key to decrypt them back.
> I will give you a decrypter if you pay me. If you pay me today, the price is only 1 bitcoin.
> If you pay me tomorrow, you will have to pay 2 bitcoins. If you pay me one week later the price
> will be 7 bitcoins and so on. So, hurry up.
The analysis performed by Bleeping Computer researchers shows that every victim receives the same ID (758275), because it is hard-coded in the ransomware.
Here is a summary of Booyah ransomware's main features:
- Encrypted folders contain a CRIPTOSO.KEY file.
- Interestingly, the ransomware doesn’t appear to add an extension to encrypted files.
- The list of all encrypted files is found in a plaintext file at "%APPDATA%\%ID%". Since the ID is the same for every victim, the path should always be "%APPDATA%\758275".
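Because no extension is added to encrypted files, the marker files above are the most practical way to scope an infection. The following triage helper is an added example, not code from the article or from Bleeping Computer's analysis: it walks a directory tree for the ransom note and CRIPTOSO.KEY, reads the hard-coded ID listing under %APPDATA%, and reports listed files that no longer exist. The folder layout it builds is a constructed sample.

```python
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "WHATHAPPENDTOYOURFILES.TXT"
KEY_FILE = "CRIPTOSO.KEY"
HARDCODED_ID = "758275"  # same ID for every victim, per the published analysis


def find_affected_folders(root):
    """Map each folder under root that holds a Booyah marker to the markers found."""
    affected = {}
    for dirpath, _dirs, files in os.walk(root):
        markers = sorted(m for m in (RANSOM_NOTE, KEY_FILE) if m in files)
        if markers:
            affected[dirpath] = markers
    return affected


def read_encrypted_file_list(appdata):
    r"""Parse the plaintext listing at %APPDATA%\<ID>; return [] if it is absent."""
    listing = Path(appdata) / HARDCODED_ID
    if not listing.is_file():
        return []
    lines = listing.read_text(errors="replace").splitlines()
    return [ln.strip() for ln in lines if ln.strip()]


def triage(root, appdata):
    """Combine folder markers with the ID listing; flag listed paths that are gone."""
    affected = find_affected_folders(root)
    listed = read_encrypted_file_list(appdata)
    missing = [p for p in listed if not os.path.isfile(p)]
    return {"affected_folders": affected, "listed": listed, "missing": missing}


def build_sample():
    """Constructed sample profile (not real malware output) for offline testing."""
    base = Path(tempfile.mkdtemp())
    docs = base / "Documents"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"ciphertext")        # stand-in for an encrypted file
    (docs / RANSOM_NOTE).write_text("Your ID: 758275\n")
    (docs / KEY_FILE).write_bytes(b"\x00" * 16)
    (base / "Music").mkdir()
    (base / "Music" / "song.mp3").write_bytes(b"audio")       # untouched folder, no markers
    appdata = base / "AppData" / "Roaming"
    appdata.mkdir(parents=True)
    (appdata / HARDCODED_ID).write_text(f"{docs / 'report.docx'}\n{docs / 'gone.xlsx'}\n")
    return str(base), str(appdata)
```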
How to Remove Booyah Ransomware from Your System
To remove Booyah ransomware completely from your machine, running a strong anti-malware program is advisable. An anti-malware solution will eradicate all traces of the ransomware but, unfortunately, won't restore your files. To try and restore your files, have a look at step 4 in the removal manual below. Keep in mind that it is still not known whether Booyah ransomware deletes Shadow Volume Copies. We will keep you posted. Also, if you've been infected, make sure to leave a comment in our forum!