ROOE ransomware hits victims worldwide
Contents
ROOE ransomware is the 206th version of DJVU malware which is designed to encrypt all files on victim’s computer, making it impossible to open them. Once installed, it scans the system for photos, documents, videos and other data formats, encrypts them, and appends .rooe extensions to them. Then the ransomware creates a ransom note called _readme.txt and leaves it on desktop and other affected file folders. According to the note, the victim needs to pay the attackers a specified sum of money in order to recover the files. The only contact details left are two emails: helpmanager@firemail.cc and helpmanager@iran.ir.
ROOE ransomware, sharing a similar name as a previous variant – ROTE ransomware, employs an extremely secure encryption method. There is no way to break or figure out the encryption algorithm. Doing so, even with the strongest computers could take years. Therefore, the criminals suggest buying a decryption software + key in the _readme.txt file. The price for the tools is $490 in Bitcoin, rising to $980 if paid later than 3 days after the initial attack.
The ransomware encryption: explained
ROOE file virus is designed to terminate security software and infiltrate the computer system silently. Once installed, it tries connecting to its Command&Control server, which provides ONLINE encryption keys for each victim individually. However, in some cases the ransomware fails to connect to its server. In such case, the malware uses an in-built encryption key.
ROOE ransomware attacks using either ONLINE, or OFFLINE encryption keys. Knowing about these keys can help you realize you chances to recover data.
Norbert Webb
To put it differently, it means that all victims affected by the offline encryption have hope to recover their files as soon as someone (also affected by the offline key) pays the ransom. This is because the key for everyone, as well as the decryption key, are identical. An indicator of offline encryption is t1 at the end of the ID located in C://SystemID/PersonalID.txt file.
If you’re a victim of the offline encryption, follow updates on this DJVU decryption guide.
This cannot be said about victims of the online encryption. Since each victim receives an unique encryption key, ROOE decryption keys also differ. In such situation, there are no free ways to recover files except having data backups.
ROOE ransomware is currently the latest version of the known ransomware, following the BBOO variant. There are no significant differences between DJVU malware variants, except the file marker used and sometimes email addresses left to contact the cyber criminals.
Victims of ROOE file virus should be aware of the fact that their computer systems are most likely infected with AZORULT password-stealing malware, which is known to spread alongside DJVU variants. Therefore, an immediate elimination of both the ransomware and the Trojan should be executed as soon as possible.
To remove ROOE ransomware safely, we recommend starting your PC in Safe Mode with Networking, then updating your antivirus and running a full system scan immediately. You can find step-by-step instructions at the end of this post.
Threat Summary
| Name | ROOE file virus |
| Type | Ransomware virus |
| Origins | STOP/DJVU (206th version) |
| Targeted systems | Windows |
| Behavior | Locks victim’s personal file using cryptographic algorithms, then asks paying a ransom in exchange for the data recovery tool |
| File extension | Marks files with .rooe extension |
| Ransom note | _readme.txt |
| Ransom demand | $490-$980 |
| Emails | helpmanager@firemail.cc, helpmanager@iran.ir |
| Distribution | Distributed via software cracks, keygens, KMSPico |
| Decryption tools | STOP Decryptor currently doesn’t support the 206th ransomware version |
| Removal | Remove using antivirus while in Safe Mode with Networking (use instructions given below) |
Ransomware distribution relies on irresponsible victims’ actions
ROOE ransomware can be found in various downloads available online. Security researchers have noticed the virus’ developers’ tendency to put the malicious payload into various software cracks, keygens, illegal and copyrighted content, tools like KMSPico and others. In other words, if you’re trying to access paid content for free, you might run into a STOP/DJVU payload without even expecting it.
While most other ransomware variants rely on malicious spam exclusively, the discussed ransomware creators don’t use such tactic at all. It probably means that the victims’ interest in illegal content is high enough and the attackers do not even need to enroll new distribution vectors to increase the attack scope.
We strongly recommend you to be extremely cautious while browsing the Internet. One irresponsible click can result in a redirect to a malicious website or a life-changing download. Therefore, if you do not want all of your life’s work or memories encrypted, stay away from suspicious websites as far as you can.
Quick way to remove ROOE ransomware virus
One of the best ways to remove ROOE ransomware virus is running an antivirus product. However, make sure you use a trustworthy one and not an infamous product such as Segurazo. Only a robust and up-to-date antivirus will help you to eliminate the ransomware together with Azorult Trojan at once.
ROOE ransomware removal isn’t a complicated task when you’re know what you’re doing. This is why we prepared easy-to-follow guidelines for you to follow. You can find them down below.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
ROOE Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove ROOE Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
.rooe file in my pc
plese solution
how to decrypt infected files?
How dycrupted file after remove virus