Cyber security professionals discovered a new variant of ransomware which named “.Rumba Ransomware“. It appends the .rumba file extension to encrypted file names. This blog post will provide you a brief summary of information related to this new ransomware, how to decrypt and recover all encrypted photos, documents and music for free.
The .Rumba Ransomware is a malware which created in order to encrypt photos, documents and music. It hijack a whole personal computer or its data and demand a ransom in order to unlock (decrypt) them. The developers of the .Rumba ransomware virus have a strong financial motive to infect as many computers as possible. The files that will be encrypted include the following file extensions:
.vdf, .wma, .y, .wav, .raf, .wsh, .webdoc, .map, .ybk, .wri, .srf, .gho, .orf, .wpb, .xls, .zdc, .bar, .crw, .psk, .erf, .sb, .mp4, .lbf, .wsd, .ppt, .wm, .fos, .pptx, .m4a, .ws, .xlsm, .forge, .mcmeta, .dxg, .xbplate, .zi, .arch00, .esm, .ibank, .xwp, .db0, .2bp, .mov, .qic, .wp6, .dwg, .das, .vpk, .mlx, .yal, .ncf, .png, .iwd, .cas, .x, .bsa, .syncdb, .doc, .wb2, .sr2, .7z, .wmf, .asset, .raw, .wcf, .sum, .desc, .arw, .pem, .xlsb, .tor, .xyw, .dmp, .zdb, .wp, .apk, .mdbackup, .p7b, .xml, .docm, .jpeg, .zif, .p7c, .cr2, .wsc, .3ds, .xx, .wbm, .wpd, .xdb, .itl, .wpt, .vtf, .crt, .ltx, .dbf, .xmind, .wmv, .webp, .wpd, .epk, .wire, .rwl, .hvpl, .zip, .d3dbsp, .docx, .upk, .pdf, .wn, .dazip, .cfr, .fsh, .bc6, .rar, .pst, .zip, .bkp, .wdb, .ods, .sav, .csv, .xlk, .sidd, wallet, .dcr, .kf, .iwi, .odp, .itm, .wotreplay, .avi, .cer, .wbz, .pef, .rw2, .m3u, .1st, .w3x, .mef, .hkx, .mrwref, .wbk, .rtf, .odm, .xxx, .xyp, .ai, .wma, .cdr, .sie, .xy3, .lvl, .ztmp, .wpg, .dba, .rb, .rofl, .bik, .xlsx, .itdb, .sql, .big, .ptx, .css, .xar, .mdb, .xld, .xlsm, .wp5, .wdp, .icxs, .bay, .wps, .xpm, .dng, .yml, .x3d, .rim, .1, .z3d, .gdb, .wpw, .sis, .wbc, .3fr, .z, .wps, .snx, .p12, .3dm, .js, .litemod, .ff, .r3d, .accdb, .kdb, .pdd, .x3f, .t12, .zw, .0, .t13, .jpe, .pptm, .fpk, .mddata, .indd, .wmd
Once the encryption procedure is done, it will drop a ransom note called “_openme.txt” offering decrypt all users documents, photos and music if a payment is made. An example of the ransom note is:
ALL YOUR FILES ARE ENCRYPTED Don't worry, you can return all your files! All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://files.danwin1210.me/uploads/01-2019/Decrypt Software Overview.avi Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: firstname.lastname@example.org Reserve e-mail address to contact us: email@example.com Your personal ID:
Unfortunately, at this time, victims of the .Rumba ransomware virus cannot decrypt encrypted personal files without the actual encryption key. But you can use our guidance below to find and remove Rumba ransomware virus from your machine as well as restore encrypted files for free.
Update: with some variants of this ransomware, it is possible to use STOPDecrypter (free tool) to decrypt files that have been encrypted (files with .rumba extension).
Table of contents
- How to remove .Rumba Ransomware virus
- How to decrypt .rumba files
- Use STOPDecrypter to decrypt .rumba files
- How to restore .rumba files
- How to protect your computer from .Rumba ransomware
How to remove .Rumba Ransomware virus
The .Rumba ransomware virus can hide its components which are difficult for you to find out and remove completely. This may lead to the fact that after some time, the virus again infect your personal computer and encrypt your personal files. Moreover, I want to note that it is not always safe to remove ransomware manually, if you don’t have much experience in setting up and configuring the Microsoft Windows operating system. The best method to detect and remove .Rumba ransomware virus is to run free malware removal software which are listed below.
Use Zemana Anti-malware to remove .Rumba ransomware virus
We recommend you to run the Zemana Anti-malware which are completely clean your PC system of this virus. Moreover, the utility will help you to remove potentially unwanted software, malware, toolbars and adware that your machine can be infected too.
- Download Zemana Anti-Malware (ZAM) from the link below.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your web-browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- After the download is finished, please close all applications and open windows on your machine. Next, launch a file named Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana Free onto your PC. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Anti-Malware (ZAM) will launch and open the main window.
- Further, click the “Scan” button to perform a system scan with this tool for the .Rumba Ransomware virus and other malware. This process can take quite a while, so please be patient. While the Zemana Free application is checking, you can see count of objects it has identified as threat.
- When the scan get finished, you can check all items found on your system.
- Once you have selected what you wish to remove from your system click the “Next” button. The utility will start to remove .Rumba ransomware virus and other security threats. Once finished, you may be prompted to reboot the personal computer.
- Close the Zemana AntiMalware and continue with the next step.
Delete .Rumba Ransomware virus with MalwareBytes Anti-Malware (MBAM)
We suggest using the MalwareBytes AntiMalware (MBAM). You can download and install MalwareBytes Free to detect and delete .Rumba ransomware from your system. When installed and updated, this free malware remover automatically searches for and removes all threats present on the machine.
Download MalwareBytes Anti Malware (MBAM) by clicking on the link below.
Category: Security tools
Update: July 25, 2019
When downloading is done, close all applications and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as displayed below.
When the installation begins, you will see the “Setup wizard” which will help you setup Malwarebytes on your computer.
Once install is finished, you’ll see window as shown in the figure below.
Now press the “Scan Now” button for scanning your system for the .Rumba ransomware virus and other security threats. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system. While the tool is scanning, you can see how many objects and files has already scanned.
After the scan get completed, MalwareBytes Anti-Malware (MBAM) will display a scan report. Once you have selected what you want to remove from your personal computer click “Quarantine Selected” button.
The Malwarebytes will now delete .Rumba Ransomware virus related files, folders and registry keys. After the procedure is finished, you may be prompted to restart your machine.
The following video explains step-by-step guidance on how to remove browser hijacker, adware and other malware with MalwareBytes.
Remove Rumba Ransomware with KVRT
The KVRT utility is free and easy to use. It may scan and remove various malware such as the .Rumba Ransomware. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the system.
Download Kaspersky virus removal tool (KVRT) on your computer from the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is complete, you will see the KVRT screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to begin checking your PC for the .Rumba ransomware and other malicious software. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. When a malware, adware or PUPs are detected, the count of the security threats will change accordingly. Wait until the the scanning is finished.
As the scanning ends, the results are displayed in the scan report as displayed in the figure below.
Review the scan results and then click on Continue to begin a cleaning process.
How to decrypt .rumba files
The ransom note offers victim to contact .Rumba Ransomware’s developers in order to decrypt all photos, documents and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
There is absolutely no guarantee that after pay a ransom to the makers of the Rumba ransomware, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files. Especially since you have a chance to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .rumba files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba).
Please check the twitter post for more info.
How to restore .rumba files
In some cases, you can recover files encrypted by .Rumba Ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Use shadow copies to restore .rumba files
A free tool called ShadowExplorer is a simple method to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can recover .rumba files encrypted by the .Rumba ransomware from Shadow Copies for free.
Please go to the link below to download ShadowExplorer. Save it on your Desktop.
Category: Security tools
Update: February 27, 2018
After the downloading process is complete, extract the saved file to a folder on your computer. This will create the necessary files as displayed in the figure below.
Run the ShadowExplorerPortable program. Now select the date (2) that you want to restore from and the drive (1) you wish to restore files (folders) from as displayed on the screen below.
On right panel navigate to the file (folder) you want to restore. Right-click to the file or folder and click the Export button as shown on the screen below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Use PhotoRec to restore .rumba files
Before a file is encrypted, the .Rumba ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore applications such as PhotoRec.
Download PhotoRec on your MS Windows Desktop by clicking on the following link.
Category: Security tools
Update: March 1, 2018
After downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as displayed below.
Choose a drive to recover as shown on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as on the image below.
Press File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, press Browse button to select where recovered documents, photos and music should be written, then click Search.
Count of recovered files is updated in real time. All restored files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as on the image below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your computer from .Rumba ransomware
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus application, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your computer from .Rumba ransomware
Download CryptoPrevent by clicking on the link below. Save it on your Desktop.
Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can select a level of protection, as shown below.
Now press the Apply button to activate the protection.
To sum up
After completing the tutorial outlined above, your PC should be clean from .Rumba ransomware and other malicious software. Your personal computer will no longer encrypt your files. Unfortunately, if the steps does not help you, then you have caught a new variant of ransomware virus, and then the best way – ask for help here.