A new variant of ransomware virus has been discovered by cyber security experts. It appends the .drume file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails and malware.
Drume ransomware is a malware that created in order to encrypt files. It hijack a whole PC or its data and demand a ransom in order to unlock (decrypt) them. The authors of the .Drume ransomware have a strong financial motive to infect as many computers as possible. The files that will be encrypted include the following file extensions:
.zif, .apk, .7z, .wma, .menu, .rofl, .wmv, .wbmp, .r3d, .zw, .zdb, .mddata, .fos, .hplg, .y, .forge, .t13, .x, .wri, .wpt, .yal, .wsh, .lbf, .wb2, .w3x, .zabw, .docx, .db0, .p7b, .lrf, .3dm, .sidd, .wot, .dazip, .bkp, .wotreplay, .desc, .ppt, .flv, .iwd, .gho, .svg, .rb, .esm, .yml, .d3dbsp, .bc6, .ysp, .xlsx, .wbz, .hkdb, .pdd, .srw, .lvl, .sis, .bc7, .pkpass, .crt, .sie, .odp, .layout, .indd, .0, .iwi, .fpk, .zi, .docm, .cer, .pst, .asset, .xls, .orf, .wp, .dwg, .blob, .rw2, .xlsb, .wps, .pfx, .sid, .wpe, .xlsm, .mlx, .wmv, .x3f, .wmo, .x3f, .wpd, .odb, .kf, .vcf, .mdf, .zdc, .xml, .dxg, .txt, .cas, .cr2, .xlgc, .itdb, .xpm, .3fr, .wdp, .pptx, .wpw, .m4a, .ff, .wav, .dba, .rwl, .ltx, .vpk, .fsh, .wps, .psk, .litemod, .xll, .map, .odt, .sav, .xbdoc, .rgss3a, .xls, .arch00, .wpd, .xdl, .bkf, .hkx, .xxx, .qdf, .vdf, .xf, .das, .csv, .zip, .mrwref, .odm, .ncf, .kdb, .bsa, .2bp, .wbd, .tor, .1, .itm, .sum, .re4, .ibank, .xdb, .eps, .jpg, .sr2, .xbplate, .t12, .xlsm, .wm, .bar, .der, .rim, .crw, .upk, .wp5, .dcr, .xx, .snx, .cfr, .vtf, .3ds, .jpeg, .wn, .bik, .wmf, .epk, .icxs, .big, .p12, .dbf, .ztmp, .pef, .z, .xlk, .wdb, .vfs0, .py, .xmind, .wire, .xlsx, .xyp, .wsc, .srf, .vpp_pc, .qic, .m2, .wp4, .mov, .arw, .pak, .ybk, .wbm, .nrw, .png, .webdoc, .1st, wallet, .pptm, .doc, .dng, .pdf, .xar, .wmd, .odc, .xld, .ntl, .wpa, .wsd, .css, .xyw, .js, .wcf, .erf, .sql, .m3u, .wgz, .avi, .jpe, .cdr, .wp7, .rar, .wbk, .bay, .wpg, .raw, .ptx, .raf, .pem, .tax, .itl, .wbc
Once the encryption process is finished, it will drop a ransom note named “_open_.txt” offering decrypt all users documents, photos and music if a payment is made. You can see an one of the variants of the ransom demanding message below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: blower@india.com Reserve e-mail address to contact us: blower@firemail.cc Your personal ID:
Use our guidance below to find and remove .Drume ransomware from your system as well as restore (decrypt) encrypted files for free.
Quick links:
- How to remove .Drume ransomware
- How to decrypt .drume files
- Use STOPDecrypter to decrypt .drume files
- How to restore .drume files
- How to protect your computer from .Drume ransomware?
- Finish words
How to remove .Drume ransomware
Before you launch the procedure of restoring files that has been encrypted, make sure .Drume ransomware is not running. Firstly, you need to delete this virus permanently. Happily, there are several malware removal utilities which will effectively detect and delete .Drume ransomware and other crypto virus malicious software from your PC.
Remove .Drume ransomware virus with Zemana Anti-malware
We suggest you to use the Zemana Anti-malware that are completely clean your personal computer of this ransomware virus. Moreover, the tool will help you to remove trojans, malware, worms and adware that your PC system can be infected too.
- Download Zemana AntiMalware (ZAM) from the link below.
Zemana AntiMalware
164115 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your internet browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- When downloading is done, please close all apps and open windows on your machine. Next, launch a file named Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana Anti-Malware onto your machine. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Free will open and display the main window.
- Further, click the “Scan” button . Zemana Anti Malware (ZAM) tool will begin scanning the whole PC system to find out .Drume ransomware virus and other kinds of potential threats. During the scan Zemana Anti-Malware will scan for threats exist on your machine.
- When the system scan is done, Zemana AntiMalware will open a scan report.
- When you are ready, press the “Next” button. The tool will delete .Drume ransomware virus and other security threats. Once the cleaning procedure is finished, you may be prompted to reboot the computer.
- Close the Zemana Free and continue with the next step.
How to automatically remove Drume ransomware with MalwareBytes
You can remove Drume ransomware automatically with a help of MalwareBytes. We recommend this free malicious software removal utility because it can easily remove ransomware, adware, malware and other undesired programs with all their components such as files, folders and registry entries.
Installing the MalwareBytes is simple. First you will need to download MalwareBytes Anti-Malware on your machine from the link below.
326468 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the downloading process is done, close all windows on your machine. Further, run the file called mb3-setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” that will assist you install MalwareBytes Anti-Malware on the personal computer. Follow the prompts and don’t make any changes to default settings.
Once installation is done successfully, click Finish button. Then MalwareBytes Free will automatically start and you can see its main window as on the image below.
Next, press the “Scan Now” button to start scanning your personal computer for the Drume ransomware and other security threats. This task can take some time, so please be patient. When a threat is detected, the count of the security threats will change accordingly.
After the scan is finished, a list of all threats detected is produced. All found threats will be marked. You can get rid of them all by simply click “Quarantine Selected” button.
The MalwareBytes Anti-Malware will remove Drume ransomware related files, folders and registry keys and add threats to the Quarantine. When the cleaning procedure is finished, you can be prompted to restart your computer. We suggest you look at the following video, which completely explains the procedure of using the MalwareBytes Free to remove hijacker infections, adware software and other malicious software.
Delete .Drume ransomware virus with KVRT
If MalwareBytes anti malware or Zemana anti-malware cannot remove this ransomware virus, then we advises to run the KVRT. KVRT is a free removal utility for viruses, adware software, trojans, ransomware and other malware.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop from the link below.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is complete, you will see the Kaspersky virus removal tool screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to start checking your computer for the .Drume ransomware and other known infections. This process can take some time, so please be patient. When a threat is detected, the number of the security threats will change accordingly. Wait until the the checking is finished.
Once that process is finished, Kaspersky virus removal tool will create a list of undesired programs adware software as displayed on the image below.
When you are ready, click on Continue to begin a cleaning task.
How to decrypt .drume files
The .Drume ransomware uses a strong encryption algorithm with 2048-bit key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the .Drume ransomware virus entire amount requested – the only method to try to get the decryption key and decrypt all your files.
Should you pay the ransom? A majority of cyber threat analysts will reply immediately that you should never pay a ransom if infected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all files!
With some variants of Drume Ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .drume files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.drume).
Please check the twitter post for more info.
How to restore .drume files
In some cases, you can restore files encrypted by .Drume ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Use shadow copies to recover .drume files
An alternative is to recover .drume files from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Microsoft Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing personal files that were damaged by .Drume ransomware virus. The guide below will give you all the details.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer from the link below. Save it to your Desktop.
438828 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown below.
Double click ShadowExplorerPortable to launch it. You will see the a window like below.
In top left corner, select a Drive where encrypted documents, photos and music are stored and a latest restore point as shown below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as shown on the image below.
Recover .drume files with PhotoRec
Before a file is encrypted, the .Drume ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover software such as PhotoRec.
Download PhotoRec on your PC by clicking on the following link.
When the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen as shown in the following example.
Choose a drive to recover as displayed in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as shown below.
Click File Formats button and select file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, press Browse button to select where recovered photos, documents and music should be written, then click Search.
Count of restored files is updated in real time. All recovered personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as on the image below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from .Drume ransomware?
Most antivirus software already have built-in protection system against the virus. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from .Drume ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the page linked below to download HitmanPro Alert. Save it on your Desktop.
When the download is finished, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is started, you’ll be shown a window where you can select a level of protection, like below.
Now click the Install button to activate the protection.
Finish words
After completing the step-by-step guidance shown above, your PC system should be free from .Drume ransomware and other malicious software. Your PC system will no longer encrypt your documents, photos and music. Unfortunately, if the step-by-step guide does not help you, then you have caught a new ransomware, and then the best way – ask for help here.