.drume Files Virus (STOP) – WHAT IS IT and How to Remove It

This article explains what the .drume files ransomware is, how to remove it from your computer and how you can try to get your files working again.

The .drume files ransomware is a new variant of the STOP ransomware family. What distinguishes this variant is that, after encrypting files, it drops a ransom note file called _open.txt. The note's purpose is to convince victims to pay a ransom in Bitcoin in exchange for a decryption tool that removes the .drume extension and makes the files readable again. If your computer has been infected by the .drume ransomware, be advised that paying the ransom is NOT advisable, and do not try to recover files by simply renaming them to strip the extension: the content is still encrypted and renaming changes nothing. Read on to learn how to remove the STOP .drume variant and how you can try to get your files back.

Threat Summary

Name: .drume Files Virus
Type: Ransomware, Cryptovirus
Short Description: A variant of the STOP ransomware family. Encrypts files on the infected computer and then extorts the victim into paying a hefty ransom to get the files to work again.
Symptoms: Encrypted files are renamed with the .drume extension appended. The ransomware drops a ransom note file called _open.txt.
Distribution Method: Spam e-mails, e-mail attachments, executable files
Detection Tool: See if your system has been affected by .drume Files Virus (malware removal tool download)
User Experience: Join our forum to discuss .drume Files Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

.drume Files Virus – Distribution Methods

The .drume ransomware may use several different infection methods to compromise victim computers. Its main goal is to get onto the machine without the victim noticing. To that end, it may spread its files via malicious e-mail attachments that pretend to be:

  • Invoices.
  • Receipts.
  • Important documents.
  • Reports from a bank or work.

Once victims are fooled into opening such an e-mail and downloading and running its attachment, their computer is compromised.

Besides e-mail, another distribution method the .drume ransomware may use is for the criminals to upload the malicious files to various sites around the web and present them there under a false description. The infection file of .drume ransomware may be made to look like a:

  • Crack.
  • Patch.
  • License activator.
  • Key generator.
  • Portable version of software.
  • Setup of software.

.drume Files Virus – Activity

Once the .drume ransomware starts running on the victimised computer, it immediately drops its payload files. They may reside under different names in the following user-writable Windows directories (the article's shorthand, mapped to the real locations under C:\Users\<user>):

  • %AppData% (AppData\Roaming)
  • %LocalAppData% (AppData\Local)
  • AppData\LocalLow
  • %Temp%

Among the files dropped is STOP ransomware's new ransom note, called _open.txt. It contains the following message (the e-mail addresses did not survive extraction and are shown as placeholders):

ATTENTION!
Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
=======================================================
To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
030GHsgdfT7878YsY9gsafa2aeetLxfdZoulAkTNqXPJl8V0kIPOLEikCi047g
================================================

Once the files are dropped, the .drume version of STOP ransomware may begin to modify the Windows registry of the compromised computer. The ransomware may create values under the following keys (the Run and RunOnce keys give it persistence across logons; the remaining keys control the logon screen, desktop personalization and the screensaver timeout):

→ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
HKEY_CURRENT_USER\Control Panel\Desktop (ScreenSaveTimeOut value)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
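The two behaviours above, payload files dropped into user-writable profile directories and persistence written to the Run/RunOnce keys, can be checked from an elevated PowerShell prompt. The script below is an added example written for this article, not code from the original page or from the STOP malware itself. It assumes Windows with PowerShell 5.1 or later; the seven-day cutoff (-Since) and the "suspect" path pattern are assumptions of the example and should be adjusted to the suspected infection time. It reports only and changes nothing.

```powershell
param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed cutoff; set to suspected infection time

# Drop locations listed in the article, expressed as the real environment
# variables / paths behind the article's shorthand.
$dropDirs = @(
    $env:APPDATA,                                   # %AppData%      -> AppData\Roaming
    $env:LOCALAPPDATA,                              # %LocalAppData% -> AppData\Local
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'),
    $env:TEMP
) | Where-Object { $_ -and (Test-Path $_) }

Write-Host "== Executables created since $Since in user-writable drop directories =="
$dropDirs | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -Force -File -ErrorAction SilentlyContinue `
        -Include *.exe, *.dll, *.bat, *.cmd, *.vbs, *.ps1 |
        Where-Object { $_.CreationTime -ge $Since } |
        ForEach-Object {
            # SHA-256 so the file can be looked up or shared without shipping the sample.
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{ Created = $_.CreationTime; Size = $_.Length; SHA256 = $hash; Path = $_.FullName }
        }
} | Sort-Object Created | Format-Table -AutoSize

# Autorun keys named in the article. HKCU covers the current user only; the
# Run/RunOnce keys of other profiles live under HKEY_USERS\<SID>.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# An autorun value that launches something from a profile directory is the one
# to look at first; installed software normally starts from Program Files.
$suspectPattern = '(?i)\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\|\\Users\\Public\\'

Write-Host "`n== Autorun entries =="
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath/PSParentPath/... metadata
        $flag = if ("$($p.Value)" -match $suspectPattern) { 'SUSPECT' } else { '' }
        '{0,-8} {1,-60} {2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# Logon-screen and personalization keys the article says the ransomware writes to.
# Print current values so they can be compared with a known-good machine.
$uiKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
)
Write-Host "`n== Logon-screen / personalization policy keys =="
foreach ($key in $uiKeys) {
    if (Test-Path $key) { Get-ItemProperty -Path $key | Format-List } else { "$key : not present" }
}
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
Write-Host ("`n== Desktop: Wallpaper = {0}; ScreenSaveTimeOut = {1}" -f $desktop.Wallpaper, $desktop.ScreenSaveTimeOut)
```

Run it as Administrator so HKLM and every profile directory are readable. A SUSPECT autorun entry pointing at a recently created executable in one of the drop directories is the combination to preserve (copy the file and note its hash) before any cleanup removes it.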

Besides modifying the registry, the .drume variant of STOP ransomware may also execute a malicious file whose primary purpose is to run the following commands through the Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet

The purpose of this script is to stop the services that could detect or undo the attack (Windows Defender, Security Center, Windows Update, BITS and error reporting), to disable the Windows Recovery Environment at boot and make the boot loader ignore failures, and finally to delete all volume shadow copies, so that you cannot get your files back through Previous Versions or System Restore. (The first line reads "VVS" in the captured script; the Volume Shadow Copy service is named VSS.)
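Whether those commands actually ran on a given machine can be verified, and the recovery settings put back, from an elevated PowerShell prompt. The script below is an added example for this article, not part of the original page or of the malware; the -Restore switch is this example's own convention, and without it the script only reports. It assumes PowerShell 5.1 or later on Windows.

```powershell
param([switch]$Restore)   # example's own switch: re-enable what the ransomware turned off

# Service names from the article's captured script. The script says 'VVS';
# the real Volume Shadow Copy service is 'VSS', so that is what we check.
$services = 'VSS', 'wscsvc', 'WinDefend', 'wuauserv', 'BITS', 'ERSvc', 'WerSvc'

Write-Host "== Service state =="
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { '{0,-10} not installed on this Windows build' -f $name; continue }
    '{0,-10} {1,-8} start={2}' -f $name, $svc.Status, $svc.StartType
    # 'sc stop' only stops a service; a Disabled start type means something else changed it.
    if ($Restore -and $svc.Status -ne 'Running' -and $svc.StartType -ne 'Disabled') {
        Start-Service -Name $name -ErrorAction SilentlyContinue
    }
}

Write-Host "`n== Volume shadow copies =="
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
    $shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize
} else {
    "No shadow copies present (deleted by 'vssadmin Delete Shadows /All /Quiet', or never created)."
}

# bcdedit prints 'recoveryenabled  No' and 'bootstatuspolicy  IgnoreAllFailures'
# after the article's commands; braces must be quoted so PowerShell passes them literally.
Write-Host "`n== Boot configuration ({default} entry) =="
$bcd = bcdedit /enum '{default}' 2>&1 | Out-String
$recoveryOff       = $bcd -match 'recoveryenabled\s+No'
$bootPolicyIgnored = $bcd -match 'bootstatuspolicy\s+IgnoreAllFailures'
"recoveryenabled disabled        : $recoveryOff"
"bootstatuspolicy ignores failures: $bootPolicyIgnored"

if ($Restore) {
    if ($recoveryOff)       { bcdedit /set '{default}' recoveryenabled Yes }
    if ($bootPolicyIgnored) { bcdedit /set '{default}' bootstatuspolicy DisplayAllFailures }
}
```

Restoring recoveryenabled and the boot status policy only gets the Windows Recovery Environment back; deleted shadow copies are gone, which is why the file recovery methods later in this article rely on other sources.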

.drume Files Virus – Encryption

To encrypt files on your computer, the .drume ransomware may run several routines that scan the PC for the kinds of files users work with most often, such as:

  • Documents.
  • Images.
  • Videos.
  • Archives.
  • Audio files.
  • Files, used by various programs.

The .drume variant of STOP ransomware then may encrypt them using AES-256, with the symmetric file-encryption key in turn protected by an asymmetric (public) key so that only the criminals' private key can recover it; this is the "unique key" the ransom note refers to. The result is that each encrypted file has .drume appended to its name, for example document.docx becomes document.docx.drume.
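Before attempting any recovery it helps to know how much was encrypted, when, and which identifiers the ransom note carries. The script below is an added example written for this article, not code from the original page; it assumes the extension (.drume) and note name (_open.txt) reported above and PowerShell 5.1 or later, scans all fixed drives by default, and never renames or rewrites anything (renaming an encrypted file does not decrypt it). The regular expressions used to pull the personal ID and contact addresses out of the note are this example's own.

```powershell
param(
    # Fixed drives by default; pass -Root 'D:\Shares' to limit the scan (assumed parameter).
    [string[]]$Root = @((Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3').DeviceID |
                        ForEach-Object { "$_\" }),
    [string]$Extension = '.drume',
    [string]$NoteName  = '_open.txt'
)

$encrypted = @(foreach ($r in $Root) {
    Get-ChildItem -Path $r -Recurse -Force -File -Filter "*$Extension" -ErrorAction SilentlyContinue
})
if ($encrypted.Count -eq 0) { "No *$Extension files found under $($Root -join ', ')"; return }

"== $($encrypted.Count) encrypted files =="
# The ransomware appends its extension, so the original type is the extension just before it.
$encrypted |
    Group-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLower() } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'OriginalType'; e = { if ($_.Name) { $_.Name } else { '(none)' } } }, Count |
    Format-Table -AutoSize

# LastWriteTime of the encrypted files brackets when the encryption ran; correlate it
# with e-mail delivery times and the creation time of dropped payload files.
$sorted = $encrypted | Sort-Object LastWriteTime
'Encryption window: {0} .. {1}' -f $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime

"`n== Directories with the most encrypted files =="
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

"`n== Ransom notes =="
$notes = @(foreach ($r in $Root) {
    Get-ChildItem -Path $r -Recurse -Force -File -Filter $NoteName -ErrorAction SilentlyContinue
})
$ids = @(); $mails = @()
foreach ($n in $notes) {
    $text = Get-Content -Path $n.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $text) { continue }
    # "Your personal ID:" is followed by the per-victim identifier on the next line.
    if ($text -match 'Your personal ID:\s*\r?\n\s*(\S+)') { $ids += $Matches[1] }
    $mails += @([regex]::Matches($text, '[\w.+-]+@[\w-]+\.[\w.-]+') | ForEach-Object { $_.Value })
}
"Notes found   : $($notes.Count)"
"Personal IDs  : $(($ids   | Sort-Object -Unique) -join ', ')"
"Contact mails : $(($mails | Sort-Object -Unique) -join ', ')"
```

One personal ID across all notes is the normal case; more than one suggests the machine was hit by more than one run of the ransomware, and each ID plus the contact addresses are what identification services and decryptor authors ask for.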

Remove .drume Files Virus and Try Getting Data Back

If you want to get rid of the .drume files virus from your computer, we strongly recommend that you first make a fresh backup of the encrypted files, for example by copying them to an external drive. Removal tools may quarantine or delete them, and a decryptor released later can only help if the encrypted originals still exist.

To remove the .drume ransomware virus, you can follow the removal instructions underneath this article. They are designed to help you delete this virus either manually or automatically from your computer. Automatic removal is recommended, since it scans your computer with anti-malware software built to remove this type of threat, which should leave the computer clean of the virus and protected in the future as well.

If you want to try to get your files back, we strongly recommend that you look at the alternative file recovery methods below. They are intended to help you recover as many encrypted files as possible, even though they may not be 100% effective.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering the new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic online-safety education for every user.
