.rumba Files Virus - How to Remove It
THREAT REMOVAL


This blog post has been created with the main goal of explaining what the .rumba file variant of STOP ransomware is and showing you ways in which you can try to remove it from your computer.

A new ransomware virus going by the .rumba file extension has been detected by security researchers. The virus appends the .rumba file extension to the files it has encrypted. Its primary purpose is to convince victims to pay a ransom in order to retrieve their files. If your computer system has been infected by the .rumba ransomware variant of STOP, we suggest that you read this article.

Threat Summary

Name: .rumba Files Virus
Type: Ransomware, Cryptovirus
Short description: Variant of STOP ransomware, part of the DJVU ransomware strain. Aims to encrypt files on the compromised computer and then ask victims to pay a ransom to get them back.
Symptoms: Files are encrypted with an additional .rumba file extension. The virus then drops a ransom note containing the extortion message.
Distribution method: Spam e-mails, e-mail attachments, executable files
Detection tool: See If Your System Has Been Affected by .rumba Files Virus (Download Malware Removal Tool)
User experience: Join our Forum to Discuss .rumba Files Virus.
Data recovery tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, only some of them, depending on the situation and on whether or not you have reformatted the drive.

.rumba Files Virus – Distribution Methods

The primary distribution methods used by the .rumba ransomware are believed to be e-mail spam campaigns that deliver malicious files as attachments.

The files attached to the e-mails might be of the following file types:

  • .JS (JavaScript files).
  • .DOCX (Microsoft Word document with malicious macros).
  • .PDF (Adobe Reader files).
  • .EXE (executables).
  • .VBS (Visual Basic Script files).

The malicious files can also be uploaded to suspicious websites, where they might pose as various types of legitimate programs, such as:

  • Portable software.
  • Cracks.
  • Patches.
  • License activators.

So far, the .rumba variant of STOP ransomware has been reported to be spread across the following countries:

  • Poland
  • Malaysia
  • South Korea
  • Thailand
  • Indonesia
  • Ukraine
  • Venezuela
  • Ecuador
  • Chile
  • Brazil
  • Peru
  • Greece
  • Egypt
  • Others

Another way of replication, recently reported by malware researcher Amigo A at id-ransomware.blogspot.com, is propagation via malicious Windows updates or via programs that have already been compromised:

.rumba Files Virus – Infection Activity and Analysis

Rumba ransomware is part of the STOP ransomware family, most of whose variants have been detected using the following extensions:

And this is just a part of the many variants of STOP ransomware. The virus is of the ransomware type, which means that it aims to encode your files and then demand a large sum, around $600, to be paid within 3 days to get the cyber-criminals to restore your files; if that is not done, the ransomware will likely increase the ransom payment.

The main infection file of the .rumba virus has been reported by researchers and uploaded to VirusTotal with the following information:

→ SHA-256: 48586462fb24005bcf8139ac2a8af0873b9bb99cb544fccaa24ac124c099beb9
File name: dump-2228224.mem
File size: 347.5 KB

The virus file was reported to perform HTTP requests to domains related to rosalus.ug. The requests are as follows:

GET request to hxxp://rosalos.ug/get_v2.php?pid=C28944D8AF49B3B7F79ED7D4845CB9B3
GET request to hxxp://rosalos.ug/xxx/updatewin1.exe

In addition, the virus may use the following IP addresses to communicate:

  • 77.123.139.189:443
  • 185.120.56.96:80

After infection, the .rumba variant of STOP ransomware may open the following files on the infected computer:

→ \\.\PIPE\ROUTER
\\.\PIPE\lsarpc
c:\autoexec.bat
C:\48586462fb24005bcf8139ac2a8af0873b9bb99cb544fccaa24ac124c099beb9
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\rsaenh.dll

Furthermore, the virus may read and extract information from the following files:

→ c:\autoexec.bat
C:\48586462fb24005bcf8139ac2a8af0873b9bb99cb544fccaa24ac124c099beb9
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\rsaenh.dll

Shortly after this, .rumba STOP ransomware may copy the following object into the %AppData% directory of Windows:

→ C:\Documents and Settings\\Local Settings\Application Data\595e5c57-6a16-4ce3-b5da-63e1ccaec198\48586462fb24005bcf8139ac2a8af0873b9bb99cb544fccaa24ac124c099beb9

For some reason, the same file that was copied is later deleted from the same directory.

The .rumba file ransomware may also create the following process with deny parameters:

→ icacls "C:\Documents and Settings\\Local Settings\Application Data\595e5c57-6a16-4ce3-b5da-63e1ccaec198" /deny *S-1-1-0:(OI)(CI)(DE

To synchronise, .rumba file ransomware may also create and open the mutex RasPbFile.

After infection, STOP .rumba ransomware may load the following Windows system files (libraries):

secur32.dll
shell32.dll
wsock32
ws2_32
comctl32.dll
rasapi32.dll
rtutils.dll
rpcrt4.dll
rasman.dll
c:\windows\system32\msv1_0.dll
sensapi.dll
ntdll.dll
userenv.dll
netapi32.dll
version.dll
wintrust.dll
schannel
urlmon.dll
wininet.dll
c:\windows\system32\mswsock.dll
dnsapi.dll
rasadhlp.dll
hnetcfg.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\schannel.dll
clbcatq.dll
kernel32.dll
psapi.dll
rsaenh.dll

Then, the ransomware proceeds to its malicious activity of obtaining administrator privileges and using those privileges to drop its payload, delete shadow copies, copy information and modify the Windows Registry.

Once the computer is infected, the .rumba files virus may drop its payload files in the following Windows directories:

  • %Windows%
  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Once that is done, the .rumba ransomware may also drop its ransom note file, which is believed to look like the following:

---------------- All your files are encrypted ----------------

Don't worry, you can return all your files!
All your files, documents, photos, databases and other important files are encrypted with the strongest encryption and a unique key.
The only method of recovering files is to purchase the decrypt tool and a unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give you?
You can send one of your encrypted files from your PC and we will decrypt it for free.
But we can decrypt only 1 file for free. The file must not contain valuable information.
Don't try to use third-party decrypt tools because it will destroy your files.
A 50% discount is available if you contact us in the first 72 hours.

-----------------------------------------

To get this software you need to write to our e-mail:

Reserve e-mail address to contact us:

Your personal ID:
[Redacted, 43 alphanumeric characters]

In addition to those activities, the .rumba files virus may also modify the Run and RunOnce Windows sub-keys on the victims' computers:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
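As an added example (not code from the article or from SensorsTechForum), the following Python snippet triages a Registry export of those Run/RunOnce keys and flags autostart values whose target lies in a GUID-named folder under one of the drop directories the article names; the .reg text, the user name "user" and the value names are constructed placeholders.

```python
import re

# Added example, not from the article: flag Run/RunOnce autostart entries whose
# target sits in a GUID-named folder under a user-profile drop directory, the
# layout the article reports for the .rumba payload. Input is a constructed
# .reg export; the user name and the value names are placeholders.

RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)}
# Drop locations named in the article (%AppData%, %Local%, %LocalLow%, %Roaming%, %Temp%).
DROP_DIRS = ("\\application data\\", "\\appdata\\local\\", "\\appdata\\locallow\\",
             "\\appdata\\roaming\\", "\\temp\\")
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)

def parse_reg_export(text):
    """Yield (key, value_name, data) from a minimal .reg export; un-escapes \\\\ and \\"."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]  # drop the outer quotes of the REG_SZ value
            data = data.replace("\\\\", "\\").replace('\\"', '"')
            yield key, name.strip('"'), data

def suspicious_autostarts(text):
    """Return Run/RunOnce entries whose command points into a GUID folder in a drop dir."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() in RUN_KEYS and GUID_DIR.search(data) \
                and any(d in data.lower() for d in DROP_DIRS):
            hits.append((key, name, data))
    return hits

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdateHelper"="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\595e5c57-6a16-4ce3-b5da-63e1ccaec198\\48586462fb24005bcf8139ac2a8af0873b9bb99cb544fccaa24ac124c099beb9\""
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''
```

Running `suspicious_autostarts(SAMPLE_REG)` on the constructed export returns only the "UpdateHelper" entry; the OneDrive value is left alone because its target is neither in a drop directory nor in a GUID-named folder.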

Furthermore, the .rumba files virus may also delete the shadow copies on the victim computer by running the following commands as an administrator:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd /C bcdedit /set {default} recoveryenabled No
cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
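Detection logic for those recovery-inhibiting commands and for the icacls deny command reported earlier, as an added example that is not part of the article: Python rules run over constructed process-creation log lines in an assumed "<time> <parent> -> <command line>" format, with the service names and command forms taken from the article.

```python
import re

# Added example, not from the article: detect the service-stop, bcdedit, vssadmin and
# icacls commands the article attributes to .rumba in constructed process-creation log
# lines ("<time> <parent> -> <cmdline>"; the log format and "<payload>.exe" are assumed).

SECURITY_SERVICES = {"vvs", "vss", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

RULES = {
    # sc stop <service>; only security-, update- or shadow-copy-related services count
    "service_stop": re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I),
    # bcdedit disabling Windows recovery or ignoring boot failures
    "boot_recovery_tamper": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    # vssadmin deleting all shadow copies
    "shadow_copy_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I),
    # icacls denying Everyone (S-1-1-0) on a directory, as reported for the payload folder
    "acl_deny_everyone": re.compile(r"\bicacls(?:\.exe)?\s+.*?/deny\s+\*S-1-1-0:", re.I),
}

def classify(cmdline):
    """Return the names of RULES matched by one command line (possibly several)."""
    matched = []
    for name, rx in RULES.items():
        m = rx.search(cmdline)
        # stopping a service unrelated to security, updates or VSS is not suspicious by itself
        if m and not (name == "service_stop" and m.group(1).lower() not in SECURITY_SERVICES):
            matched.append(name)
    return matched

def scan_log(lines):
    """Map each matched rule to the command lines that triggered it."""
    findings = {}
    for line in lines:
        cmd = line.split(" -> ", 1)[-1]
        for rule in classify(cmd):
            findings.setdefault(rule, []).append(cmd)
    return findings

SAMPLE_LOG = [  # constructed lines; the commands mirror those quoted in the article
    "10:01:02 <payload>.exe -> sc stop WinDefend",
    "10:01:02 <payload>.exe -> sc stop wuauserv",
    "10:01:03 <payload>.exe -> sc stop Spooler",
    "10:01:04 <payload>.exe -> cmd /C bcdedit /set {default} recoveryenabled No",
    "10:01:04 <payload>.exe -> cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    '10:01:05 <payload>.exe -> "C:\\Windows\\System32\\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet',
    '10:01:06 <payload>.exe -> icacls "C:\\Users\\user\\AppData\\Local\\595e5c57-6a16-4ce3-b5da-63e1ccaec198" /deny *S-1-1-0:(OI)(CI)(DE)',
    "10:02:00 explorer.exe -> notepad.exe C:\\Users\\user\\notes.txt",
]
```

On the constructed log, `scan_log(SAMPLE_LOG)` reports two service stops, two boot-recovery changes, one shadow-copy deletion and one ACL lockdown, while the Spooler stop and the notepad launch produce nothing.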

.rumba Ransomware – Encryption Process

For the .rumba files virus to encrypt the files on the compromised computer, the ransomware may first scan the system for files. This scan allows the virus to detect only the files it is set to encrypt, which usually turn out to be:

  • Audio files.
  • Image files.
  • Document file types.
  • Video files.
  • Archives.
  • Virtual drives.

The .rumba files virus may then begin to encrypt the files by overwriting data blocks of their original structure. This makes the files impossible to open, and they start to appear as the image below shows:

Remove .rumba Files Virus and Try to Decrypt Your Files

If you want to remove the .rumba files virus, we suggest that you use the removal instructions underneath this article. They have been created to assist you in manually finding and removing the malicious files of the .rumba ransomware. But if manual removal does not seem to help, for maximum effectiveness we suggest that you remove this virus using anti-malware software, as most cyber-security experts would do. Such software aims to identify and delete all malicious objects related to .rumba file ransomware from your computer, and to protect your computer in real time as well.

Fortunately, a decryptor is available for files encrypted by most of the STOP ransomware variants, and if the .rumba variant is part of the STOP ransomware family, we strongly recommend that you check the decryption tool for STOP ransomware if you want to restore your files. It is available at the following decryption tool link. Remember that for the decryption you will need one original file and its encrypted counterpart, so that you can decrypt all of your files this way.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years. He started out as a network administrator. Having graduated in marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

1 Comment

  1. Marcio Cassiano

    Dear,
    I would like to know if files contaminated by RUMBA have already been decrypted, for ID: ILVB810gCvHGkaDADuTbmq3dQsdSXyZT2bsuUicnV.
