Remove Rumble Crypt Ransomware and Restore Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Rumble Crypt Ransomware and Restore Encrypted Files

A researcher at Fortinet Security has discovered a new ransomware variant called Rumble Crypt. The virus has been reported to have a Tor-based payment page, which points to the possibility that it is already up and running. Rumble Crypt has a single aim: to infect as many users as possible and encrypt their files using a strong encryption algorithm. The encrypted files can no longer be opened with any program, and the only guaranteed way to open them again is to obtain a decryption key from the cyber-criminals after contacting them and paying the ransom. Malware research experts strongly advise infected users not to pay the ransom. Instead, you may remove the ransomware yourself and try alternative methods to recover your files using the information in this article.

Threat Summary

Name: Rumble Crypt
Type: Ransomware
Short Description: The malware encrypts users’ files, dropping a ransom message as a text file and an .HTML file.
Symptoms: The user may witness ransom messages and “instructions” and a sound message, all linking to a web page and a decryptor.
Distribution Method: Via an exploit kit.
Detection Tool: See If Your System Has Been Affected by Rumble Crypt (Download Malware Removal Tool)
User Experience: Join our forum to discuss Rumble Crypt Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Rumble Crypt Ransomware – Distribution

To spread widely, Rumble Crypt’s hacking team may use spamming software in combination with other tools that distribute the malicious files via redirects to hazardous web links or via malicious e-mail attachments. The spam messages usually carry obfuscated executables designed to run while remaining hidden, so that they bypass firewalls and other real-time protection.

The e-mails may have different subjects and content, usually written to be as convincing as possible, for example:

(Screenshot of a sample Rumble Crypt spam e-mail.)

Rumble Crypt Ransomware – More Information

As soon as Rumble Crypt has been installed on your computer, the ransomware may drop its payload, which may consist of different types of files:

  • (.exe) – an executable file that is the main module of the ransomware; it may modify the registry entries of the user PC, change the wallpaper and encrypt files.
  • (.bat) – a batch file whose only purpose may be to delete the volume shadow copies on the user PC with the following command:
    → vssadmin delete shadows /for={Drive Volume} /all /quiet
  • (.vbs) – a script that may copy, display and change different information on the computer and show it either to the user or to the cyber-criminals.
  • (.tmp) – temporary files used by the infection.
  • (.dll) – DLL support modules.

The malicious files may be located in the usually targeted Windows folders, which are:

    • %AppData%
    • %System%
    • %Roaming%
    • %SystemDrive%
    • %Temp%
    • %Local%
    • %LocalLow%

Once the files are dropped, the ransomware may modify the Windows Registry so that these executables run automatically when Windows boots. The usually targeted registry keys are the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
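As an added detection example (not code from the article, from Fortinet or from any vendor tool), the following Python checks constructed Windows telemetry for the two behaviours described above: the batch component’s vssadmin shadow-copy deletion and autorun values under the Run/RunOnce/RunServices/Userinit keys listed that point into the drop folders named earlier. The event dictionaries, user name, file names and paths are constructed samples, not real Rumble Crypt artifacts.

```python
import re

# Autorun keys the article lists: HKLM/HKCU Run, RunOnce, RunServices,
# RunServicesOnce, Winlogon\Userinit and Windows NT\CurrentVersion\Windows.
AUTORUN_KEY_RE = re.compile(
    r"^HK(LM|CU|EY_LOCAL_MACHINE|EY_CURRENT_USER)\\Software\\Microsoft\\"
    r"Windows( NT)?\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce|Winlogon\\Userinit|Windows)$",
    re.IGNORECASE,
)
# Expanded forms of the drop folders named above (%AppData%, %Local%, %Temp%);
# a legitimate autorun entry rarely launches from these.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def is_shadow_deletion(command_line: str) -> bool:
    """True for any 'vssadmin delete shadows ...' command line (the .bat step)."""
    return bool(VSSADMIN_RE.search(command_line))


def is_suspicious_autorun(key_path: str, value_data: str) -> bool:
    """True when an autorun value points into a user-writable drop folder."""
    if not AUTORUN_KEY_RE.match(key_path.strip()):
        return False
    data = value_data.lower()
    return any(folder in data for folder in SUSPICIOUS_DIRS)


def triage(events):
    """Return (finding, detail) pairs for events matching either indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and is_shadow_deletion(ev["cmd"]):
            hits.append(("shadow_copy_deletion", ev["cmd"]))
        elif ev["type"] == "registry" and is_suspicious_autorun(ev["key"], ev["data"]):
            hits.append(("suspicious_autorun", ev["key"] + " = " + ev["data"]))
    return hits


# Constructed sample telemetry (not real Rumble Crypt artifacts): two process
# creations and three autorun values; triage() should flag exactly three.
SAMPLE_EVENTS = [
    {"type": "process", "cmd": r"vssadmin.exe delete shadows /for=C: /all /quiet"},
    {"type": "process", "cmd": r"vssadmin list shadows"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\rc_sample.exe"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Local\Temp\rc_sample.exe"},
]
```

The Userinit sample shows why the check looks at the whole value rather than its first path: the legitimate userinit.exe stays in place and the dropped executable is appended after the comma.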

Once its malicious files run on startup, Rumble Crypt begins encrypting. The virus looks for widely used file types, which are usually:

• Videos.
• Audio files.
• Databases.
• Photoshop files.
• Microsoft Office documents.
• Files associated with other often used software.

After encryption, the data enciphered by Rumble Crypt ransomware becomes utterly useless. Rumble Crypt may also append a file extension, either random or derived from its name, after the original file extension. The virus may use either the AES or the RSA encryption algorithm to generate a unique key, which is sent to the cyber-criminals’ command and control servers.

The virus then drops a ransom note as a text file and an .HTML file, which leads to the following web page:

(Screenshot of the Rumble Crypt ransom web page.)

Rumble Crypt Ransomware – Conclusion, Removal, File Restoration

Judging by its ransom note, Rumble Crypt ransomware relies primarily on Tor to communicate with its victims. It also uses the e-mail address rumblecrypt@rediffmail.com for so-called “customer support” by the cyber-crooks. Experts strongly advise that this virus be removed immediately from any infected computer instead of paying ransom money in BitCoin to cyber-criminals who may or may not deliver.

To remove Rumble Crypt ransomware, we strongly advise you to follow the step-by-step instructions below and use the information in this article to look for the malicious files and other objects dropped on your computer by Rumble Crypt ransomware. Furthermore, experts strongly advise users to download an advanced anti-malware program, for two good reasons: it provides significantly increased protection against ransomware, and, more importantly, it will automatically and swiftly detect and remove Rumble Crypt ransomware from your computer.

To attempt file restoration, we advise you to try the steps from section “3. Restore files encrypted by Rumble Crypt” until researchers release a decryptor, which we will post in this article as an update.

Manually delete Rumble Crypt from your computer

Note! Important notice about the Rumble Crypt threat: manual removal of Rumble Crypt requires interfering with system files and registry entries, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Rumble Crypt files and objects
2. Find malicious files created by Rumble Crypt on your PC
3. Fix registry entries created by Rumble Crypt on your PC

Automatically remove Rumble Crypt by downloading an advanced anti-malware program

1. Remove Rumble Crypt with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Rumble Crypt in the future
3. Restore files encrypted by Rumble Crypt
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
