
Remove Rumble Crypt Ransomware and Restore Encrypted Files


A researcher at Fortinet Security has discovered a new ransomware variant, called Rumble Crypt. The virus has been reported to have a Tor-based payment page, which points to the possibility that it is already up and running. Rumble Crypt has a single aim: to infect as many users as possible and encrypt their files using a strong encryption algorithm. The encrypted files can no longer be opened with any program, and the only 100 percent working way to recover them remains receiving a decryption key from the cyber-criminals after contacting them and paying the ransom amount. Malware research experts strongly advise infected users not to pay the ransom. Instead, you may remove it yourself and try alternative methods to recover your files by using the information in this article.

Threat Summary

Name: Rumble Crypt
Short Description: The malware encrypts users’ files, dropping a ransom message as a text and an .HTML file.
Symptoms: The user may witness ransom messages and “instructions” and a sound message, all linking to a web page and a decryptor.
Distribution Method: Via an exploit kit.
Detection Tool: See If Your System Has Been Affected by Rumble Crypt (Malware Removal Tool)
User Experience: Join our forum to Discuss Rumble Crypt Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Rumble Crypt Ransomware – Distribution

To spread widely, Rumble Crypt’s hacking team may use spamming software in combination with other tools that spread the malicious files via redirects to hazardous web links or even malicious e-mail attachments. The spam messages usually carry obfuscated executables designed to run while remaining hidden, thereby bypassing firewalls and other real-time protection.

The e-mails may contain different subjects and content that usually aims to be as convincing as possible, for example:


Rumble Crypt Ransomware – More Information

As soon as Rumble Crypt has been installed on your computer, the ransomware may drop its payload, which may consist of different types of files:

  • (.exe) – an executable file that is the main module of the ransomware; it may modify the registry entries of the user’s PC as well as change wallpapers and encrypt files.
  • (.bat) – a batch file which may exist simply to delete the volume shadow copies on the user’s PC by using the following command:

    → vssadmin delete shadows /for={Drive Volume} /all /quiet

  • (.vbs) – a script that may copy, display and change different information on the computer and display it either to the user or to the cyber-criminals.
  • (.tmp) – temporary files for the infection.
  • (.dll) – DLL support modules.

The malicious files may be located in the usually targeted Windows folders, which are:

  • %AppData%
  • %System%
  • %Roaming%
  • %SystemDrive%
  • %Temp%
  • %Local%
  • %LocalLow%

After the files are dropped, the ransomware may modify the Windows Registry so that these executables are run automatically when Windows boots up. The usually targeted registry keys are the ones below:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
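As an added example (not code from the article or from the ransomware), the following PowerShell audit walks the autorun keys listed above, flags any value whose command points into one of the drop folders named earlier, and reports how many volume shadow copies remain; the function names are my own, and the shadow-copy query assumes an elevated prompt.

```powershell
# Added example: audit the autorun keys and shadow copies that the article
# says Rumble Crypt may tamper with. Function names are hypothetical.
$AutorunKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
  'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Userinit value lives here
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
  'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

# Folders the article lists as usual drop locations; an autorun command that
# points into one of these deserves a closer look.
$SuspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                 (Join-Path $env:USERPROFILE 'AppData\LocalLow'))

function Get-SuspiciousAutoruns {
  foreach ($key in $AutorunKeys) {
    if (-not (Test-Path $key)) { continue }          # key absent on this Windows build
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }           # skip provider metadata (PSPath etc.)
      $cmd = [string]$p.Value
      # Expand %AppData%-style variables so the path comparison is meaningful.
      $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
      $hit = $SuspectDirs | Where-Object {
        $_ -and $expanded.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
      }
      if ($hit) {
        [pscustomobject]@{ Key = $key; Value = $p.Name; Command = $cmd }
      }
    }
  }
}

# A zero count on a volume that previously had restore points is consistent
# with the vssadmin deletion described above having already run.
function Get-ShadowCopyCount {
  @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
"Shadow copies present: $(Get-ShadowCopyCount)"
```

Legitimate software also registers under these keys, so treat a hit as a lead to verify (publisher, signature, install date), not as proof of infection.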

After its malicious files run on startup, the encryption process started by Rumble Crypt begins. This virus looks for widely used types of files, which are usually:

  • Videos.
  • Audio files.
  • Databases.
  • Photoshop files.
  • Microsoft Office documents.
  • Files associated with other often used software.

After encryption, the data enciphered by Rumble Crypt ransomware becomes utterly useless. Rumble Crypt may also append a file extension that is random or corresponds to its name after the original file extension. The virus may use either the AES or the RSA encryption algorithm to generate a unique key, which is sent to the cyber-criminals’ command and control servers.

The virus then drops a ransom note as a text file and an .HTML file which leads to the following web page:


Rumble Crypt Ransomware – Conclusion, Removal, File Restoration

Judging by the ransom note of this virus, Rumble Crypt ransomware is primarily oriented toward using Tor networking to communicate with its victims. It also uses an e-mail address for so-called “customer support” by the cyber-crooks. Experts strongly advise that this virus should immediately be removed from any infected computer instead of paying ransom money in Bitcoin to cyber-criminals who may or may not deliver.

To remove Rumble Crypt ransomware, we strongly advise you to follow the step-by-step instructions below and use the information in this article to look for the malicious files and other objects dropped on your computer by Rumble Crypt ransomware. Furthermore, experts strongly advise users to download an advanced anti-malware program for several good reasons. One of them is that it significantly increases protection against ransomware; the other, more important reason is that it will automatically and swiftly detect and remove Rumble Crypt ransomware from your computer.

To attempt file restoration, we advise you to attempt the steps from section “3. Restore files encrypted by Rumble Crypt” until researchers release a decryptor, which we will post in this article as an update.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
