Rumba Ransomware


Systems Affected

All versions of Windows including Windows 7, Windows 8.1 and Windows 10

Threat Level



Rumba is a ransomware that restricts access to your data by encrypting files and then attempts to extort money from victims by demanding a "ransom", in the form of Bitcoin cryptocurrency, in exchange for restoring access to the data.


The Rumba ransomware is distributed via spam email containing infected attachments or by exploiting vulnerabilities in the operating system and installed software. The majority of reported incidents indicate that the ransomware hid behind freeware such as free video editing software, as well as corrupted links and torrents. It can also pose as a fake system or program update. It can likewise use spam emails that seem legitimate on the surface to deceive victims; for instance, the email may appear to come from a well-known company. The contents urge you to click a link or download an attachment.
Once Rumba ransomware is installed on your computer, it creates a randomly named executable in the %AppData% or %LocalAppData% folder. This executable is launched and begins scanning all the drive letters on your computer for data files to encrypt. The Rumba ransomware searches for files with certain file extensions to encrypt, including important productivity documents such as .doc, .docx, .xls and .pdf, among others. The Rumba ransomware changes the name of each encrypted file to the .Rumba format.
Once your files are encrypted, the ransomware creates the _openme.txt ransom note in each folder in which a file has been encrypted, and on the Windows desktop. These files contain instructions on how to contact the cyber criminals and get your files back.
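The on-disk traces described above (files renamed with the .Rumba extension and _openme.txt notes dropped beside them) are what a responder looks for first. The following triage scanner is an added example, not code from the advisory or from Sri Lanka CERT|CC; it assumes the original extension is kept in the file name before the appended .Rumba suffix, and the sample folder it builds is constructed for the demonstration.

```python
# Added example (not from the advisory): walk a directory tree and collect
# the indicators the advisory describes, so a responder can confirm which
# folders and document types were hit. Sample tree below is constructed.
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "_openme.txt"     # note name given in the advisory
ENCRYPTED_SUFFIX = ".rumba"      # compared case-insensitively
# Productivity document types the advisory names as targets
TARGET_EXTS = {".doc", ".docx", ".xls", ".pdf"}


def scan_for_rumba_indicators(root):
    """Return encrypted file paths, folders holding a ransom note, the
    original extensions seen before '.Rumba', and an overall verdict."""
    encrypted, note_dirs, hit_exts = [], set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.add(dirpath)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                # assumption: original extension sits just before .Rumba
                orig_ext = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()
                if orig_ext in TARGET_EXTS:
                    hit_exts.add(orig_ext)
    return {"encrypted": sorted(encrypted),
            "note_dirs": sorted(note_dirs),
            "hit_extensions": sorted(hit_exts),
            # both indicators together are a much stronger signal than one
            "likely_infected": bool(encrypted) and bool(note_dirs)}


def build_sample_tree():
    """Constructed sample data mimicking the post-infection layout."""
    root = tempfile.mkdtemp(prefix="rumba_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    for fname in ("report.docx.Rumba", "budget.xls.Rumba", "notes.txt"):
        (docs / fname).write_bytes(b"placeholder")
    (docs / RANSOM_NOTE).write_text("constructed ransom note text")
    (Path(root) / RANSOM_NOTE).write_text("constructed ransom note text")
    return root


if __name__ == "__main__":
    print(scan_for_rumba_indicators(build_sample_tree()))
```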


Once infected with the ransomware, users lose access to their files and documents. All the files are encrypted, and to recover them victims are expected to submit the payment and obtain the decryption key.

Solution/ Workarounds

  ✻  Update to the latest version of Mozilla Firefox on Windows, Linux and Mac.



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.