How to remove Rumba virus and restore encrypted files

In the article I will try to give the most complete information about the Rumba virus, based on the STOP and DJVU ransomware. Methods of virus infection, algorithms of its work, ways to get rid of the malware and the possibility to recover files.

What is Rumba virus

Rumba extension is a new variant of STOP or DJVU ransomware. At the end of 2017, a ransomware virus appeared, which, after encryption, added the Stop extension to damaged files. On this extension, and was given the name for the virus. After this, many more modifications of the ransomware virus appeared, the difference between them was to change the extension of the file. The most recent ones are rumba, tfudet and tfude. All these extensions appeared in January 2019, and judging by the flow of new virus modifications, it can be argued with some certainty that the extortioner successfully copes with the task of earning money to their developers. The average amount of the ransom is in the region of $ 500, which, as a rule, must be transferred to the bitcoin wallet of hackers. Also characteristic of all viruses is the threat to double the ransom amount, after 72 hours. From the master's shoulder, the extortionists agree to demonstrate the work of their decryptor in one small file sent to them by e-mail. The mail address can be found in the self-starting window of the file called _openme.txt,! Readme.txt, or with names similar to it, in general, it is difficult to skip the file that wants to float literally everywhere.


---------------------------------------------- ALL YOUR FILES ARE ENCRYPTED -----------------------------------------------

Don't worry, you can return all your files!

All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

What guarantees do we give to you?

You can send one of your encrypted file from your PC and we decrypt it for free.

But we can decrypt only 1 file for free. File must not contain valuable information

Don't try to use third-party decrypt tools because it will destroy your files.

Discount 50% available if you contact us first 72 hours.


To get this software you need write on our e-mail:

helpshadow @

Reserve e-mail address to contact us:

helpshadow @

Your personal ID: ...



The mode of distribution of the extortionist is fairly standard: it is downloaded with pirated programs and cracks for games. After that, a message about updating the system appears, which in fact turns out to be false. Interestingly, the built-in Windows defender simply disables the virus.


Rumba consists of a totally legal cryptography system that encrypts all folders on customer’s workstation, so you can't utilize them in any manner. The key is encrypted too, but with another algorithm. Usually, swindlers favour RSA and AES manners, which have asserted themselves the most complex and fail-safe. The mentioned algorithms and the software based on them can be easily found in the Net, so scammers just need to create defensive mechanisms, to block an admittance to a ransomware, and make the reliable control and update pattern. Some encrypting programs just act off-line, and fraudsters know of another victim only when he approaches them and sends the funds. Other encrypting viruses are more active, and transmit data to thousands URL's, to puzzle the researchers and throw them off virus’ track.


There are several possibilities to test, prior to giving in and expecting for a decryption tool. As we said earlier, Internet-criminals make errors, and certain specialties of the operating system might serve you to recover data.


  • A backup is the single fully effective manner to get the data back, but you have to uninstall Rumba first. Ensure that Rumba is uninstalled in full, as if it’s not – all data will be corrupted one more time, with the files that were stored on a flash disc.
  • If you do not employ the Windows from an administrator's account – you're really lucky. The matter is that your OS replicates all data prior to their removal or change. Those files are known as the Shadow Volume Copies, and the malware knows how to eliminate them. If you're working from the user's profile – the system asks for a confirmation at the exact second Rumba attempts to delete these copies. In case you've seen such window and ignored it – your copies are secure, and might be used to recover the data.


In case you revised all these opportunities and you have no way to get back your data – you should remove Rumba from your computer and wait until a decryption software will be published.

How to remove Rumba

I decided to publish with the article the general steps to remove the virus, but when dealing specifically with this extortionist, even experts give in, so if you are inexperienced, use caution. Decryption tips will be lower.

Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


We suggest you to try Spyhunter anti-viral software which is not simply effective, but also modern and constantly advancing program which is able to clean your system of all harmful programs. Click the link below to buy it and uninstall Rumba.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program. More information about Spyhunter, EULA and Privacy policy.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files

On restoration: as I have already said, there is no decryptor. If you do not have backup files, then there is not much chance of recovery. From the really working programs, you can try Recuva and ShadwExplorer. They are not the most intuitive interface, but you can figure it out quickly. If you are very lucky, the virus did not kill copies of files from the Windows archive, provided that the archiving was configured. You can restore it in the following way:

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 0.00 [0 Votes]

You have no rights to post comments



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience