Threat Database Ransomware Curumim Ransomware

Curumim Ransomware

Threat Scorecard

Ranking: 17,114
Threat Level: 20 % (Normal)
Infected Computers: 298
First Seen: February 7, 2019
Last Seen: June 21, 2023
OS(es) Affected: Windows

The Curumim Ransomware is an encryption ransomware Trojan that was first observed on November 4, 2017. The Curumim Ransomware is based on HiddenTear, an open source ransomware platform first released in August 2015. Since its release, HiddenTear has been the basis for countless ransomware Trojans, including the Curumim Ransomware itself. The Curumim Ransomware targets computer users in Portuguese-speaking regions, particularly in Brazil. The Curumim Ransomware is identical in its attack to the countless other HiddenTear variants that are active today. Victims of the Curumim Ransomware attack are asked to contact the cybercrooks at the email address o carry out payment.

This Little Guy can Cause a Lot of Problems

The purpose of the Curumim Ransomware, just like most encryption ransomware Trojans, is to take the victim's files hostage. To do this, the Curumim Ransomware uses the AES encryption to make the victim's files inaccessible. Once the victim's files are no longer accessible, the Curumim Ransomware delivers a ransom note that demands the payment of a ransom. The Curumim Ransomware targets the user-generated files in its attack, while avoiding the Windows system files since threats like the Curumim Ransomware need Windows to remain functional so that the victim can read the ransom note and carry out the payment. The Curumim Ransomware will encrypt a wide variety of files in its attack. The examples of the file extensions that the Curumim Ransomware will search for during its attack include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The Curumim Ransomware identifies the files encrypted by the attack by adding the file extension '.curumim' at the end of each affected file' name. This word, 'curumim,' seems to translate from the Brazilian Portuguese into 'young Indian,' and the Curumim Ransomware includes a picture of a cartoon native in its ransom note.

How the Curumim Ransomware Demands Payment from the Victims of the Attack

The Curumim Ransomware delivers its ransom note after encrypting the victim's files. The Curumim Ransomware will change the infected PC's desktop image into a black screen with a red text and a cartoon image of a Native South American child. Victims of the attack will receive the following message written in Portuguese:

'Seus arquivos estao criptografados!
Voce tem apenas 1 Dia
Para entrar em contato ou seus arquivos serao totalmente perdidos!'

The translation into English of the above text reads:

'Your files are encrypted!
You only have 1 day
To get in touch or your files will be totally lost!'

Dealing with a Curumim Ransomware Infection

Unfortunately, the Curumim Ransomware and other HiddenTear variants use a strong encryption method that makes it impossible to restore the files encrypted by the attack. This is why computer users should avoid following the instructions in the Curumim Ransomware's ransom note or communicating with the people responsible for this attack in any way; it is very unlikely that these people will help computer users restore their files, and they may demand ransom amounts that are quite elevated. Paying it, regardless of the result, is what allows the con artists to continue developing and creating new threats like the Curumim Ransomware. Instead of paying the ransom, computer users are advised to take preventive measures by establishing good file backup procedures on the cloud or an external memory device.


Curumim Ransomware may call the following URLs:


Most Viewed