Curumim Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Ranking: 17,114
Threat Level: 20 % (Normal)
Infected Computers: 298
First Seen: February 7, 2019
Last Seen: June 21, 2023
OS(es) Affected: Windows
The Curumim Ransomware is an encryption ransomware Trojan that was first observed on November 4, 2017. The Curumim Ransomware is based on HiddenTear, an open source ransomware platform first released in August 2015. Since its release, HiddenTear has been the basis for countless ransomware Trojans, including the Curumim Ransomware itself. The Curumim Ransomware targets computer users in Portuguese-speaking regions, particularly in Brazil. The Curumim Ransomware is identical in its attack to the countless other HiddenTear variants that are active today. Victims of the Curumim Ransomware attack are asked to contact the cybercrooks at the email address lordashadow@gmail.com to carry out payment.
This Little Guy can Cause a Lot of Problems
The purpose of the Curumim Ransomware, just like most encryption ransomware Trojans, is to take the victim's files hostage. To do this, the Curumim Ransomware uses AES encryption to make the victim's files inaccessible. Once the victim's files are no longer accessible, the Curumim Ransomware delivers a ransom note that demands the payment of a ransom. The Curumim Ransomware targets the user-generated files in its attack, while avoiding the Windows system files, since threats like the Curumim Ransomware need Windows to remain functional so that the victim can read the ransom note and carry out the payment. The Curumim Ransomware will encrypt a wide variety of files in its attack. Examples of the file extensions that the Curumim Ransomware will search for during its attack include:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
The Curumim Ransomware identifies the files encrypted by the attack by adding the file extension '.curumim' at the end of each affected file's name. The word 'curumim' seems to translate from Brazilian Portuguese as 'young Indian,' and the Curumim Ransomware includes a picture of a cartoon native in its ransom note.
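The two behaviours described above, renaming user documents by appending '.curumim' and sparing system files, give a defender a clean detection signal: a burst of renames that append that suffix to files with targeted extensions. The script below is an added example written for this page, not code from the article or from the malware; it assumes a constructed, minimal file-event format (timestamp, operation, old path, new path) since real EDR and Sysmon schemas differ, and it uses a subset of the extension list quoted above. The sample events are constructed.

```python
"""Detect a Curumim/HiddenTear-style mass-rename burst from file events.

Added example (not from the original article). The FileEvent schema and the
sample events are constructed assumptions; adapt the parser to your telemetry.
"""
import os
from collections import deque
from dataclasses import dataclass

# Subset of the targeted extensions listed in the article.
TARGETED_EXTENSIONS = {
    ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".mp4",
    ".sql", ".zip", ".psd", ".java", ".py", ".txt",
}
# Suffix the article says is appended to every encrypted file.
ENCRYPTED_SUFFIX = ".curumim"


@dataclass
class FileEvent:
    ts: float          # seconds since epoch (constructed)
    op: str            # "rename" or "create"
    path: str          # path after the operation
    old_path: str = "" # path before a rename


def is_encryption_rename(ev: FileEvent) -> bool:
    """True if a rename appends .curumim to a file whose original extension is targeted.

    Non-targeted files (e.g. .dll) are ignored, matching the article's note that
    the Trojan leaves Windows system files alone.
    """
    if ev.op != "rename" or not ev.old_path:
        return False
    if ev.path.lower() != ev.old_path.lower() + ENCRYPTED_SUFFIX:
        return False
    ext = os.path.splitext(ev.old_path)[1].lower()
    return ext in TARGETED_EXTENSIONS


def detect_mass_encryption(events, threshold=5, window_seconds=10.0):
    """Sliding-window burst detector.

    Returns one (timestamp, count) alert per burst in which at least `threshold`
    encryption-style renames occur within `window_seconds`. A single stray
    rename never alerts; a quiet gap longer than the window ends the burst.
    """
    recent = deque()
    alerts = []
    in_burst = False
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_encryption_rename(ev):
            continue
        # Drop renames that fell out of the window.
        while recent and ev.ts - recent[0] > window_seconds:
            recent.popleft()
        if not recent:
            in_burst = False  # the previous burst went quiet
        recent.append(ev.ts)
        if len(recent) >= threshold and not in_burst:
            alerts.append((ev.ts, len(recent)))
            in_burst = True
    return alerts


# Constructed sample: six documents renamed one second apart, one benign
# rename to .bak, then one isolated .curumim rename much later.
SAMPLE_EVENTS = [
    FileEvent(ts=float(i), op="rename",
              old_path=f"C:/Users/ana/Documents/relatorio{i}.docx",
              path=f"C:/Users/ana/Documents/relatorio{i}.docx.curumim")
    for i in range(6)
] + [
    FileEvent(ts=7.0, op="rename",
              old_path="C:/Users/ana/Documents/old.docx",
              path="C:/Users/ana/Documents/old.docx.bak"),
    FileEvent(ts=100.0, op="rename",
              old_path="C:/Users/ana/Pictures/foto.jpg",
              path="C:/Users/ana/Pictures/foto.jpg.curumim"),
]

if __name__ == "__main__":
    for ts, count in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT t={ts:.0f}s: {count} '.curumim' renames within window")
```

The threshold and window are tuning knobs: a user legitimately renaming a handful of files will not trip it, while HiddenTear-derived Trojans rename whole directories in seconds. Feeding real rename telemetry (Sysmon Event ID 11/23 or your EDR's file-rename stream) into `FileEvent` is the only adaptation needed.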
How the Curumim Ransomware Demands Payment from the Victims of the Attack
The Curumim Ransomware delivers its ransom note after encrypting the victim's files. The Curumim Ransomware will change the infected PC's desktop image into a black screen with red text and a cartoon image of a Native South American child. Victims of the attack will receive the following message written in Portuguese:
'Seus arquivos estao criptografados!
Voce tem apenas 1 Dia
Para entrar em contato ou seus arquivos serao totalmente perdidos!
lordashadow@gmail.com'
The translation into English of the above text reads:
'Your files are encrypted!
You only have 1 day
To get in touch or your files will be totally lost!
lordashadow@gmail.com'
Dealing with a Curumim Ransomware Infection
Unfortunately, the Curumim Ransomware and other HiddenTear variants use a strong encryption method that makes it impossible to restore the files encrypted by the attack. This is why computer users should avoid following the instructions in the Curumim Ransomware's ransom note or communicating with the people responsible for this attack in any way; it is very unlikely that these people will help computer users restore their files, and they may demand ransom amounts that are quite high. Paying the ransom, regardless of the result, is what allows the con artists to continue developing and creating new threats like the Curumim Ransomware. Instead of paying the ransom, computer users are advised to take preventive measures by establishing good file backup procedures on the cloud or an external storage device.
URLs
Curumim Ransomware may call the following URLs:
wwmnnl.com