What is BlackRuby ransomware? And how does it implement its attack?
BlackRuby ransomware is a file-encrypting Trojan that also carries a cryptocurrency-mining component. It is the first ransomware of its kind to install a miner on the infected system. Another unusual trait is that it attacks all kinds of systems but skips any machine whose IP address is located in Iran.
Based on analysis, BlackRuby ransomware is designed to encrypt many kinds of files, such as pictures, audio, videos, documents, databases, text files and so on. Encrypted files are easy to recognize: they get a generic white icon and the extension “Encrypted_%[random characters]%.BlackRuby”. In addition, this crypto-malware drops a modified version of XMRig to mine Monero; according to researchers, the mining component is most likely installed in the AppData directory of the infected system. After encryption it also deletes all shadow volume copies of the affected files, which makes recovery nearly impossible without the decryption key or a decryption tool. BlackRuby then displays its ransom note in a text file named “how-to-decrypt-files.txt”, which is quite long. Here is an excerpt from the ransom note:
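Two of the behaviours described above leave traces in process-creation telemetry: the deletion of shadow volume copies and a miner launched out of a user's AppData directory. The following added example (not code from the article or from any researcher it cites) triages constructed Sysmon-style events for both. It assumes the shadow copies are removed with the usual vssadmin or wmic commands (the article does not name the command) and that the modified XMRig keeps XMRig's stock options such as -o and --donate-level; the sample events are constructed and contain no real infrastructure.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry), one dict per
# event, in the shape a SIEM might return for Sysmon Event ID 1 / Windows 4688.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4188, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u wallet --donate-level 1"},
    {"pid": 3001, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5150, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# Shadow-copy deletion via the two built-in tools (assumed mechanism, see lead-in).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# Stock XMRig-style arguments: a stratum pool URL or the donate-level switch.
MINER_ARGS = re.compile(r"stratum\+tcp://|--donate-level\b", re.I)
# Executables running from a per-user or all-users application-data folder.
APPDATA_IMAGE = re.compile(r"\\AppData\\|\\Application Data\\", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    cmdline: str


def triage(events):
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if any(p.search(cmd) for p in SHADOW_DELETE):
            findings.append(Finding(ev["pid"], "shadow-copy-deletion", cmd))
        # A miner is only interesting here when it runs from AppData, which is
        # where the article says the mining component is dropped.
        if APPDATA_IMAGE.search(ev["image"]) and MINER_ARGS.search(cmd):
            findings.append(Finding(ev["pid"], "miner-from-appdata", cmd))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} cmd={f.cmdline}")
```

The shadow-copy rule fires on any host, not just a ransomware victim, so in production it is usually paired with a parent-process check (an Office application or a freshly dropped binary spawning vssadmin is far more suspicious than a backup agent doing so).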
=== Identification Key ===
[redacted] === Identification Key ===
[Can not access your files?] Congratulations, you are now part of our family #BlackRuby Ransomware. The range of this family is wider and bigger every day.
Our hosts welcome our presence because we will give them a scant souvenir from the heart of Earth.
This time, we are guest with a new souvenir called “Black Ruby”. A ruby in black, different, beautiful, and brilliant, which has been bothered to extract those years and you must also endure this hard work to keep it. If you do not have the patience of this difficulty or you hate some of this precious stone, we are willing to receive the price years of mining and finding rubies for your relief and other people of the world who are guests of the black ruby.
So let’s talk a little bit with you without a metaphor and literary terms to understand the importance of the subject.
It does not matter if you’re a small business or you manage a large organization, no matter whether you are a regular user or a committed employee, it’s important that you have a black ruby and to get rid of it, you need to get back to the previous situation and we need the next step.
The breadth of this family is not supposed to stop because we have enough knowledge and you also trust our knowledge.
We are always your backers and guardian of your information at this multi-day banquet and be sure that no one in the world can take it from you except for us who extracts this precious stone.
We need a two-sided cooperation in developing cybersecurity knowledge. The background to this cooperation is a mutual trust, which will result in peace and tranquility, you must pay $650 (USD) worth of Bitcoins for restoring your system to the previous state and you are free to choose to stay in this situation or return to the normal.
Do not forget that your opportunity is limited. From these limits, you can create golden situations. Be sure we will help you in this way and to know that having a black ruby does not always mean riches. You and your system are poor, poor knowledge of cybersecurity and lack of security on your system!”
In the ransom note the cyber crooks claim that they are the only ones who can decrypt the encrypted files. Even if you are desperate enough to pay the $650 ransom, you should not fall for their threatening message, as there is no guarantee that they will keep their end of the bargain once you have made the payment.
How does BlackRuby ransomware spread its malicious payload?
BlackRuby ransomware spreads its malicious payload via malicious spam email campaigns. The payload is typically a document containing macro scripts; once macros are enabled, the document executes a command that connects the infected PC to a remote server from which BlackRuby is downloaded and installed.
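Because the delivery vehicle is a macro-enabled document, a mail gateway or analyst script can flag such attachments before anyone opens them. The example below is added here and is not code from the article; it checks an Office Open XML document (.docm/.docx are zip archives) for the vbaProject.bin part and for the vbaProject content type in [Content_Types].xml. The sample document it builds is a constructed stand-in with the minimal zip layout, not a real Word file, and no real macro is included; legacy OLE2 .doc files use a different container and are out of scope.

```python
import io
import zipfile

VBA_PART = "word/vbaProject.bin"          # where Word stores the macro project in a .docm
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML document (NOT a real Word file): just
    enough of the zip layout for the checks below to be meaningful."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        parts = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            parts.append(f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>')
            z.writestr(VBA_PART, b"\x00constructed placeholder, not a real VBA project")
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types>' + "".join(parts) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def macro_indicators(data: bytes) -> dict:
    """Report which macro indicators are present; a non-zip input yields all False."""
    result = {"is_ooxml": False, "vba_part": False, "vba_content_type": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with z:
        names = set(z.namelist())
        result["is_ooxml"] = "[Content_Types].xml" in names
        # Match on the part name regardless of folder or case: Excel and
        # PowerPoint place vbaProject.bin under xl/ and ppt/ respectively.
        result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if result["is_ooxml"]:
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["vba_content_type"] = VBA_CONTENT_TYPE in ctypes
    return result


def should_quarantine(data: bytes) -> bool:
    """Either indicator is enough: the part can exist without the override and vice versa."""
    r = macro_indicators(data)
    return r["vba_part"] or r["vba_content_type"]


if __name__ == "__main__":
    for label, doc in (("macro", build_sample_document(True)),
                       ("clean", build_sample_document(False))):
        print(label, macro_indicators(doc), "quarantine" if should_quarantine(doc) else "allow")
```

The check deliberately ignores the file extension: a .docm renamed to .docx still carries its macro project, so the zip contents, not the name, decide.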
Refer to the following removal instructions to eliminate BlackRuby ransomware from your PC.
Step1. Open the Task Manager simply by tapping Ctrl + Shift + Esc keys on your keyboard.
Step2. Under the Task Manager, go to the Processes tab and look for a process named “WINDOWSUI.exe” and any other suspicious-looking processes that could be related to BlackRuby ransomware.
Step3. After that, close the Task Manager.
Step4. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step5. Under the list of installed programs, look for BlackRuby ransomware or anything similar and then uninstall it.
Step6. Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step7. Navigate to the following location and look for BlackRuby ransomware’s malicious components, such as [random].exe and how-to-decrypt-files.txt, as well as other suspicious files, and delete all of them.
- %ALLUSERSPROFILE%\Application Data
Step8. Close the File Explorer.
Before you proceed to the next steps, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will greatly affect your computer. To save yourself the trouble and time, you can simply use PC Cleaner Pro; this system tool is proven to be safe and secure enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step9. Tap Win + R to open Run, type regedit in the field and tap Enter to open the Windows Registry.
Step10. Navigate to the following paths:
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step11. Delete the registry keys and sub-keys created by BlackRuby ransomware.
Step12. Close the Registry Editor and empty your Recycle Bin.
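After the manual steps above, it helps to have a repeatable check for residue rather than browsing folders by eye. The following added example (not code from the article or from any of the tools it recommends) walks a directory tree and reports files matching the indicators the article gives: the encrypted-file extension, the how-to-decrypt-files.txt ransom note and the WINDOWSUI.exe binary. It assumes the encrypted name ends in Encrypted_<random characters>.BlackRuby; the sample tree it builds is constructed and contains placeholder bytes only.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article. The exact naming layout (name suffixed with
# .Encrypted_<random>.BlackRuby) is an assumption.
ENCRYPTED_NAME = re.compile(r"Encrypted_[A-Za-z0-9]+\.BlackRuby$")
RANSOM_NOTE = "how-to-decrypt-files.txt"
SUSPECT_BINARIES = {"windowsui.exe"}


def scan_tree(root) -> dict:
    """Walk `root` and collect paths matching the indicators above, sorted per category."""
    hits = {"encrypted": [], "notes": [], "binaries": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if ENCRYPTED_NAME.search(name):
                hits["encrypted"].append(path)
            elif name.lower() == RANSOM_NOTE:
                hits["notes"].append(path)
            elif name.lower() in SUSPECT_BINARIES:
                hits["binaries"].append(path)
    for paths in hits.values():
        paths.sort()
    return hits


def build_sample_tree(root) -> None:
    """Create constructed sample files under `root` (placeholders, no real malware)."""
    root = Path(root)
    (root / "Documents").mkdir(parents=True, exist_ok=True)
    (root / "Application Data").mkdir(parents=True, exist_ok=True)
    (root / "Documents" / "budget.xlsx.Encrypted_a1b2c3.BlackRuby").write_bytes(b"\x00" * 16)
    (root / "Documents" / "notes.txt").write_text("clean file")
    (root / "Documents" / RANSOM_NOTE).write_text("constructed placeholder note")
    (root / "Application Data" / "WINDOWSUI.exe").write_bytes(b"MZ placeholder")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory, scan it, return hit counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp)
        return {k: len(v) for k, v in hits.items()}


if __name__ == "__main__":
    # On a real Windows host, point scan_tree at the folder from Step7, e.g.
    # scan_tree(os.path.expandvars(r"%ALLUSERSPROFILE%\Application Data"))
    print(run_demo())
```

A scan that still finds an encrypted file is expected (the data is not recoverable by deleting it), but a surviving ransom note or WINDOWSUI.exe means the clean-up steps above were not completed.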
To make sure that nothing is left behind and that BlackRuby ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- The BIOS screen will then be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking and then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (there must be a single space between explorer and http) and click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.