BlackRuby Ransomware

Also Known As: BlackRuby virus
Distribution: Low
Damage level: Severe

BlackRuby ransomware removal instructions

What is BlackRuby?

BlackRuby is a ransomware-type virus first discovered by MalwareHunterTeam. Immediately after infiltration, BlackRuby encrypts most stored files and renames them using the "ENCRYPTED_[random_characters_and_digits].BlackRuby" pattern. For instance, "1.jpg" might be renamed to a filename such as "Encrypted_zIX2dFXFt9qNfifBu1mqkNVYTX79ZS48TWWU5BRm3Q.BlackRuby". As a result, files become unusable and, because the original names are discarded, can no longer be told apart. Following successful encryption, BlackRuby creates a text file ("how-to-decrypt-files.txt") and places a copy in every existing folder.

BlackRuby has a number of features that are uncommon among ransomware-type viruses. Firstly, it checks the victim's IP address to determine the location; if the location is Iran, files are not encrypted. Furthermore, BlackRuby installs XMRig, a mining tool that uses system resources to mine Monero cryptocurrency (you can read more about cryptocurrency-mining malware here). As a result, system performance is significantly reduced. The text file informs victims of the encryption and provides further instructions about how to restore files. It states that decryption requires a unique key; unfortunately, this information is correct. Although it is currently unknown whether BlackRuby uses symmetric or asymmetric cryptography, file decryption without the key (generated uniquely for each victim) is impossible. Criminals store these keys on a remote server. Therefore, to receive the key and a decryption tool, victims must pay a ransom of $650 in the Bitcoin cryptocurrency. Furthermore, ransomware developers often ignore victims after the ransom is paid. Paying therefore typically gives no positive result, and users are likely to be scammed. As well as losing their money, users who pay support cyber criminals' malicious businesses. For these reasons, never attempt to contact these people or pay any ransom. Unfortunately, there are no tools capable of decrypting files compromised by BlackRuby ransomware. Therefore, your files and system can only be restored from a backup.
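An added triage helper for responders (not part of the original article): it scans a directory tree for the filename pattern and ransom note described above, and counts the Volume Shadow Copies still present, since the recovery section notes that some variants delete them. The report location, the letters-and-digits alphabet assumed for the random part of the filename, and the use of the Win32_ShadowCopy class are assumptions; run it from an elevated PowerShell session.

```powershell
# Added triage helper (not from the original article). Scans a directory tree for
# BlackRuby artefacts and reports whether Volume Shadow Copies still exist.
# Assumptions: the random part of the filename is letters/digits (as in the sample
# name), and the report is written to the desktop. Run from an elevated session.
function Get-BlackRubyTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ReportPath = "$env:USERPROFILE\Desktop\blackruby-triage.csv"
    )

    # Pattern quoted in the article: ENCRYPTED_[random_characters_and_digits].BlackRuby
    # (-match is case-insensitive, so both ENCRYPTED_ and Encrypted_ are caught)
    $encryptedPattern = '^Encrypted_[A-Za-z0-9_-]+\.BlackRuby$'
    $noteName = 'how-to-decrypt-files.txt'

    $files = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue
    $encrypted = @($files | Where-Object { $_.Name -match $encryptedPattern })
    $notes     = @($files | Where-Object { $_.Name -eq $noteName })

    # Some variants delete Shadow Volume Copies; zero here means the
    # "Previous Versions" recovery route described later will not work.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    # Folders with the most encrypted files, to scope the damage quickly
    $topFolders = $encrypted | Group-Object DirectoryName |
        Sort-Object Count -Descending | Select-Object -First 10 Count, Name

    if ($encrypted.Count -gt 0) {
        $encrypted | Select-Object FullName, Length, LastWriteTime |
            Export-Csv -Path $ReportPath -NoTypeInformation
    }

    [pscustomobject]@{
        EncryptedFileCount = $encrypted.Count
        RansomNoteCount    = $notes.Count
        FirstEncryptedAt   = ($encrypted | Sort-Object LastWriteTime |
                              Select-Object -First 1).LastWriteTime
        ShadowCopiesLeft   = $shadows.Count
        TopFolders         = $topFolders
        Report             = $ReportPath
    }
}

Get-BlackRubyTriage -Path 'C:\Users' | Format-List
```

The CSV of encrypted paths and the earliest modification time give a starting point for scoping which shares and folders the infection reached before the host was isolated.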

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:


This malware is virtually identical to dozens of other ransomware-type viruses, including Payerranso, LOCKME, AAC, and GANDCRAB. Although these viruses are developed by different cyber criminals, their behavior is identical: all encrypt files and make ransom demands. Research shows that in most cases, ransomware-type viruses have just two major differences: 1) the cost of decryption, and 2) the type of encryption algorithm used. Unfortunately, most employ algorithms (such as RSA, AES, etc.) that generate unique decryption keys. Therefore, unless the malware is not fully developed or has certain bugs/flaws (for instance, the key is hard-coded, stored locally, or similar), restoring files without the involvement of the developers (contacting these people is not recommended) is impossible. Ransomware-type viruses present a strong case for maintaining regular data backups. Bear in mind, however, that backups must be stored on a remote server or on unplugged external storage; otherwise, they will be encrypted just like other regular files.

How did ransomware infect my computer?

Ransomware-type viruses are proliferated in various ways; the five most popular are: 1) spam emails; 2) P2P (peer-to-peer) networks; 3) unofficial download sources; 4) fake software update tools; and 5) trojans. Spam emails often contain malicious attachments (e.g., JavaScript files, MS Office documents, etc.) that, once opened, download and install malware. P2P networks (eMule, torrents, etc.) and other third-party download sources (freeware download websites, free file hosting websites, etc.) proliferate malware by presenting it as legitimate software, so users inadvertently download and install it. Fake software updaters exploit bugs/flaws in outdated software to infect the system; in some cases, these tools download viruses rather than software updates. Trojans are the simplest: they open "gates" for other viruses to infiltrate the system.

How to protect yourself from ransomware infections?

The main reasons for computer infections are poor knowledge and careless behavior. The key to safety is caution; therefore, to prevent ransomware infections, be very careful when browsing the Internet. Never open files received from suspicious email addresses. You are strongly advised to download applications from official sources only, using direct download links. Third-party downloaders/installers often include ("bundle") rogue apps and, thus, should not be used. Keep installed software updated and use a legitimate anti-virus/anti-spyware suite; however, since criminals proliferate malware via fake updaters, use only the built-in update functionality or the tools provided by the official developer.

Text presented in BlackRuby ransomware text file ("how-to-decrypt-files.txt"):

=== Identification Key ===
-
=== Identification Key ===


[Can not access your files?]

Congratulations, you are now part of our family #BlackRuby Ransomware. The range of this family is wider and bigger every day.
Our hosts welcome our presence because we will give them a scant souvenir from the heart of Earth.

This time, we are guest with a new souvenir called "Black Ruby". A ruby in black, different, beautiful, and brilliant, which has been bothered to extract those years and you must also endure this hard work to keep it. If you do not have the patience of this difficulty or you hate some of this precious stone, we are willing to receive the price years of mining and finding rubies for your relief and other people of the world who are guests of the black ruby.

So let's talk a little bit with you without a metaphor and literary terms to understand the importance of the subject.
It does not matter if you're a small business or you manage a large organization, no matter whether you are a regular user or a committed employee, it's important that you have a black ruby and to get rid of it, you need to get back to previous situation and we need a next step.

The breadth of this family is not supposed to stop, because we have enough knowledge and you also trust our knowledge.

We are always your backers and guardian of your information at this multi-day banquet and be sure that no one in the world can take it from you except for us who extracts this precious stone.
We need a two-sided cooperation in developing cybersecurity knowledge. The background to this cooperation is a mutual trust, which will result in peace and tranquility, you must pay $650 (USD) worth of Bitcoins for restore your system to the previous state and you are free to choose to stay in this situation or return to the normal.

Do not forget that your opportunity is limited. From these limits you can create golden situations. Be sure we will help you in this way and to know that having a black ruby does not always mean riches. You and your system are poor, poor knowledge of cybersecurity and lack of security on your system!.


===============
[HOW TO DECRYPT FILES]
1. Copy "Identification Key".
2. Send this key with two encrypted files (less than 5 MB) for trust us to email address "TheBlackRuby@Protonmail.com".
3. We decrypt your two files and send them to your email.
4. After ensuring the integrity of the files, you must pay $650 (USD) with bitcoin and send transaction code to our email, our bitcoin address is "19S7k3zHphKiYr85T25FnqdxizHcgmjoj1".
5. You get "Black Ruby Decryptor" Along with the private key of your system.
6. Everything returns to the normal and your files will be released.
===============


[What is encryption?]

Encryption is a reversible modification of information for security reasons but providing full access to it for authorised users.
To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an "Personal identification Key". But not only it. It is required also to have the special decryption software (in your case "Black Ruby Decryptor" software) for safe and complete decryption of all your files and data.

[Everything is clear for me but what should I do?]

The first step is reading these instructions to the end. Your files have been encrypted with the "Black Ruby Ransomware" software; the instructions ("how-to-decrypt-files.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the internet the words the "Black Ruby Ransomware" where they find a lot of ideas, recommendation and instructions, it is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

[Have you got advice?]

[*** Any attempts to get back you files with the third-party tools can be fatal for your encrypted files ***]
The most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files.
Finally it will be impossible to decrypt your files, when you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the Black Ruby Ransomware" software may be fatal for your files.

If you look through this text in the internet and realise that something is wrong with your files but you do not have any instructions to restore your files, please contact your antivirus support.

Screenshot of files encrypted by BlackRuby ("ENCRYPTED_[random_characters_and_digits].BlackRuby" filename pattern):


BlackRuby ransomware removal:


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced options screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot into Safe Mode with Networking.


Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window click "Troubleshoot", then select "Advanced options". In the advanced options menu select "Startup Settings" and click the "Restart" button. In the following window, press the "F5" key on your keyboard. This will restart your operating system in Safe Mode with Networking.


Video showing how to start Windows 10 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the BlackRuby virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.



If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.


2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.


3. Next, type this line: rstrui.exe and press ENTER.


4. In the opened window, click "Next".


5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the BlackRuby ransomware virus infiltrating your PC).


6. In the opened window, click "Yes".


7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining BlackRuby ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of BlackRuby are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by BlackRuby, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as BlackRuby ransomware.

Note that Windows 10 Fall Creators Update includes a "Controlled Folder Access" feature that blocks ransomware attempts to encrypt your files. By default, this feature automatically protects files stored in the Documents, Pictures, Videos, Music, Favorites as well as Desktop folders.


Windows 10 users should install this update to protect their data from ransomware attacks. Here is more information on how to get this update and add an additional protection layer from ransomware infections.
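An added example (not from the original article) showing how to check and enable the Controlled Folder Access feature described above from PowerShell, add a folder beyond the default protected set, and list recent blocked write attempts from the Defender event log. The folder and application paths are placeholders, and the cmdlets require Microsoft Defender Antivirus to be active and an elevated session.

```powershell
# Added example (not from the original article): manage Controlled Folder Access
# with the Microsoft Defender cmdlets. Requires Windows 10 Fall Creators Update
# (1709) or later, Defender Antivirus active, and an elevated PowerShell session.

function Get-ControlledFolderAccessState {
    $pref = Get-MpPreference
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
    $state = switch ($pref.EnableControlledFolderAccess) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { 'Unknown' }
    }
    [pscustomobject]@{
        State            = $state
        ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders  # beyond the defaults
        AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
    }
}

function Enable-ControlledFolderAccess {
    param(
        [string[]] $ExtraFolders = @(),   # e.g. a data drive outside the default set
        [string[]] $TrustedApps  = @()    # full paths of legitimate apps that must write there
    )
    # On a machine with unusual software, consider AuditMode first, then switch to Enabled
    Set-MpPreference -EnableControlledFolderAccess Enabled
    foreach ($folder in $ExtraFolders) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
    foreach ($app in $TrustedApps) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
    Get-ControlledFolderAccessState
}

# Blocked write attempts are logged as Event ID 1123 (1124 in audit mode) in the
# Defender operational log; reviewing them shows which program tried to modify files.
function Get-ControlledFolderAccessEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Placeholder paths; replace with the real folder and application on the host
Enable-ControlledFolderAccess -ExtraFolders 'D:\Data' -TrustedApps 'C:\Program Files\ExampleApp\app.exe'
Get-ControlledFolderAccessEvents -Hours 24
```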

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:


Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:


  • The best way to avoid damage from ransomware infections is to maintain regular, up-to-date backups. More information on online backup solutions and data recovery software is available here.

Other tools known to remove BlackRuby ransomware: