Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

BlackRuby-2 Ransomware

BlackRuby-2 Ransomware is a new variant of the BlackRuby ransomware that was uncovered earlier this year. Both versions were created to encrypt files and demand a ransom from the victims. The original version demanded a set price of $650, but the current version does not reveal a specific price via the ransom note that is created after the encryption of files. Most likely, the price is revealed to every victim individually as they contact the creator of the infection using a specified email address. To some, the sum of the ransom might appear to be small enough to pay, but there is one thing that everyone needs to think about: Cyber criminals cannot be trusted. Even if they promise to provide you with decryption software and a private key, most likely, all promises are empty, and you will not gain anything from paying the ransom. This is the main reason you should remove BlackRuby-2 Ransomware from your operating system without even contacting cyber criminals first. Of course, you can do whatever you want, but make sure you act carefully so as not to create even more problems for yourself.

It was discovered that BlackRuby-2 Ransomware does not attack operating systems located in Afghanistan, Armenia, Azerbaijan, Iran, Iraq, Pakistan, Turkey, or Turkmenistan. Although the threat might invade the computer, it will not encrypt anything if the IP address comes from any of these regions, which implies that the creator of the ransomware might be located in one of these countries or that they have more specific targets. Unsecured RDP connections are the most likely entry point for the malicious BlackRuby-2 Ransomware, but other security backdoors could be used to invade operating systems too. In any case, the threat slithers in silently and initiates its malicious processes without alerting the owner of the infected system, because that is the only way for the ransomware to encrypt files and demand a ransom successfully. Once files are encrypted, they can be identified easily by looking for the “Encrypted_RandomString%.BlackRuby2” extension attached to the original names. The files with this extension are corrupted, and, unfortunately, you cannot decrypt them by removing the extension. You cannot free them by deleting the ransomware either.

BlackRuby-2 Ransomware uses a file named “HOW-TO-DECRYPT-files.txt” to inform its victims that their files were corrupted and that they need to perform several steps to obtain a program called “Black Ruby Decryptor” along with a private key that enables decryption. The ransom note is very long, and the information is meant to push the victim into thinking that there is nothing for them to do but pay the ransom. According to the “[HOW TO DECRYPT FILES]” section, the victim must send an ID along with two encrypted files to TheBlackRuby@Torbox3uiot6wchz.onion via the Tor Browser. After that, they should receive payment-related information so that they can transfer the ransom, and Black Ruby Decryptor should then become available; but, as we discussed already, it is risky to rely on the promises made by cyber criminals. Even communicating with cyber criminals via email could be dangerous, because they could send malicious files as well as disclose the email address they record to other malicious parties.

The removal of BlackRuby-2 Ransomware is important, and the sooner you get rid of this malicious threat, the better. It is easiest to install a legitimate anti-malware program to have the threat erased automatically. Of course, this program serves a more important purpose as well, which is to keep the operating system protected in the future. Besides setting up a trustworthy security system, you also need to be more careful yourself. Do not leave remote connection portals open for exploitation, and do not forget to back up your personal files. Unfortunately, if you find out that you need to delete BlackRuby-2 Ransomware from your PC, the chances are that you also need to delete a Monero miner called “XMRig,” which is silently downloaded by the ransomware. This threat can use up your system’s resources, which could make it run insufferably slowly. If you employ anti-malware software, this unwanted piece will be eliminated automatically as well; however, if you choose to clean the system manually, do not forget the miner!

BlackRuby-2 Ransomware Removal

  1. Launch Windows Explorer by tapping keys Win+R.
  2. Move to %WINDIR%\SysWOW64\ (or %WINDIR%\System32\).
  3. Delete the folder named BlackRuby.
  4. Delete all copies of the file named HOW-TO-DECRYPT-files.txt.
  5. Install a trusted malware scanner.
  6. Perform a full system scan and if any threats remain active, delete them ASAP.
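The manual steps above describe three artefacts to look for: the BlackRuby folder under the system directories, copies of HOW-TO-DECRYPT-files.txt, and files carrying the Encrypted_RandomString%.BlackRuby2 marker. The following triage scan is an added example, not this site's or the scanner's own code; it walks a constructed sample volume (not a real infection) and assumes the random part of the marker is alphanumeric.

```python
import os
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "HOW-TO-DECRYPT-files.txt"
DROP_FOLDER = "BlackRuby"
SYSTEM_DIRS = {"system32", "syswow64"}
# Marker from the page: Encrypted_RandomString%.BlackRuby2 (random part assumed alphanumeric).
ENCRYPTED_RE = re.compile(r"Encrypted_[A-Za-z0-9]+\.BlackRuby2$", re.IGNORECASE)

def classify(name):
    """Return the indicator type a file name matches, or None."""
    if name.lower() == RANSOM_NOTE.lower():
        return "ransom_note"
    if ENCRYPTED_RE.search(name):
        return "encrypted_file"
    return None

def original_name(name):
    """Strip the marker to inventory what was hit (for restore from backup; this does not decrypt)."""
    return ENCRYPTED_RE.sub("", name).rstrip(".")

def scan_tree(root):
    """Walk root and collect the three indicators the page describes."""
    hits = {"encrypted_file": [], "ransom_note": [], "drop_folder": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # Steps 2-3 of the removal guide: a BlackRuby folder under System32 or SysWOW64.
        if Path(dirpath).name.lower() in SYSTEM_DIRS and DROP_FOLDER in dirnames:
            hits["drop_folder"].append(str(Path(dirpath, DROP_FOLDER)))
        for f in filenames:
            kind = classify(f)
            if kind:
                hits[kind].append(str(Path(dirpath, f)))
    return hits

def build_sample_tree(root):
    """Constructed layout mimicking an infected volume (demo data only)."""
    root = Path(root)
    (root / "Windows" / "SysWOW64" / DROP_FOLDER).mkdir(parents=True)
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / RANSOM_NOTE).write_text("constructed ransom note")
    (docs / "budget.xlsx.Encrypted_7fQ2xK.BlackRuby2").write_bytes(b"\x00")
    (docs / "notes.txt").write_text("untouched file")

def demo():
    """Build the sample tree, scan it, and return indicator counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {k: len(v) for k, v in scan_tree(tmp).items()}
```

Point scan_tree at a mounted volume root to list every hit before cleaning up; the original_name output tells you which files to restore from backup.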
