
BlackRuby-2 Ransomware

Posted: March 19, 2018

The BlackRuby-2 Ransomware is a new version of the BlackRuby Ransomware and, like the first edition, can either mine cryptocurrency on your PC or lock your files to force payment of its ransom. This threat's campaign distributes the BlackRuby-2 Ransomware as an update or installer for Microsoft-brand security software, and users should be cautious about infection vectors promoting such downloads, such as a hostile website. Anti-malware programs still should delete the BlackRuby-2 Ransomware automatically, and backups and free decryptors can assist any victims with saving their files.

A New Shine on a Dark Gemstone

Although its campaign isn't old, the BlackRuby Ransomware is receiving updates to its software that could strengthen its file-locking attacks or obscure its identity from older threat databases. Malware experts are dubbing this variant the BlackRuby-2 Ransomware, and it keeps both the encryption and the cryptocurrency-mining features noted previously. Interestingly, the threat actors also preserve the old disguise of the Trojan's installer, which pretends to be a 'Windows Defender' download.

Besides the usual ways of introducing fake software to a PC, such as exploit kits, the threat actors also could be installing the BlackRuby-2 Ransomware via RDP exploits after brute-forcing their way into a target's network. When it runs, the BlackRuby-2 Ransomware uses an AES algorithm to encrypt documents and many other types of media on the PC, which 'locks' most of the non-system file content. Malware experts also warn that the BlackRuby-2 Ransomware's family includes capabilities for filtering its victims based on geographical information, and can delete local Windows backups.
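The RDP brute-forcing described above leaves a recognizable trail in the Windows Security log: a burst of failed RemoteInteractive logons from one source, followed by a success once a credential is guessed. The following is an added defender-side example, not code from the original article, that runs that check over constructed sample records (the event structure, field names and IP addresses are assumptions for illustration):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security log records (not taken from any real host).
# Event 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2018-03-19T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"time": "2018-03-19T02:00:04", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"time": "2018-03-19T02:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2018-03-19T02:00:15", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2018-03-19T02:00:22", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"time": "2018-03-19T02:00:31", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "Administrator"},
    {"time": "2018-03-19T02:10:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.4", "user": "jsmith"},
    {"time": "2018-03-19T02:10:40", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.4", "user": "jsmith"},
    {"time": "2018-03-19T02:20:00", "event_id": 4625, "logon_type": 3,  "src_ip": "192.0.2.50", "user": "svc"},
    {"time": "2018-03-19T02:20:01", "event_id": 4625, "logon_type": 3,  "src_ip": "192.0.2.50", "user": "svc"},
    {"time": "2018-03-19T02:20:02", "event_id": 4625, "logon_type": 3,  "src_ip": "192.0.2.50", "user": "svc"},
    {"time": "2018-03-19T02:20:03", "event_id": 4625, "logon_type": 3,  "src_ip": "192.0.2.50", "user": "svc"},
    {"time": "2018-03-19T02:20:04", "event_id": 4625, "logon_type": 3,  "src_ip": "192.0.2.50", "user": "svc"},
]

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Map source IP -> peak number of failed RDP logons seen inside any `window`,
    for sources that reached `threshold`. Uses a sliding window over sorted times."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:  # only RDP failures count
            failures[ev["src_ip"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged

def successes_after_bruteforce(events, flagged):
    """Return (src_ip, user, time) for successful RDP logons from a flagged source:
    the point at which a guessed credential has given the attacker a foothold."""
    hits = []
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == 10 and ev["src_ip"] in flagged:
            hits.append((ev["src_ip"], ev["user"], ev["time"]))
    return hits
```

On the sample data only 203.0.113.7 is flagged: the single failure from 198.51.100.4 is normal user error, and the network-logon failures from 192.0.2.50 are not RDP and are filtered out.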

The BlackRuby-2 Ransomware also partakes of what is quickly becoming a fad among threat actors this year: running a cryptocurrency-mining application in the background. Users may surmise the presence of this activity from unusual CPU usage, overheating, crashes and system instability, for example. However, unlike the file-locking attack, which leaves associated filename edits, the BlackRuby-2 Ransomware's mining feature leaves no direct evidence visible to the user.

Putting a Cursed Gem Back in the Ground

Although the original BlackRuby Ransomware uses a non-secure encryption method, malware analysts can't, for now, verify whether the same is true of the new build. Backing up your files to a safe location, such as USB or cloud services, can eliminate any need for a decryptor, which the BlackRuby-2 Ransomware's threat actors are selling in exchange for Bitcoins. However, users also can consider contacting an experienced cyber-security specialist for extra help with investigating all decryption possibilities and restoring any locked media, such as pictures, text files or archives.

The BlackRuby-2 Ransomware's small file size (under one megabyte) makes it suitable for being downloaded and installed by Trojan downloaders that may embed themselves inside corrupted documents and run via macros and similar exploits. Exploit kits on a compromised or maliciously modified website also may load drive-by-download attacks for installing this threat, and monitoring the security of your network's remote-access services is highly relevant to this campaign's previously-noted infection vectors. Despite being an update, most anti-malware programs still identify and remove the BlackRuby-2 Ransomware.

The story of the BlackRuby-2 Ransomware continues but holds no surprises for its victims, other than attacks against their files and computer hardware. Letting the cybercrooks hijack your resources for their financial benefit is easily preventable, as long as you're using the right Web-browsing precautions.
