
BlackRuby Ransomware

Posted: February 7, 2018


The BlackRuby Ransomware is a file-locking Trojan that uses encryption to prevent you from opening many formats of media. It appears to circulate disguised as Windows software and, like most Trojans of its type, also drops instructions demanding money before it will restore the data it holds hostage. Malware experts recommend staying alert to likely infection vectors, such as illegitimate Windows update-themed pop-ups, and using anti-malware programs to uninstall the BlackRuby Ransomware safely.

A Toxic Ruby Embedded in Supposed Security Software

Threat actors continue to 'double-dip' with their Trojans by bundling independent, drop-suitable components or modules that carry out additional attacks wholly unrelated to the original payload. The BlackRuby Ransomware exemplifies this strategy of squeezing maximum damage and profit from each infection: it tries to collect a ransom while simultaneously using the victim's hardware to generate cash. Encryption and cryptocurrency mining are, once again, the technical foundation of every BlackRuby Ransomware infection.

Distribution exploits in the BlackRuby Ransomware campaign promote it as a standalone, downloadable version of Windows Defender, Microsoft's anti-malware program. The BlackRuby Ransomware uses an imperfectly secure encryption routine to block various types of data, such as movies, audio clips, pictures and text documents, silently and without the user's consent. Malware experts found one exception: the Trojan skips compromised PCs with Iran-based IP addresses, which may be a self-protective legal consideration on the part of its makers.

The BlackRuby Ransomware also drops the XMRig program onto the PC so that it can generate the Bitcoin cryptocurrency with the victim's hardware, much like the RubyMiner Trojan. Unrestrained cryptocurrency mining can shorten the lifespan of individual components, such as the GPU or CPU, and cause significant performance and quality-of-life problems, such as overheating. Neither the mining feature nor the encryption routine shows the victim an interface or any overt startup symptoms, although every already-locked file carries a '.blackruby' extension.
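Because the infection shows no interface and no startup symptoms, the '.blackruby' extension and the dropped XMRig binary are the most practical file-level indicators a responder can look for. The triage scanner below is an added example, not code from the original article: it walks a directory tree, counts locked files by their original extension, flags any executable whose name contains 'xmrig', and returns a verdict. The file name 'xmrig.exe' and the sample directory it builds in a temporary folder are constructed assumptions; the article names the XMRig program but not the dropped file name.

```python
"""
Triage scanner for the file-level indicators attributed to the BlackRuby
Ransomware: the '.blackruby' extension on locked files and a dropped XMRig miner.
Added example; not code from the original article or from the Trojan.
"""
import os
import tempfile
from collections import Counter

LOCKED_EXT = ".blackruby"
# Assumption: the miner is dropped as an executable whose name contains 'xmrig'.
MINER_HINT = "xmrig"


def scan_tree(root):
    """Walk `root` and report locked files (grouped by their original
    extension), miner-looking executables and the share of files locked."""
    locked = Counter()
    miner_paths = []
    total = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            lower = name.lower()
            if lower.endswith(LOCKED_EXT):
                # 'report.docx.blackruby' -> original extension '.docx'
                stem = lower[: -len(LOCKED_EXT)]
                orig_ext = os.path.splitext(stem)[1] or "(none)"
                locked[orig_ext] += 1
            elif MINER_HINT in lower and lower.endswith(".exe"):
                miner_paths.append(os.path.join(dirpath, name))
    n_locked = sum(locked.values())
    return {
        "total_files": total,
        "locked_files": n_locked,
        "locked_by_ext": dict(locked),
        "miner_paths": miner_paths,
        "locked_ratio": n_locked / total if total else 0.0,
    }


def verdict(report):
    """Summarise the report; both indicators together match the article's
    description of the BlackRuby Ransomware (encryption plus a miner drop)."""
    if report["locked_files"] and report["miner_paths"]:
        return "blackruby-like: locked files plus miner executable"
    if report["locked_files"]:
        return "encryption indicators present"
    if report["miner_paths"]:
        return "miner executable present"
    return "clean"


def build_sample_tree():
    """Constructed sample directory for a dry run; not a real infection."""
    root = tempfile.mkdtemp(prefix="blackruby_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.blackruby", "holiday.jpg.blackruby",
                 "notes.txt.blackruby", "untouched.pdf"):
        open(os.path.join(docs, name), "wb").close()
    # Constructed stand-in for the dropped miner (empty file, no real binary).
    open(os.path.join(root, "xmrig.exe"), "wb").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = scan_tree(sample_root)
    print(report)
    print(verdict(report))
```

Run it against a user profile or a mounted image of a suspect drive instead of the sample tree; the per-extension breakdown tells you which data categories the Trojan targeted, and the locked-file ratio is a cheap way to rank hosts during a wider incident.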

Dimming the Luster of a Thieving Gemstone

The BlackRuby Ransomware demands hundreds of dollars in Bitcoins, through instructions it delivers in a Notepad file, to unlock all the encrypted files. Regardless of the threat actor's wishes, because the Trojan uses an imperfectly secure encryption algorithm, even victims without backups should find recovery possible with the help of experienced malware researchers. Malware experts nonetheless advise keeping backups, since an updated BlackRuby Ransomware or a variant of it could switch to a less decryptable data-locking method than its current one.

Fake versions of Windows Defender may install themselves through an exploit kit (EK) such as the Nebula Exploit Kit or Blacole, which normally loads from a hacked or corrupted domain. They can also arrive via compromised advertising networks that load fake update alerts. Anti-malware software with browser-based features should block many of these attacks. Keeping your software updated also reduces the number of vulnerabilities available for threat actors to exploit, and most anti-malware programs should delete the BlackRuby Ransomware as soon as they detect it.

The BlackRuby Ransomware has a few interesting traits that make it worth study for malware experts, who don't relate it to traditional file-locking Trojans like the Jigsaw Ransomware, the Globe Ransomware or Hidden Tear. For at-risk PC owners, however, its most relevant characteristic is that its file-locking security is a total bluff.
