BlackRuby ransomware - How to remove

BlackRuby ransomware was first detected on 6 February 2018. In addition to encrypting data with the AES algorithm, the virus also infects victims with the XMRig crypto-miner. Since miner infections are now widespread and new samples are detected daily, it is no surprise that ransomware developers try to make money through this strategy as well. Even if victims do not pay the demanded ransom, the attackers still profit from the mined cryptocurrency.

BlackRuby crypto-virus will damage your files and demand $650

BlackRuby ransomware encrypts your files and renames them so that you won't be able to recognize them. Damaged data no longer keeps its original name; instead, every file is renamed to Encrypted_[random letters and numbers].BlackRuby. Finding all the encoded data therefore won't be a problem, but recovering it might be.


Surprisingly, BlackRuby crypto-malware does not appear to target people from Iran. If the user's IP address indicates that the infected computer is located in Iran, the ransomware won't encrypt digital data and will probably self-destruct. This could be a clue that the hackers responsible for this infection are from Iran and do not wish to infect their fellow citizens. The ApolloLocker virus is another infection that refuses to infect people from a selected country.

BlackRuby virus is a curious case because of its awfully friendly ransom message. It begins with the hackers congratulating the victim for becoming "a part of your family #BlackRuby ransomware". The crooks use metaphors and confusing language, and express a wish to develop "mutual trust" with their victims. Coming from devious hackers who have just encrypted your digital files, these words sound wrong.

After babbling about random topics, the hackers state that in order to decrypt their files, victims have to contact the [email protected] email address. Victims are supposed to send their identification keys and two encrypted files. The crooks promise to recover these two files to prove that they can indeed decrypt the data. In exchange for decrypting all digital files, the hackers demand 650 dollars, sent through the Bitcoin payment system. This equals approximately 0.07612 BTC.


We always discourage people from paying the demanded ransoms (Reasons not to pay up in a ransomware attack). While the hackers behind the BlackRuby virus might seem nice in the HOW-TO-DECRYPT-FILES.txt message, they are only pretending.
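As an added triage example (not code from the original article), the script below walks a directory tree and counts files that follow the Encrypted_[random letters and numbers].BlackRuby naming pattern described earlier, together with any HOW-TO-DECRYPT-FILES.txt notes, so the scope of an infection can be measured before recovery is attempted. The exact regular expression and the sample directory layout are my assumptions, built only from the two names the article gives.

```python
"""Added triage helper, not code from the original article.

Assumptions (mine, built from the names the article gives): encrypted files are
named Encrypted_<letters and digits>.BlackRuby and the ransom note is
HOW-TO-DECRYPT-FILES.txt. The sample directory tree is constructed test data.
"""
import os
import re
import tempfile
from collections import Counter

# Naming pattern for encrypted files, as described in the article.
ENCRYPTED_RE = re.compile(r"^Encrypted_[A-Za-z0-9]+\.BlackRuby$")
RANSOM_NOTE = "HOW-TO-DECRYPT-FILES.txt"


def scan_tree(root):
    """Walk `root` and return (encrypted_paths, note_dirs, per_dir_counts).

    encrypted_paths: full paths of files matching the BlackRuby naming pattern
    note_dirs:       directories that contain a ransom note
    per_dir_counts:  Counter of encrypted files per directory (where damage is)
    """
    encrypted = []
    note_dirs = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if ENCRYPTED_RE.match(name):
                encrypted.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
            elif name == RANSOM_NOTE:
                note_dirs.append(dirpath)
    return encrypted, note_dirs, per_dir


def report(root):
    """Print a human-readable summary and return (file count, note count)."""
    encrypted, note_dirs, per_dir = scan_tree(root)
    print(f"{len(encrypted)} encrypted file(s), {len(note_dirs)} ransom note(s) under {root}")
    for dirpath, count in per_dir.most_common():
        print(f"  {count:5d}  {dirpath}")
    return len(encrypted), len(note_dirs)


def build_sample_tree(base):
    """Create a constructed layout imitating an infected profile (test data only)."""
    docs = os.path.join(base, "Documents")
    pics = os.path.join(base, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Two renamed files, the note, and one untouched file.
    for name in ("Encrypted_a1B2c3.BlackRuby", "Encrypted_ZZ99.BlackRuby",
                 RANSOM_NOTE, "untouched.txt"):
        open(os.path.join(docs, name), "w").close()
    # One renamed file plus two near-misses that must NOT be counted:
    # an empty random part, and a file that merely ends in .BlackRuby.
    for name in ("Encrypted_7x7x7x.BlackRuby", "Encrypted_.BlackRuby",
                 "notes.BlackRuby"):
        open(os.path.join(pics, name), "w").close()


def demo():
    """Run the scanner over the constructed tree; returns (files, notes, per-dir counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        encrypted, note_dirs, per_dir = scan_tree(tmp)
        return len(encrypted), len(note_dirs), sorted(per_dir.values())


if __name__ == "__main__":
    import sys
    # Scan the directory given on the command line, or the user's profile.
    report(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~"))
```

Run it against a user profile (or a mounted image of the disk) to see which directories took the most damage; the per-directory counts are also a quick sanity check on whether a later recovery step actually restored anything.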

Files that the BlackRuby virus has damaged might be recovered

Even though we are not always lucky enough to state that a ransomware virus is decryptable, BlackRuby malware appears to be an exception. Michael Gillespie has explained that it might be possible to recover the damaged data. All you have to do is contact this security researcher and ask for assistance.

Sadly, free file recovery is not always possible. So as not to depend on a ransomware strain being weak, you should keep backups of your digital files. With backups in place, crypto-malware will no longer pose such a threat to your data.

Of course, on some occasions general-purpose file-recovery tools are able to restore a percentage of the encrypted data, but this is not guaranteed. Furthermore, most new ransomware variants also delete the Shadow Volume Copies.

How does this BlackRuby ransomware infect your computer?

It appears that BlackRuby ransomware is delivered as a defender.exe file. It pretends to be Microsoft's Windows Defender, a legitimate tool that should not be considered malicious. This impostor, however, is malicious and carries the file-encrypting virus. The fake Defender can be found on random file-sharing websites, and you might also receive the file in your email inbox. Whatever you do, do not click on links or download attachments from emails sent by unknown sources.

In order to protect your operating system from malware infections, we hope that you will not hesitate to install an anti-malware tool. It is not only ransomware that threatens your cyber security: various adware parasites, browser hijackers, Trojans, keyloggers, worms and other threats also pose a risk. If you wish to enjoy a malware-free device, install Spyhunter.

How to recover BlackRuby ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before BlackRuby ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of BlackRuby ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Spyhunter, and remove all malicious files related to BlackRuby ransomware. You can check other tools here.

Step 3. Restore BlackRuby ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. BlackRuby ransomware usually tries to delete all Shadow Volume Copies, so this method may not work on every computer; sometimes, however, the deletion fails. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: the native Windows Previous Versions feature or Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy to save it to a directory of your own, or Restore to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
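Because the ransomware usually tries to wipe the Shadow Volume Copies, it is worth checking whether any survive before spending time on the two methods above. The following is an added example, not code from the original article: it parses the output of `vssadmin list shadows` and groups surviving copies by drive letter. The sample text is constructed to resemble that tool's output and its layout is my assumption, not a captured transcript; on a Windows host the script runs the real command (from an elevated prompt).

```python
"""Added example, not code from the original article: check whether any Shadow
Volume Copies survive before attempting the recovery steps above.

The sample text is constructed to resemble `vssadmin list shadows` output and
its layout is my assumption, not a captured transcript. list_shadow_copies()
runs the real command on a Windows host (elevated prompt required).
"""
import re
import subprocess
import sys

# Constructed sample: two shadow copies, one for C: and one for D:.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 2/5/2018 9:41:07 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{bbbbbbbb-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 2/6/2018 8:02:55 AM
      Shadow Copy ID: {cccccccc-cccc-cccc-cccc-cccccccccccc}
         Original Volume: (D:)\\?\Volume{dddddddd-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# One record per shadow copy: creation time, ID, original drive letter,
# original volume GUID path and the shadow device path.
SHADOW_RE = re.compile(
    r"creation time: (?P<when>[^\n]+)\n"
    r"\s*Shadow Copy ID: (?P<id>\{[0-9A-Fa-f-]+\})\n"
    r"\s*Original Volume: \((?P<drive>[A-Z]:)\)(?P<volume>\S+)\n"
    r"\s*Shadow Copy Volume: (?P<shadow>\S+)"
)


def parse_vssadmin_shadows(text):
    """Return a list of dicts, one per shadow copy; [] when none are listed."""
    return [m.groupdict() for m in SHADOW_RE.finditer(text)]


def copies_by_drive(copies):
    """Group shadow device paths by original drive letter, e.g. {"C:": [...]}."""
    grouped = {}
    for copy in copies:
        grouped.setdefault(copy["drive"], []).append(copy["shadow"])
    return grouped


def list_shadow_copies():
    """Run vssadmin on Windows and parse it; None when not on Windows or not found."""
    if sys.platform != "win32":
        return None
    try:
        result = subprocess.run(["vssadmin", "list", "shadows"],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_vssadmin_shadows(result.stdout)


if __name__ == "__main__":
    live = list_shadow_copies()
    # Fall back to the constructed sample when not running on Windows.
    copies = live if live is not None else parse_vssadmin_shadows(SAMPLE_VSSADMIN_OUTPUT)
    if not copies:
        print("No shadow copies found: Step 3 will not help on this host.")
    for drive, shadows in copies_by_drive(copies).items():
        print(drive, "->", ", ".join(shadows))
```

An empty result means the copies are gone and Step 3 can be skipped in favour of Step 4; a non-empty result tells you which drives still have snapshots worth opening in Previous Versions or Shadow Explorer.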

Step 4. Use Data Recovery programs to recover BlackRuby ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive to it as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus we recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
