The BlackRuby Ransomware is a peculiar file-encryption Trojan whose authors are likely to reside in the Middle East, Iran more specifically. We suspect this because the source code of the BlackRuby Ransomware includes a module whose purpose is to ensure that this threat will not cause damage to computers whose IP addresses are detected as Iranian. However, users outside of Iran are unlikely to be spared by the BlackRuby Ransomware’s attack, and they might end up losing the majority of their files due to the secure file-encryption method this locker uses.
We don’t have exact information regarding the propagation methods used by the BlackRuby Ransomware’s authors, but it is very likely that their primary distribution channel is spam e-mails and corrupted e-mail attachments. Often, the fraudulent e-mails that bring threat payloads are disguised to look as if they come from a reputable government agency, a delivery company, or other institution that the users are likely to trust blindly. The corrupted attachment is likely to be disguised as a DOC, PDF, XLS or ZIP file, but its execution will deploy the BlackRuby Ransomware’s files and initiate the attack silently.
Unfortunately, the consequences of this threat’s actions are quite severe. Its victims will be left with hundreds of inaccessible files whose contents have been fully encrypted. In addition to the file-encryption task, the BlackRuby Ransomware will also rename all locked files by using the naming pattern ‘Encrypted_[RANDOM STRING].BlackRuby.’ The ransom note that the BlackRuby Ransomware uses is rather long, and it is usually found in the file ‘how-to-decrypt-files.txt,’ which is created after the file-encryption stage is complete. The message is written in English, but it appears that its authors have used automatic translation services since a large portion of the text makes no sense or is very poorly constructed. However, the important bits of the instructions are rather clear:
- The attackers demand $650 via a Bitcoin transaction.
- They promise to provide victims with the BlackRuby Decryptor as soon as the money is paid.
- They tell victims to get in touch with them by messaging [email protected].
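The two on-disk artifacts the write-up names, the ‘Encrypted_[RANDOM STRING].BlackRuby’ rename pattern and the ‘how-to-decrypt-files.txt’ ransom note, are enough to build a simple triage check for a host or a file-listing export. The script below is an added example written for this page; it is not code from the BlackRuby Ransomware or from any vendor tool. It assumes the file names appear exactly as stated above; the character set of the random string is not documented, so any non-empty string is accepted, and the sample listing is constructed for illustration.

```python
"""Triage helper that flags BlackRuby Ransomware artifacts in a file listing.

Added example for this write-up, not the malware's or any vendor's code.
Assumptions: encrypted files are named 'Encrypted_<random string>.BlackRuby'
and the ransom note is 'how-to-decrypt-files.txt', as the write-up states.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# The random part's alphabet is not documented, so accept any non-empty string.
ENCRYPTED_NAME = re.compile(r"^Encrypted_.+\.BlackRuby$")
RANSOM_NOTE = "how-to-decrypt-files.txt"


@dataclass
class ScanResult:
    encrypted: List[str] = field(default_factory=list)   # files matching the rename pattern
    notes: List[str] = field(default_factory=list)       # ransom note locations
    directories_hit: Set[str] = field(default_factory=set)

    @property
    def infected(self) -> bool:
        """Either indicator alone is worth an alert; both together is a strong signal."""
        return bool(self.encrypted or self.notes)


def classify_path(path: str) -> Optional[str]:
    """Return 'encrypted', 'note', or None for a single file path."""
    name = os.path.basename(path)
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    if name.lower() == RANSOM_NOTE:   # note name compared case-insensitively
        return "note"
    return None


def scan_paths(paths: Iterable[str]) -> ScanResult:
    """Classify an iterable of paths, e.g. a file-listing export from a host."""
    result = ScanResult()
    for path in paths:
        kind = classify_path(path)
        if kind == "encrypted":
            result.encrypted.append(path)
        elif kind == "note":
            result.notes.append(path)
        else:
            continue
        result.directories_hit.add(os.path.dirname(path))
    return result


def scan_directory(root: str) -> ScanResult:
    """Walk a live directory tree and apply the same classification."""
    def walk() -> Iterable[str]:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield os.path.join(dirpath, name)
    return scan_paths(walk())


# Constructed sample listing (not real victim data) with hits and non-hits.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/Encrypted_q7Fz9k2L.BlackRuby",
    "C:/Users/alice/Documents/how-to-decrypt-files.txt",
    "C:/Users/alice/Pictures/Encrypted_8aBc.BlackRuby",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Desktop/notes.txt",
    "C:/Users/alice/Desktop/Encrypted_.BlackRuby",        # empty random part: no match
    "C:/Users/alice/Desktop/Encrypted_abc.BlackRuby.bak",  # extra suffix: no match
]

if __name__ == "__main__":
    r = scan_paths(SAMPLE_LISTING)
    print(f"encrypted files: {len(r.encrypted)}, ransom notes: {len(r.notes)}")
    for d in sorted(r.directories_hit):
        print("  affected directory:", d)
```

Run it against a listing exported from a suspect host, or call `scan_directory()` on a mounted image; the set of affected directories gives a quick picture of which user data was reached, and the encrypted files it lists are the ones to preserve for a possible future decryptor rather than delete.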
However, the authors of this threat don’t offer any proof that they are capable of decrypting the locked files, and the advice to the victims of the BlackRuby Ransomware is to avoid paying the ransom sum. The suggestion is to start the recovery process by removing the BlackRuby Ransomware’s files with the assistance of a reputable anti-malware scanner. You need to preserve the files encrypted by the BlackRuby Ransomware because they might be recovered in case a free decryption utility becomes available.