Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


BlackRose Virus (.ranranranran .okokokokokok .loveyouisrael .whatthefuck)

Article created to help remove BlackRose virus and restore .ranranranran .okokokokokok .loveyouisrael .whatthefuck files encrypted by this ransomware..

A ransomware virus, named BlackRose has appeared in the wild, using AES encryption algorithm to encrypt data on computers compromised by it. The ransomware virus aims to get the victimized user to pay the sum of 1 BTC to get the files back to being openable again. The virus uses 4 different file extensions and the e-mail black-rose@outlook.co.th for correspondence. In case your computer has been infected by the BlackRose ransomware, it is recommended to read this article thoroughly.

Threat Summary

Name

BlackRose

Type Ransomware
Short Description Encrypts important files and asks for a ransom of 1 BTC to be paid to restore them back to working state.
Symptoms Files are encrypted with added .ranranranran, .okokokokok, .loveyouisrael and .whatthefuck file extensions.
Distribution Method Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by BlackRose

Download

Malware Removal Tool

User Experience Join our forum to Discuss BlackRose.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

BlackRose Ransomware – Infection

To infect as many users as possible, the virus may spread via malicious e-mail attachments as well as file downloaders and malicious web links embedded within e-mails. Such spam e-mails are responsible for over 80% of infections by ransomware and cyber-criminals user newer and newer evasion techniques to bypass the protection on those e-mails. One of the techniques used is massive spam bots that spread attachments or web links to Dropbox or Google drive or other cloud accounts that contain the malicious files. The e-mails themselves contain convincing statements to open the attachments/click on the web links:

Other methods of infection besides via such e-mails being sent include infection via different types of fake updates, game patches, software activators, key generators or any other software that can be uploaded on suspicious torrent sites or software download sites.

After the malicious file causing the infection has been opened, the BlackRose virus may drop it’s payload in some of the following Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Windows%
  • %System32%

The files may be named as the following:

→ READ_IT_FOR_GET_YOUR_FILE.txt (Ransom note)
How to install.pdf.exe
How to install.exe
{randomly named file}.exe
File Decryptor.exe

BlackRose Ransomware – Malicious Activity

After the files belonging to BlackRose ransomware are already dropped on the infected computer, the virus may modify the Run and RunOnce registry keys on the compromised machine. They are sub-keys of the Windows Registry editor responsible for which items run on Windows boot. The virus may modify them so that the malicious files of BlackRose run on system boot.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In addition to modifying the registry editor, the BlackRose virus may also delete shadow copies and stop Windows backup service. This is achievable by running a script that executes the following commands in the background, without the victim noticing:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

BlackRose Virus – Encryption Process

BlackRose ransomware uses the AES encryption algorithm to encode files on the computers that have been compromised by the virus. The ransomware infection uses an encryption procedure that replaces the core structure of the files. This makes the files no longer openable.

Among the targeted files may be the following:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com

The virus is very careful not to encrypt important files on the user PC that may damage Windows. After the encryption process is complete, BlackRose leaves files in the following state:

After the encryption process by BlackRose has finished, the ransomware infection drops it’s ransom note, so that it is easily noticed. In it, demands are made for the victim to pay 1 BTC otherwise the files will be lost forever. The note is named READ_IT_FOR_GET_YOUR_FILE.txt and has the following content:

“Files has been encrypted
Send me some 1 bitcoins or more to Address BITCOIN :
3Q2hTDPt1LMAAgQsNQAPJQxb9ZiwA*****
After Payment bitcoin please send your Address Bitcoin Payment to me at
black-rose@outlook.co.th
I will give File Decryptor for you in 24HR…”

Remove BlackRose Virus and Restore Encrypted Files

For the removal process of BlackRose ransomware, recommendations are to follow the removal instructions below. They are designed to help isolate BlackRose ransomware first and perform the removal second. For maximum effectiveness during removal, experts always recommend to eliminate BlackRose using an advanced anti-malware program. It will not only permanently and automatically take care of the BlackRose threat but will also make sure the system is protected in the future too.

In case you wish to restore files that have been encrypted by the BlackRose virus, one way is to try the alternative methods we have suggested in step “2. Restore files encrypted by BlackRose” below. With their aid, you can restore at least some of the encrypted files, but make sure to backup your files beforehand.

Manually delete BlackRose from your computer

Note! Substantial notification about the BlackRose threat: Manual removal of BlackRose requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove BlackRose files and objects
2.Find malicious files created by BlackRose on your PC

Automatically remove BlackRose by downloading an advanced anti-malware program

1. Remove BlackRose with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by BlackRose
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.