BlackRose Virus (.ranranranran .okokokokokok .loveyouisrael .whatthefuck) - How to, Technology and PC Security Forum |

BlackRose Virus (.ranranranran .okokokokokok .loveyouisrael .whatthefuck)

Article created to help remove BlackRose virus and restore .ranranranran .okokokokokok .loveyouisrael .whatthefuck files encrypted by this ransomware..

A ransomware virus, named BlackRose has appeared in the wild, using AES encryption algorithm to encrypt data on computers compromised by it. The ransomware virus aims to get the victimized user to pay the sum of 1 BTC to get the files back to being openable again. The virus uses 4 different file extensions and the e-mail for correspondence. In case your computer has been infected by the BlackRose ransomware, it is recommended to read this article thoroughly.

Threat Summary



Short DescriptionEncrypts important files and asks for a ransom of 1 BTC to be paid to restore them back to working state.
SymptomsFiles are encrypted with added .ranranranran, .okokokokok, .loveyouisrael and .whatthefuck file extensions.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by BlackRose


Malware Removal Tool

User ExperienceJoin our forum to Discuss BlackRose.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

BlackRose Ransomware – Infection

To infect as many users as possible, the virus may spread via malicious e-mail attachments as well as file downloaders and malicious web links embedded within e-mails. Such spam e-mails are responsible for over 80% of infections by ransomware and cyber-criminals user newer and newer evasion techniques to bypass the protection on those e-mails. One of the techniques used is massive spam bots that spread attachments or web links to Dropbox or Google drive or other cloud accounts that contain the malicious files. The e-mails themselves contain convincing statements to open the attachments/click on the web links:

Other methods of infection besides via such e-mails being sent include infection via different types of fake updates, game patches, software activators, key generators or any other software that can be uploaded on suspicious torrent sites or software download sites.

After the malicious file causing the infection has been opened, the BlackRose virus may drop it’s payload in some of the following Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %SystemDrive%
  • %Windows%
  • %System32%

The files may be named as the following:

→ READ_IT_FOR_GET_YOUR_FILE.txt (Ransom note)
How to install.pdf.exe
How to install.exe
{randomly named file}.exe
File Decryptor.exe

BlackRose Ransomware – Malicious Activity

After the files belonging to BlackRose ransomware are already dropped on the infected computer, the virus may modify the Run and RunOnce registry keys on the compromised machine. They are sub-keys of the Windows Registry editor responsible for which items run on Windows boot. The virus may modify them so that the malicious files of BlackRose run on system boot.


In addition to modifying the registry editor, the BlackRose virus may also delete shadow copies and stop Windows backup service. This is achievable by running a script that executes the following commands in the background, without the victim noticing:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

BlackRose Virus – Encryption Process

BlackRose ransomware uses the AES encryption algorithm to encode files on the computers that have been compromised by the virus. The ransomware infection uses an encryption procedure that replaces the core structure of the files. This makes the files no longer openable.

Among the targeted files may be the following:


The virus is very careful not to encrypt important files on the user PC that may damage Windows. After the encryption process is complete, BlackRose leaves files in the following state:

After the encryption process by BlackRose has finished, the ransomware infection drops it’s ransom note, so that it is easily noticed. In it, demands are made for the victim to pay 1 BTC otherwise the files will be lost forever. The note is named READ_IT_FOR_GET_YOUR_FILE.txt and has the following content:

“Files has been encrypted
Send me some 1 bitcoins or more to Address BITCOIN :
After Payment bitcoin please send your Address Bitcoin Payment to me at
I will give File Decryptor for you in 24HR…”

Remove BlackRose Virus and Restore Encrypted Files

For the removal process of BlackRose ransomware, recommendations are to follow the removal instructions below. They are designed to help isolate BlackRose ransomware first and perform the removal second. For maximum effectiveness during removal, experts always recommend to eliminate BlackRose using an advanced anti-malware program. It will not only permanently and automatically take care of the BlackRose threat but will also make sure the system is protected in the future too.

In case you wish to restore files that have been encrypted by the BlackRose virus, one way is to try the alternative methods we have suggested in step “2. Restore files encrypted by BlackRose” below. With their aid, you can restore at least some of the encrypted files, but make sure to backup your files beforehand.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share