Security researchers reported the discovery of a dangerous new threat called the BlackRuby-2 virus. It is a new iteration of the Infinite Tear malware family and represents an advanced ransomware. The threat has been observed to rename and encrypt the target data with the .BlackRuby-2 extension.
| Threat Summary | Details |
|---|---|
| Short Description | BlackRuby-2 Virus is a dangerous ransomware that causes many system issues on compromised computers. It is a typical ransomware that modifies key system configuration settings and encrypts sensitive user data. |
| Symptoms | The ransomware encrypts files and appends the .BlackRuby-2 extension to them. |
| Distribution Method | Spam Emails, File Sharing Networks, Exploit Kits |
BlackRuby-2 V2 Virus – Infection Spread
The BlackRuby-2 Virus is a new threat that has been reported by the security community. At the moment the active attack campaign uses several of the most popular spread tactics in order to infect the intended victims.
One of the most popular ways is to send email messages that contain spam email attachments infected with the BlackRuby-2 virus. The hackers can either choose to directly send the files as file attachments or post hyperlinks in the body contents. In all cases the criminals use various social engineering tactics in order to coerce the victims into downloading and executing the dangerous files.
The BlackRuby-2 virus can also be hosted on hacker-controlled portals and delivered through scripts. In the most common case these sites use graphics and text that imitate well-known download portals. Related instances can include all manner of scripts: banners, pop-ups and the like. In the last few years we have noted the rise of file-sharing networks such as BitTorrent where the viruses pose as legitimate files.
Another way that such files can infect the target computers is by integrating the virus code in software installers. The criminals behind the ransomware threat take the legitimate software installers of famous applications and modify them to include the BlackRuby-2 virus code. Usually the chosen payloads are free and trial versions of famous applications of all types: creative apps, office suites, utilities and even computer games.
In other cases the hackers can opt to use browser hijackers, which are malicious browser plugins. Their primary aim is to redirect the victims to a hacker-controlled site by manipulating the browser settings. Such plugins are usually made compatible with the most popular web browsers: Mozilla Firefox, Microsoft Edge, Google Chrome, Internet Explorer, Safari and Opera. During the initial infection the BlackRuby-2 virus can be loaded.
BlackRuby-2 V2 Virus – Technical Data
The security audit performed by the security experts shows that the threat is a new strain originating from the InfiniteTear malware family. As such its behavior follows a generic algorithm. According to the report the infection module unfolds through a multi-stage delivery mechanism. Several checks are made before the virus is allowed to execute:
- Regional Settings Check — The infection module looks up the regional settings, which reveal the user's preferences and country. At the moment the captured samples appear to target users living in certain countries. An example list includes Afghanistan, Armenia, Azerbaijan, Iran, Iraq, Pakistan, Turkey and others.
- Security Software Check — The application can scan the local system for any installed security software. The captured virus samples at the moment are configured to look for signs of the following software: Avast, Avira, COMODO, Kaspersky Lab, McAfee and Symantec products. Future versions may also check for sandbox and debugging environments.
- System Profile Information — A preliminary report about the victim machine is generated. It includes information related to the machine's hardware components and installed software.
The next stage of the virus infection unfolds once the BlackRuby-2 virus has gained enough information about the system. The security analysis has revealed that the malware module conducts a series of dangerous actions that all seek to create a persistent state of execution. This action seeks to make manual user recovery very difficult and even impossible in some cases.
The attack starts with the removal of the ability to run the startup recovery. The virus disables this function by modifying the boot loader settings. Following this the malware engine also deletes all shadow volume copies of the identified target data. This makes it difficult to restore affected data without professional recovery software; refer to our instructions for more information on this process. Another dangerous tactic is the removal of log files related to its activity.
An interesting approach is that the threat uses the name of Windows Defender to disguise itself and hinder recovery. The anti-virus software that is part of the operating system is known to cause performance issues when deep scans are involved. Virus components show similar resource usage, which makes it the perfect application to pose as.
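As an added example (not from the original article or the analysis it cites), the following Python script flags the anti-recovery behaviour described above, shadow copy deletion, disabling of startup recovery, log clearing, and a process posing as Windows Defender, in constructed process-creation events. The specific commands it matches are an assumption about how such tampering commonly appears in telemetry, not something the article attributes to BlackRuby-2.

```python
import re

# Constructed sample process-creation events (not real telemetry), one per line
# in the form "user|image_path|command_line". The tampering commands are an
# assumption about how the described behaviour shows up, not from the article.
SAMPLE_EVENTS = r"""
alice|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
alice|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
alice|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
alice|C:\Windows\System32\wevtutil.exe|wevtutil cl System
alice|C:\Users\alice\AppData\Roaming\WindowsDefender.exe|WindowsDefender.exe
SYSTEM|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe|MsMpEng.exe
alice|C:\Windows\System32\notepad.exe|notepad.exe HOW-TO-DECRYPT-FILES.txt
"""

# Each rule pairs a finding name with a regex applied to the command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("startup_recovery_disabled",
     re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s+", re.I)),
]

# Directories from which the genuine Windows Defender engine is expected to run.
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\")

def defender_lookalike(image):
    """True for a process named after Windows Defender that runs from an unexpected path."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    looks_like = "defender" in name or name == "msmpeng.exe"
    return looks_like and not low.startswith(DEFENDER_DIRS)

def analyse(events):
    """Return (finding, user, detail) tuples for every suspicious event."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        user, image, cmd = line.split("|", 2)
        for finding, rx in RULES:
            if rx.search(cmd):
                findings.append((finding, user, cmd))
        if defender_lookalike(image):
            findings.append(("defender_impersonation", user, image))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print("%-27s %-6s %s" % finding)
```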
BlackRuby-2 V2 Virus – Encryption Process
Once all malware components have executed correctly the ransomware component is started. Like other typical computer threats it uses a built-in list of target file type extensions. Usually the target data includes the following:
As a consequence all victim data receive the .BlackRuby-2 extension. To cause further confusion the original file names are also hashed. This makes it nearly impossible to find out the original names of the affected files.
The ransom note is named HOW-TO-DECRYPT-FILES.txt which may contain different messages. One of the captured samples includes the following:
***This option will be available to you after the subscription and monthly payment***
Further improvements may add a lockscreen instance that actively counters any ordinary computer interaction until the threat has been removed.
Remove BlackRuby-2 V2 Virus and Restore Your Files
If your computer got compromised and is infected with the BlackRuby-2 ransomware virus, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware fast before it can spread further on the network and encrypt more files. The recommended action for you is to remove the ransomware completely by following the step-by-step instructions written below.