BlackRuby-2 Virus – How to Remove it and Restore .BlackRuby-2 Data


Security researchers reported the discovery of a dangerous new threat called the BlackRuby-2 virus. It is a new iteration of the Infinite Tear malware family and represents an advanced ransomware. The threat has been observed to rename and encrypt the target data with the .BlackRuby-2 extension.

Threat Summary

Short Description: BlackRuby-2 Virus is a dangerous ransomware that causes a lot of system issues on the compromised computers. It is a typical ransomware that modifies key system configuration settings and encrypts sensitive user data.
Symptoms: The ransomware will encrypt files and append the extension .BlackRuby2 to them.
Distribution Method: Spam Emails, File Sharing Networks, Exploit Kits

BlackRuby-2 V2 Virus – Infection Spread

The BlackRuby-2 Virus is a new threat that has been reported by the security community. At the moment the active attack campaign uses several of the most popular spread tactics in order to infect the intended victims.

One of the most popular methods is to send spam email messages carrying the BlackRuby-2 virus. The hackers can either attach the infected files directly or place hyperlinks in the message body. In all cases the criminals use various social engineering tactics in order to coerce the victims into downloading and executing the dangerous files.

The BlackRuby-2 virus can also be uploaded to hacker-controlled portals and delivered by scripts. In the most popular case these sites use graphics and text that imitate well-known download portals. Related instances can include all manner of scripts: banners, pop-ups etc. In the last few years we have noted the rise of file-sharing networks such as BitTorrent where the viruses pose as legitimate files.

Another way that such files can infect the target computers is by integrating the virus code in software installers. The criminals behind the ransomware threat take the legitimate software installers of famous applications and modify them to include the BlackRuby-2 virus code. Usually the chosen payloads are free and trial versions of famous applications of all types: creative apps, office suites, utilities and even computer games.

In other cases the hackers can opt to use browser hijackers, which are malicious browser plugins. Their primary aim is to redirect the victims to a hacker-controlled site by manipulating the browser settings. Such plugins are usually made compatible with the most popular web browsers: Mozilla Firefox, Microsoft Edge, Google Chrome, Internet Explorer, Safari and Opera. The BlackRuby-2 virus can be loaded during the initial infection.

BlackRuby-2 V2 Virus – Technical Data

The security audit performed by the security experts shows that the threat is a new strain originating from the InfiniteTear malware family. As such its behavior follows a generic algorithm. According to the report the infection unfolds through a multi-stage delivery mechanism. Several checks are made before the virus is allowed to execute:

  • Regional Settings Check — The infection module looks up the regional settings, which reveal the user's preferences and country. At the moment the captured samples appear to target users living in certain countries. An example list includes Afghanistan, Armenia, Azerbaijan, Iran, Iraq, Pakistan, Turkey and others.
  • Security Software Check — The application can scan the local system for any installed security software. The captured virus samples at the moment are configured to look for signs of the following software: Avast, Avira, COMODO, Kaspersky Lab, McAfee and Symantec products. Future versions can include sandbox and debugging environments.
  • System Profile Information — A preliminary report about the victim machine is generated. It includes information related to the machine’s hardware components and installed software.

The next stage of the virus infection unfolds once the BlackRuby-2 virus has gained enough information about the system. The security analysis has revealed that the malware module conducts a series of dangerous actions that all seek to create a persistent state of execution. This action seeks to make manual user recovery very difficult and even impossible in some cases.

The attack starts by removing the ability to run startup recovery: the virus disables this function by modifying the boot loader settings. Following this the malware engine also deletes all shadow volume copies of the identified target data. This makes it difficult to restore the affected data without professional software; refer to our instructions for more information on this process. Another dangerous tactic is the removal of log files related to its activity.

An interesting aspect is that the threat uses the name of Windows Defender to disguise itself. The anti-virus software that is part of the operating system is known to cause performance issues when deep scans are involved. Such resource usage is also typical of virus components, which makes it the perfect app to pose as.
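The recovery-inhibiting steps described above (boot loader recovery switched off, shadow copies deleted, activity logs wiped, a process borrowing the Windows Defender name) are exactly what a detection rule should key on. The following Python script is an added example, not code from the article or from the malware: it runs a handful of such rules over a few constructed process-creation log lines. The specific command lines it matches (vssadmin, bcdedit, wevtutil), the trusted Windows Defender directories and the simplified pipe-separated log layout are assumptions made for this example; the article names the behaviours, not the tools.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log (not from the article): one process-creation event per
# line in a simplified "time | image path | command line" layout.
SAMPLE_EVENTS = r"""
2018-02-28T10:01:02 | C:\Windows\System32\vssadmin.exe | vssadmin delete shadows /all /quiet
2018-02-28T10:01:03 | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} recoveryenabled No
2018-02-28T10:01:03 | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
2018-02-28T10:01:05 | C:\Windows\System32\wevtutil.exe | wevtutil cl System
2018-02-28T10:01:09 | C:\Users\alice\AppData\Roaming\WindowsDefender.exe | WindowsDefender.exe
2018-02-28T10:02:00 | C:\Windows\System32\notepad.exe | notepad.exe C:\Users\alice\notes.txt
2018-02-28T10:03:00 | C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1802.1\MsMpEng.exe | MsMpEng.exe
"""


@dataclass
class Finding:
    time: str
    rule: str
    image: str
    command: str


# Command-line patterns for the recovery-inhibition behaviours the article describes.
# Which tools the malware actually invokes is an assumption of this example.
COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("startup_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]

# Directories the genuine Windows Defender engine runs from (assumed for this example).
# Anything that carries the Defender name but starts elsewhere is treated as a masquerade.
TRUSTED_DEFENDER_PREFIXES = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)
DEFENDER_NAME = re.compile(r"(defender|msmpeng)", re.I)


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one log line into (time, image, command); maxsplit keeps '|' inside commands."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def detect(log_text: str) -> List[Finding]:
    """Apply the command-line rules and the Defender-masquerade check to every event."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        time, image, command = event
        for rule, pattern in COMMAND_RULES:
            if pattern.search(command):
                findings.append(Finding(time, rule, image, command))
        basename = image.rsplit("\\", 1)[-1]
        if DEFENDER_NAME.search(basename) and not image.lower().startswith(TRUSTED_DEFENDER_PREFIXES):
            findings.append(Finding(time, "defender_masquerade", image, command))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.time}  {f.rule:26s} {f.image}  ::  {f.command}")
```

Each rule fires on a single event, so the value of the script is in correlation: the same host producing a shadow-copy deletion, a boot-loader change and a log clear within seconds is a much stronger signal than any one of them alone, and that is the grouping a SIEM rule built on these patterns should do.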

BlackRuby-2 V2 Virus – Encryption Process

Once all malware components have executed correctly the ransomware component is started. Like other typical computer threats it uses a built-in list of target file type extensions. Usually the target data includes the following:

  • Archives
  • Documents
  • Videos
  • Audio
  • Images
  • Backups

As a consequence all victim data receive the .BlackRuby-2 extension. To cause further confusion the target file names are also hashed. This makes it nearly impossible to find out the original names of the victim data.

The ransom note is named HOW-TO-DECRYPT-FILES.txt which may contain different messages. One of the captured samples includes the following:

***This option will be available to you after the subscription and monthly payment***

Further improvements may add a lockscreen instance that actively counters any ordinary computer interaction until the threat has been removed.
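The two indicators the article gives for the encryption stage, the .BlackRuby-2 extension and the HOW-TO-DECRYPT-FILES.txt note, are enough to triage a share or a backup target and to measure the damage before any restore is attempted. The following Python script is an added example, not code from the article or from any recovery tool: it walks a directory tree, separates encrypted files from untouched ones, counts ransom notes and lists the directories to prioritise when restoring from backup. Treating a 32 to 64 character hexadecimal stem as a hashed original name is an assumption of this example (the article says the names are hashed but not how), and the sample tree it builds in a temporary directory is constructed, not real victim data.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators taken from the article.
ENCRYPTED_EXT = ".BlackRuby-2"
RANSOM_NOTE = "HOW-TO-DECRYPT-FILES.txt"
# Assumption for this example: a hashed original name shows up as a hex-only stem.
HEX_STEM = re.compile(r"^[0-9a-fA-F]{32,64}$")


def triage(root: Path) -> Dict[str, List[str]]:
    """Sort every file under root into encrypted, hashed-name, ransom-note and untouched."""
    result: Dict[str, List[str]] = {
        "encrypted": [], "hashed_names": [], "ransom_notes": [], "untouched": []
    }
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            result["ransom_notes"].append(rel)
        elif path.suffix == ENCRYPTED_EXT:
            result["encrypted"].append(rel)
            # A hex-only stem means the original name is gone: only a backup or a
            # surviving shadow copy can bring the file back, renaming cannot.
            if HEX_STEM.match(path.stem):
                result["hashed_names"].append(rel)
        else:
            result["untouched"].append(rel)
    return result


def affected_directories(result: Dict[str, List[str]]) -> List[str]:
    """Directories holding encrypted files or notes, for prioritising restores from backup."""
    dirs = {Path(p).parent.as_posix() for p in result["encrypted"] + result["ransom_notes"]}
    return sorted(dirs)


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree (not real victim data) so the script runs stand-alone."""
    docs = root / "Documents"
    pics = root / "Pictures"
    docs.mkdir(parents=True)
    pics.mkdir(parents=True)
    (docs / RANSOM_NOTE).write_text("constructed ransom note\n")
    # One file whose name was hashed, one that merely had the extension appended.
    (docs / ("3f8a9c1d2e4b5a6f7081920a3b4c5d6e" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (docs / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (pics / RANSOM_NOTE).write_text("constructed ransom note\n")
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0")


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a fresh temporary directory and triage it."""
    root = Path(tempfile.mkdtemp(prefix="blackruby2-triage-"))
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    report = run_demo()
    for key, files in report.items():
        print(f"{key}: {len(files)}")
        for name in files:
            print("   ", name)
    print("affected directories:", affected_directories(report))
```

Run against a real share the script is read-only, which matters: nothing should be renamed, moved or deleted on an affected volume until the inventory is captured, because the hashed names are the one piece of information a restore from backup has to reconcile.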

Remove BlackRuby-2 V2 Virus and Restore Your Files

If your computer got compromised and is infected with the BlackRuby-2 ransomware virus, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware fast before it can spread further on the network and encrypt more files. The recommended action for you is to remove the ransomware completely by following the step-by-step instructions written below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

