BlackRuby-2 Virus – How to Remove it and Restore .BlackRuby-2 Data

Security researchers have reported a new threat named the BlackRuby-2 virus. It is a new iteration of the InfiniteTear malware family and is a fully developed ransomware. The threat renames the files it encrypts and appends the .BlackRuby-2 extension to them.

Threat Summary

Name: BlackRuby-2
Type: Ransomware
Short Description: BlackRuby-2 is a ransomware that modifies key system configuration settings (startup recovery, shadow volume copies) on the compromised computer and encrypts the user's data.
Symptoms: The ransomware encrypts files, renames them and appends the .BlackRuby-2 extension; a ransom note named HOW-TO-DECRYPT-FILES.txt is dropped.
Distribution Method: Spam Emails, File Sharing Networks, Exploit Kits

BlackRuby-2 V2 Virus – Infection Spread

The BlackRuby-2 virus is a newly reported threat. The currently active attack campaign uses several widely used distribution tactics to reach its intended victims.

One of the most common ways is spam email carrying the BlackRuby-2 virus. The attackers either attach the malicious file directly or place hyperlinks to it in the message body. In both cases the criminals use social engineering to trick the victims into downloading and executing the dangerous files.

The BlackRuby-2 virus can also be hosted on hacker-controlled download portals. In the most common case these sites copy the graphics and text of well-known download sites. Related delivery vectors include malicious scripts embedded in banners, pop-ups and similar web elements. In the last few years we have also noted the rise of file-sharing networks such as BitTorrent, where the virus poses as a legitimate file.

Another way the virus reaches target computers is by being bundled into software installers. The criminals behind the ransomware take the legitimate installers of popular applications and modify them to include the BlackRuby-2 virus code. The chosen carriers are usually free and trial versions of popular applications of all types: creative apps, office suites, utilities and even computer games.

In other cases the hackers use browser hijackers, malicious browser plugins whose primary aim is to redirect the victims to a hacker-controlled site by manipulating the browser settings. Such plugins are usually made compatible with the most popular web browsers: Mozilla Firefox, Microsoft Edge, Google Chrome, Internet Explorer, Safari and Opera. Once the hijacker is installed, the BlackRuby-2 virus can be loaded as a follow-up payload.

BlackRuby-2 V2 Virus – Technical Data

The security audit performed by the experts shows that the threat is a new strain of the InfiniteTear malware family, and its behavior follows the family's generic pattern. According to the report the infection unfolds through a multi-stage delivery mechanism. Several checks are made before the virus is allowed to execute:

  • Regional Settings Check — The infection module looks up the regional settings, which reveal the user's preferences and country. The captured samples appear to target users in certain countries; an example list includes Afghanistan, Armenia, Azerbaijan, Iran, Iraq, Pakistan, Turkey and others.
  • Security Software Check — The module scans the local system for installed security software. The captured samples are configured to look for signs of the following products: Avast, Avira, COMODO, Kaspersky Lab, McAfee and Symantec. Future versions may add checks for sandbox and debugging environments.
  • System Profile Information — A preliminary report about the victim machine is generated. It includes information about the machine's hardware components and installed software.

The next stage of the infection begins once the BlackRuby-2 virus has gathered enough information about the system. The security analysis has revealed that the malware module performs a series of dangerous actions that all serve to establish persistence. Their purpose is to make manual recovery by the user very difficult and, in some cases, impossible.

The attack starts by disabling Windows startup recovery through changes to the boot loader configuration. The malware engine then deletes all Volume Shadow Copies of the identified target data, which makes restoring the encrypted files without specialized recovery software difficult; refer to our instructions below for more information on this process. Another dangerous tactic is the deletion of log files related to its activity.

An interesting detail is that the threat disguises itself under the name of Windows Defender, the anti-virus component built into the operating system. Windows Defender is known to consume considerable resources during deep scans, and the virus components show similar resource usage while encrypting, so it is a convenient application to impersonate.
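The persistence actions described in this section (shadow copy deletion, disabling startup recovery, log clearing and the Windows Defender disguise) are all visible in process-creation telemetry. The following is an added example of detection logic over such events, not code from the original page or from the BlackRuby-2 samples. The concrete command lines it matches (vssadmin and wmic for shadow copies, bcdedit for startup recovery, wevtutil for event logs) are the usual Windows commands for those effects and are an assumption about this family, since the page only describes the effects; the "Key=Value|Key=Value" log format and the sample events are constructed for the demo.

```python
"""Detect the post-infection actions described above in process-creation
telemetry (added example; not the page's or the malware's code).

The matched commands are assumptions about how the effects are achieved,
and the log lines are constructed for the demo."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    technique: str
    image: str
    command_line: str


# (technique name, regex over the command line); the commands are assumptions
# about the family, chosen because they are the common ways to get the effects.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event_log_cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s", re.I)),
]

# Genuine Windows Defender binaries and the directories they are installed in.
DEFENDER_BINARIES = {"msmpeng.exe", "msascui.exe", "nissrv.exe", "mpcmdrun.exe"}
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' line (constructed format; real Sysmon or
    Windows Security events would be read from EVTX/XML instead)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def analyse(lines):
    """Return one Finding per suspicious event, in log order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        image = event.get("image", "")
        cmd = event.get("commandline", "")
        for technique, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(technique, image, cmd))
        # A Defender-named process started from anywhere other than the Defender
        # install directories is the impersonation the text describes.
        path = image.lower().replace("/", "\\")
        binary = path.rsplit("\\", 1)[-1]
        if binary in DEFENDER_BINARIES and not path.startswith(DEFENDER_DIRS):
            findings.append(Finding("defender_masquerade", image, cmd))
    return findings


# Constructed sample telemetry: three destructive commands, one impersonating
# process, then two benign events that must not fire.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"Image=C:\Windows\System32\bcdedit.exe|CommandLine=bcdedit /set {default} recoveryenabled No",
    r"Image=C:\Windows\System32\wevtutil.exe|CommandLine=wevtutil cl System",
    r"Image=C:\Users\victim\AppData\Roaming\MsMpEng.exe|CommandLine=MsMpEng.exe",
    r"Image=C:\Program Files\Windows Defender\MsMpEng.exe|CommandLine=MsMpEng.exe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe HOW-TO-DECRYPT-FILES.txt",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(f"{finding.technique:28} {finding.image}")
```

Running the block prints four findings for the first four sample events and nothing for the genuine Defender binary or the notepad launch. In a real deployment the same rules would run over Sysmon Event ID 1 or Security Event ID 4688 data, and the "image path outside the install directory" check is the cheap way to catch the Windows Defender impersonation regardless of what the process calls itself.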

BlackRuby-2 V2 Virus – Encryption Process

Once all malware components have executed correctly, the ransomware component is started. Like most ransomware it uses a built-in list of target file extensions. The target data usually includes the following:

  • Archives
  • Documents
  • Videos
  • Audio
  • Images
  • Backups

As a consequence, all affected files receive the .BlackRuby-2 extension. To cause further confusion the original file names are also replaced with hash values, which makes it nearly impossible to determine the original names of the encrypted files from the file system alone.
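Because a hash is one-way, the only route back from a hashed name is to hash every candidate original name and compare. The following added example (not the ransomware's or the page's code) does exactly that against a file inventory such as a backup listing or an earlier directory index. The page only states that the names are hashed; the scheme assumed here, hex(hash(original file name)) followed by the .BlackRuby-2 extension with one of a few common algorithms, is an assumption, as are the inventory and the post-encryption directory listing, both constructed for the demo. If the malware salts or keys the hash, or hashes something other than the name, the lookup fails and the file stays in the "unknown" list, which is the practical meaning of "nearly impossible" above.

```python
"""Map hashed .BlackRuby-2 file names back to original names using an
inventory of candidate names (added example; the renaming scheme is assumed).

The inventory and the encrypted listing are constructed for the demo."""
import hashlib

EXTENSION = ".BlackRuby-2"
CANDIDATE_ALGORITHMS = ("sha256", "sha1", "md5")  # assumption: one of these


def hashed_name(original_name, algorithm="sha256"):
    """Name a file would receive under the assumed renaming scheme."""
    digest = hashlib.new(algorithm, original_name.encode("utf-8")).hexdigest()
    return digest + EXTENSION


def build_lookup(inventory, algorithms=CANDIDATE_ALGORITHMS):
    """Map hex digest -> original name for every inventory entry and algorithm.
    A hash is one-way, so the way back is to hash every candidate name."""
    lookup = {}
    for name in inventory:
        for algorithm in algorithms:
            digest = hashlib.new(algorithm, name.encode("utf-8")).hexdigest()
            lookup[digest] = name
    return lookup


def recover_names(encrypted_listing, inventory):
    """Split a directory listing into (recovered {encrypted: original}, unknown [...]).
    Files without the extension (ransom note, untouched files) are skipped."""
    lookup = build_lookup(inventory)
    recovered, unknown = {}, []
    for name in encrypted_listing:
        if not name.endswith(EXTENSION):
            continue
        digest = name[: -len(EXTENSION)].lower()
        if digest in lookup:
            recovered[name] = lookup[digest]
        else:
            unknown.append(name)  # not in the inventory, or a salted/keyed hash
    return recovered, unknown


# Constructed data: an inventory of the directory taken before the incident...
INVENTORY = ["Quarterly report.docx", "family-photo.jpg", "backup-2018.zip"]

# ...and the listing of the same directory after encryption. Two names were
# produced with sha256 and one with sha1 (to exercise the multi-algorithm
# lookup); the last entry is not in the inventory at all.
ENCRYPTED_LISTING = [
    hashed_name("Quarterly report.docx"),
    hashed_name("family-photo.jpg"),
    hashed_name("backup-2018.zip", "sha1"),
    "HOW-TO-DECRYPT-FILES.txt",
    "deadbeef" * 8 + EXTENSION,
]

if __name__ == "__main__":
    recovered, unknown = recover_names(ENCRYPTED_LISTING, INVENTORY)
    for encrypted, original in recovered.items():
        print(f"{encrypted} -> {original}")
    print("unrecoverable:", unknown)
```

The lookup scales with (inventory size x algorithms), so even a full-disk file index from a backup is cheap to process. Recovering a name does not decrypt the file, but it tells you which backups to restore and which encrypted files matter most.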

The ransom note is named HOW-TO-DECRYPT-FILES.txt and its contents vary between samples. One of the captured samples includes the following:

***This option will be available to you after the subscription and monthly payment***

Future versions may add a lockscreen component that blocks ordinary interaction with the computer until the threat has been removed.

Remove BlackRuby-2 V2 Virus and Restore Your Files

If your computer has been compromised by the BlackRuby-2 ransomware, you should have some experience with malware removal before attempting it yourself. Remove the ransomware quickly, before it can spread further across the network and encrypt more files. The recommended course of action is to remove the ransomware completely by following the step-by-step instructions below.


To remove BlackRuby-2 follow these steps:

1. Boot your PC in Safe Mode to isolate and remove BlackRuby-2 files and objects
2. Find files created by BlackRuby-2 on your PC
3. Scan for malware and unwanted programs with an anti-malware tool
4. Try to restore files encrypted by BlackRuby-2

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

