BlackRuby-2 Ransomware Removal Guide

Do you know what BlackRuby-2 Ransomware is?

BlackRuby-2 Ransomware is a new crypto-threat that encrypts victims’ personal files. As our researchers have observed, it is a new version of BlackRuby Ransomware, so it quickly became clear what to expect from it. Only one thing sets it apart: it does not encrypt files on computers located in Turkey, Turkmenistan, Pakistan, Azerbaijan, Iraq, Armenia, or Afghanistan. It decides where the victim lives by checking the computer’s public IP address, so the result reflects where the connection appears to originate rather than where the user actually is. Users outside the listed countries will find a bunch of personal files locked if this infection ever infiltrates their computers; researchers say it encrypts images, documents, videos, and other files it considers valuable. Ransomware locks victims’ files because cyber criminals want easy money. Do not be one of those users who send a ransom expecting their files to be unlocked shortly afterwards, because there is no guarantee that a decryptor will be given to you or that it will work properly. In addition, by sending money to malware developers you give them a reason to keep developing new malware, which you might encounter yourself in the future.

BlackRuby-2 Ransomware is a new infection, but it does not differ much from older file-encrypting threats. Like them, it locks users’ files as soon as it successfully infiltrates the computer. Specialists say the list of targeted extensions is likely to be a long one; your pictures, documents, and other important files will certainly be among those locked. You do not need to open your files to check: encrypted files are easy to recognize because each one is renamed. For example, picture.jpg might become Encrypted_9Yvb3RNlPfC0y6ZC3f9Gm3fQHqUEVJ0rt4Lm6ZUgJ5IJ.BlackRuby2, where the original name is replaced by Encrypted_ followed by a random string of letters and digits, and .BlackRuby2 becomes the new extension. Another sign that BlackRuby-2 Ransomware is the one responsible for locking data stored on your system is a text file named HOW-the TO-DECRYPT-files.txt, the ransom note it drops for users. Users are told that two files will be decrypted for free, but that they must purchase Black Ruby Decryptor to unlock the rest. You should not pay money to crooks even if it means never regaining access to certain files. As mentioned in the first paragraph, you cannot know whether the cyber criminals will actually hand over the promised decryptor.

If BlackRuby-2 Ransomware has already infiltrated your computer and locked your files, you will also find XMRig, a Monero miner, on the system: the ransomware downloads and installs it without the victim’s knowledge. The miner consumes processor time, so your computer might become very slow. Do not forget to delete it together with the ransomware infection.

At the time of research, BlackRuby-2 Ransomware was not a prevalent infection, but that might change soon, so be careful not to end up with it. According to our specialists, this malicious application is most likely distributed mainly via spam emails, so stay away from spam emails and their attachments. Do not click suspicious links either, because they might start an automatic ransomware download. Last but not least, keep a security tool enabled on your computer. As long as it stays active and receives regular updates, it will be much harder for malware to infiltrate your computer; no tool makes infection impossible, though, so keep offline backups of your files so that encrypted data can be restored without paying.

You should use our removal guide (see below) if this is the first time you are removing such a nasty infection manually. Do not expect a quick procedure: you will need to erase every component of this threat yourself, so if you are looking for a quicker way, use an antimalware scanner instead.

Delete BlackRuby-2 Ransomware

  1. Launch Run (tap Win+R) and type regedit in the box.
  2. Click OK.
  3. Access the Run registry key (HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run). Wow6432Node exists only on 64-bit Windows; also check the same Run key without Wow6432Node and the one under HKCU.
  4. If you find an entry belonging to BlackRuby-2 Ransomware there (an unfamiliar value pointing to a file you did not install), select and delete it.
  5. Close Registry Editor and open Windows Explorer.
  6. Check %WINDIR%\SysWOW64 and %WINDIR%\System32.
  7. If you can locate the BlackRuby folder, delete it.
  8. Remove every copy of HOW-the TO-DECRYPT-files.txt from your computer.
  9. Delete recently downloaded files you do not recognize (for example the email attachment that started the infection).
  10. Empty the Recycle Bin.
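To find the file-system indicators described above in one pass (the renamed Encrypted_….BlackRuby2 files and the HOW-the TO-DECRYPT-files.txt note from the second paragraph, and the BlackRuby folder from steps 6 and 7), here is an added Python triage script. It is not the page’s or the malware researchers’ own tooling: the name pattern, note name and folder name are taken from this guide, and the sample directory tree it builds is constructed here for illustration. It only reports; it deletes nothing, and the Run key and the miner processes still need the Registry Editor and Task Manager steps.

```python
"""Sweep a directory tree for the BlackRuby-2 file-system indicators.

Added example: the name pattern, note file name and folder name come from
the guide above; build_sample_tree() creates a constructed, fake victim tree
so the script can run offline. Nothing is deleted; review the findings first.
"""
import os
import re
import tempfile
from pathlib import Path

# picture.jpg -> Encrypted_9Yvb3RNlPfC0y6ZC3f9Gm3fQHqUEVJ0rt4Lm6ZUgJ5IJ.BlackRuby2
# The original name is replaced by "Encrypted_" plus a random alphanumeric
# string, and ".BlackRuby2" is the new extension.
ENCRYPTED_NAME = re.compile(r"^Encrypted_[A-Za-z0-9]+\.BlackRuby2$")
RANSOM_NOTE = "HOW-the TO-DECRYPT-files.txt"  # note file name as given in the guide
DROP_FOLDER = "BlackRuby"                     # looked for under SysWOW64 / System32


def is_encrypted_name(name: str) -> bool:
    """True if a file name matches the BlackRuby-2 renaming scheme."""
    return ENCRYPTED_NAME.match(name) is not None


def sweep(root) -> dict:
    """Walk `root` and return the paths of each indicator type found."""
    root = Path(root)
    found = {"encrypted": [], "notes": [], "folders": []}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for sub in dirnames:
            if sub == DROP_FOLDER:
                found["folders"].append(str(here / sub))
        for name in filenames:
            if is_encrypted_name(name):
                found["encrypted"].append(str(here / name))
            elif name == RANSOM_NOTE:
                found["notes"].append(str(here / name))
    return found


def build_sample_tree() -> str:
    """Constructed sample tree (not real malware output) mimicking a hit machine."""
    root = tempfile.mkdtemp(prefix="blackruby2_demo_")
    files = [
        # victim's data: renamed files plus a note per folder, mixed with clean files
        "Users/alice/Pictures/Encrypted_9Yvb3RNlPfC0y6ZC3f9Gm3fQHqUEVJ0rt4Lm6ZUgJ5IJ.BlackRuby2",
        "Users/alice/Pictures/" + RANSOM_NOTE,
        "Users/alice/Documents/Encrypted_Ab12Cd34Ef56.BlackRuby2",
        "Users/alice/Documents/Encrypted_Zz99Yy88Xx77.BlackRuby2",
        "Users/alice/Documents/" + RANSOM_NOTE,
        "Users/alice/Documents/report.docx",          # untouched file
        "Users/alice/Downloads/invoice.BlackRuby2",   # wrong prefix, not the scheme
        "Windows/System32/drivers/etc/hosts",         # clean system file
    ]
    for rel in files:
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"demo")
    # the drop folder the guide tells you to look for (steps 6 and 7)
    Path(root, "Windows", "SysWOW64", DROP_FOLDER).mkdir(parents=True)
    return root


def demo() -> dict:
    """Build the sample tree, sweep it, and return the count per indicator type."""
    found = sweep(build_sample_tree())
    return {kind: len(paths) for kind, paths in found.items()}


if __name__ == "__main__":
    for kind, paths in sweep(build_sample_tree()).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

On a real Windows host, call sweep(os.environ["WINDIR"]) for the drop folder and sweep on each drive root or user profile for the renamed files and notes; the list of encrypted paths doubles as the inventory of what must be restored from backup. An empty result does not prove the machine is clean, since the Run entry and the miner are not visible to this sweep.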

Delete XMRig

  1. Press Ctrl+Shift+Esc to open Task Manager.
  2. Open the Processes tab.
  3. Locate winserv.exe with the description WindowsHub.
  4. Right-click the process and select Open File Location.
  5. End the process and then delete the file shown in that location.
  6. Locate the AudioHD.exe process with the XMRIG description.
  7. Repeat the 4th step.
  8. End the process and delete the malicious file.

In non-techie terms:

BlackRuby-2 Ransomware is a harmful threat that not only encrypts victims’ personal files (e.g. documents, pictures, and music) mercilessly after illegally entering their systems, but also installs a cryptocurrency miner on their computers. As a consequence, the computers’ performance might considerably decrease and, because of this, users might no longer be able to use the computer normally. Delete both the ransomware infection and the cryptocurrency miner ASAP!