February 12, 2018
A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can.
Unfortunately, this ransomware is not decryptable at this time. If you wish to discuss or receive help, you can use our dedicated Black Ruby Help & Support topic.
Black Ruby won't run if a victim is from Iran
Black Ruby will only encrypt a computer if the victim is not from Iran. When started, the ransomware will query http://freegeoip.net/json/ and check if the response contains "country_code":"IR".
If the site does indicate that the user is from Iran, the process will terminate and will not perform any malicious activity on the computer.
Black Ruby may be installed via Remote Desktop Services
While it is not 100% confirmed, there is a good chance that Black Ruby is being installed via Remote Desktop Services. In a Reddit post, a user asked for help with a server that was encrypted by Black Ruby over the weekend when no one was in the office.
The first thing people thought, including myself, was whether they had Remote Desktop Services enabled. While the user has not confirmed whether Remote Desktop Services was open to the public, this was most likely the method the attacker used to gain access to their network.
Black Ruby Drops a Monero Miner
To make matters worse, the developers decided to install a Monero miner on the computer before encrypting it. This way if the victim does not pay the ransom, the attackers can at least generate digital currency from them.
When a user logs in, Black Ruby will extract a miner executable to C:\Windows\System32\BlackRuby\svchost.exe.
[Image: Extract Embedded Miner]
When the miner is executed, it will connect to the pool at de01.supportxmr.com:3333 where it will begin mining for the Monero currency.
[Image: svchost.exe miner in Task Manager]
When mining, it will use the maximum amount of CPU it can, which will cause the computer to become extremely slow and the victim's CPU to run very hot for an extended period of time.
How Black Ruby encrypts a computer
When Black Ruby is installed it will check to see if your IP address is in Iran. If it is, it will terminate the program. If not, it will first extract a Monero miner as described above. After it extracts and executes the miner it will terminate the sql.exe process and execute the following commands:
After those commands are executed, it will scan the computer for certain file types that it will encrypt. The file types encrypted by Black Ruby are:
When encrypting files it will rename them to the format Encrypted_[scrambled_file_name].BlackRuby. For example, a file called test.jpg would be encrypted and renamed as Encrypted_zIX2dFXFt9qNfifBu1mqkNVYTX79ZS48TWWU5BRm3Q.BlackRuby.
[Image: Encrypted BlackRuby files]
When the ransomware has finished encrypting a computer, it will drop a ransom note named HOW-TO-DECRYPT-FILES.txt to the Windows desktop. This ransom note is quite bizarre and doesn't quite make sense. For example, it opens with the following statement and gets more bizarre as you continue to read it.
The full contents of the ransom note are below.
[Image: Ransom Note Part 1] [Image: Ransom Note Part 2]
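As an added defender-side example (not code from the original article), the following Python triages a host against the indicators given above: the dropped miner path, the de01.supportxmr.com:3333 pool endpoint, the ransom note name and the Encrypted_[scrambled_file_name].BlackRuby filename pattern. The connection records' dest_host/dest_port keys are an assumed export format, and all sample input is constructed.

```python
import re
# Indicators taken from the write-up: miner drop path, mining pool endpoint,
# ransom note name and renamed-file pattern. All sample input is constructed.
MINER_PATH = r"c:\windows\system32\blackruby\svchost.exe"
POOL_ENDPOINT = ("de01.supportxmr.com", 3333)
RANSOM_NOTE = "how-to-decrypt-files.txt"
ENCRYPTED_RE = re.compile(r"^Encrypted_[A-Za-z0-9]+\.BlackRuby$")  # scrambled part is alphanumeric

def classify_paths(paths):
    """Bucket backslash file paths into Black Ruby artifact types (case-insensitive)."""
    hits = {"miner": [], "note": [], "encrypted": []}
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if p.lower() == MINER_PATH:  # the real svchost.exe lives one directory up
            hits["miner"].append(p)
        elif name.lower() == RANSOM_NOTE:
            hits["note"].append(p)
        elif ENCRYPTED_RE.match(name):
            hits["encrypted"].append(p)
    return hits

def pool_connections(records):
    """Records (hypothetical export with dest_host/dest_port keys) that reach the pool."""
    host, port = POOL_ENDPOINT
    return [r for r in records
            if str(r.get("dest_host", "")).lower() == host
            and str(r.get("dest_port", "")) == str(port)]

def triage(paths, records):
    """Turn raw hits into the two findings a responder acts on."""
    hits, conns = classify_paths(paths), pool_connections(records)
    findings = []
    if hits["miner"] or conns:
        findings.append("miner: remove %s and block %s:%d" % (MINER_PATH, *POOL_ENDPOINT))
    if hits["encrypted"] or hits["note"]:
        findings.append("encryption: %d renamed files, note present=%s"
                        % (len(hits["encrypted"]), bool(hits["note"])))
    return findings

if __name__ == "__main__":  # constructed sample host inventory and connection export
    sample_paths = [
        r"C:\Windows\System32\BlackRuby\svchost.exe",
        r"C:\Windows\System32\svchost.exe",  # legitimate, must not match
        r"C:\Users\alice\Desktop\HOW-TO-DECRYPT-FILES.txt",
        r"C:\Users\alice\Pictures\Encrypted_zIX2dFXFt9qNfifBu1mqkNVYTX79ZS48TWWU5BRm3Q.BlackRuby",
    ]
    sample_conns = [{"dest_host": "de01.supportxmr.com", "dest_port": "3333"},
                    {"dest_host": "update.microsoft.com", "dest_port": 443}]
    for finding in triage(sample_paths, sample_conns):
        print(finding)
```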
Unfortunately, at this time there is no way to decrypt files encrypted by Black Ruby for free. Furthermore, if you do not plan on paying the ransom, be sure to remove the Monero miner or your computer will become unusable due to the high CPU utilization.
If you wish to discuss this ransomware, you can use our BlackRuby Ransomware Help & Support topic.
How to protect yourself from the Black Ruby Ransomware
To protect yourself from the Black Ruby Ransomware, it is particularly important that you do not have any computers running Remote Desktop Services connected directly to the Internet. Instead, place computers running remote desktop behind a VPN so that they are only accessible to those who have VPN accounts on your network.
In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
- Backup, Backup, Backup!
- Do not open attachments if you do not know who sent them.
- Do not open attachments until you confirm that the person actually sent them to you.
- Scan attachments with tools like VirusTotal.
- Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
- Make sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it could have the biggest payoff.
- Use hard passwords and never reuse the same password at multiple sites.
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Ransom Note Text:
News courtesy: https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/