BlackRuby Ransomware Removal Guide

Threat Level:
9/10
Category: Trojans

BlackRuby Ransomware may shock you after it crawls onto your system unnoticed and encrypts the files that matter to you. Our research indicates that this ransomware may actually be decryptable, even though no free recovery tool has surfaced yet; in other words, you may not be able to restore your files right now, but a free tool may appear in the near future. You cannot keep this threat on board until then, though. The infection starts automatically every time you restart your system, so it can encrypt newly created or saved files as well. On top of taking your files hostage, it also slows your computer down, because it installs a Monero miner that burns your CPU or GPU time in the background. Even if the attackers offer you their decryptor and the private key for a fee, you have no guarantee that you will receive either. We advise you to remove BlackRuby Ransomware from your computer immediately to stop any further damage.

It is quite likely that you infected your system with this dangerous malware after opening a spam e-mail and viewing its attachment. The ransomware can be disguised as a document or an image. But why would you open such a spam in the first place? The answer is simple: the message leads you to believe that it concerns an important and urgent matter, such as a problematic online booking (a hotel room), an unsettled invoice, and so on. Since most of us are quite curious, many users open such mails to find out more about this entirely made-up matter. The message body itself gives little away, so you will not learn anything useful by reading it; instead, it points you to the attachment that allegedly contains all the details. Opening that attachment does not make you any wiser, because it simply launches the attack. This also means that by the time you delete BlackRuby Ransomware from your system, your files will already have been rendered useless.

It is also essential to keep your browsers and browser plug-ins (Java and Adobe Flash) up to date, because if you land on a malicious web page that uses an exploit kit, such an infection can be dropped on your system in no time without your noticing, and you do not even need to interact with the page. You can end up on one simply by clicking on the wrong third-party content while you are browsing the web peacefully: one click, and you could have a ransomware program on your system. This is most likely to happen when your PC is not protected with professional security software. Then, all you can do is remove BlackRuby Ransomware ASAP.

Our research shows that this ransomware may originate from Iran, because it does not encrypt files if the victim's IP address is from that country. Of course, this is no proof; such a check may just as well be a decoy meant to point suspicion there. Once you execute the malicious file, it creates a folder, either "%WINDIR%\System32\BlackRuby" or "%WINDIR%\SysWOW64\BlackRuby", depending on whether you use 32-bit or 64-bit Windows (on 64-bit Windows, a 32-bit program that writes to System32 is silently redirected to SysWOW64, which is why you should look in both). This malicious program also creates a Point of Execution (PoE) in your registry ("HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", or the same path without "Wow6432Node" on 32-bit Windows) using the value name "Windows Defender" (deliberately confusing, since older Windows versions have a legitimate Run value of that name) with value data pointing to the location of the infection's copy ("WindowsUI.exe"). In addition, this threat drops a Monero miner named "Svchost.exe", which borrows the name of the legitimate Windows Service Host; the miner is the likely reason your machine slows down, since it needs a lot of CPU or GPU power. The genuine svchost.exe only runs from "%WINDIR%\System32" or "%WINDIR%\SysWOW64" and is signed by Microsoft, so a copy anywhere else is the one to remove.

Encrypted files get a new name and extension of the form "Encrypted_[random string].BlackRuby", e.g., "Encrypted_YDHswhr75d2zpMPPdOiCwtR5lJ4VJXyguOtPNzwkArO.BlackRuby", so the original file name is lost along with the content. The ransom note, "HOW-TO-DECRYPT-FILES.txt", is dropped in every affected folder. It tells a metaphoric story about the "black ruby" you have just received, but its real purpose is to instruct you to e-mail your identification key and two small files to "TheBlackRuby@Protonmail.com" as the first step. The two files are supposedly returned decrypted in the reply as proof; then you are to pay $650 in Bitcoin to a given address, send the transaction code to the same e-mail address, and receive the Black Ruby Decryptor along with the private key. Nothing forces the attackers to keep any part of this bargain, and we still believe that the best solution is to remove BlackRuby Ransomware right away.

Our guide below this article shows you how to eliminate this dangerous ransomware program. Please follow these steps carefully and at your own risk. Although this ransomware seems to be decryptable, we have not found a free tool on the web yet, so your best chance to recover your files is a recent backup on a portable drive that was not connected to the PC while the infection ran. Do not delete the encrypted files themselves, and keep one copy of the ransom note, because a future decryptor may need the identification key it contains. If you would like to protect your PC from similar dangers, you may want to employ a decent anti-malware program, such as SpyHunter, as soon as possible.

How to remove BlackRuby Ransomware from Windows

  1. Press Win+R, type regedit, and hit Enter.
  2. Remove the PoE value "Windows Defender" under "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" (64-bit Windows) or "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" (32-bit Windows), but only the one whose value data points to the malicious .exe (e.g., "C:\Windows\System32\BlackRuby\WindowsUI.exe"); older Windows versions ship a legitimate Run value of the same name for the built-in Defender interface, and that one must stay.
  3. Exit the editor.
  4. Press Ctrl+Shift+Esc to open Task Manager and end any "WindowsUI.exe" process, plus any "Svchost.exe" whose "Open file location" is not "C:\Windows\System32" or "C:\Windows\SysWOW64" (the miner borrows the name of the real Service Host, which only lives there). Windows will not let you delete a program that is still running.
  5. Press Win+E.
  6. Save one copy of the ransom note ("HOW-TO-DECRYPT-FILES.txt"), because it carries the identification key a future decryptor may need, then delete the remaining copies from the affected folders.
  7. Delete the malicious folder depending on your system:
    %WINDIR%\System32\BlackRuby
    %WINDIR%\SysWOW64\BlackRuby
  8. Delete recently downloaded suspicious files, but keep the "Encrypted_*.BlackRuby" files until a decryptor is available.
  9. Empty your Recycle Bin.
  10. Reboot your PC.
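The indicators described earlier (the "Windows Defender" Run value, the BlackRuby drop folders, the Svchost.exe miner, the "HOW-TO-DECRYPT-FILES.txt" note and the "Encrypted_[random string].BlackRuby" naming) and the manual steps above can be checked in one pass. The script below is an added example written for this page, not code from the article, from SpyHunter, or from the malware's authors; it only reports what it finds unless run with -Remove. The drive roots it scans by default and the assumption that the random string in the file names is alphanumeric are mine.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original article): triage of the BlackRuby
  indicators the article lists. Read-only unless -Remove is given.
  Run it from the 64-bit PowerShell on 64-bit Windows, otherwise file and
  registry redirection hides the System32 / non-Wow6432Node locations.
  Assumptions of mine: the default $ScanRoots, and that the random string
  in "Encrypted_<random>.BlackRuby" consists of letters and digits only.
#>
param(
    [switch]$Remove,
    [string[]]$ScanRoots = @('C:\Users')
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$dropDirs = @(
    (Join-Path $env:WINDIR 'System32\BlackRuby'),
    (Join-Path $env:WINDIR 'SysWOW64\BlackRuby')
)
$legitSvchost = @(
    (Join-Path $env:WINDIR 'System32\svchost.exe'),
    (Join-Path $env:WINDIR 'SysWOW64\svchost.exe')
)

# 1. Persistence. Match on the value DATA, not only the name: older Windows
#    versions have a legitimate Run value that is also called "Windows Defender".
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $data = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Windows Defender'
    if ($data -and $data -match '\\BlackRuby\\WindowsUI\.exe') {
        Write-Host "[persistence] $key : Windows Defender = $data"
        if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name 'Windows Defender' }
    }
}

# 2. Running copies. Anything executing from a drop folder is stopped first,
#    otherwise the folder delete below fails on the locked image.
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path }
foreach ($p in $procs) {
    foreach ($dir in $dropDirs) {
        if ($p.Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Host "[process] PID $($p.Id) $($p.Path)"
            if ($Remove) { Stop-Process -Id $p.Id -Force }
        }
    }
}

# 3. Miner. The article names it Svchost.exe; the genuine Service Host runs only
#    from System32 / SysWOW64 and carries a Microsoft signature. The article does
#    not say where the miner is dropped, so only the process is reported, and
#    stopped with -Remove when it runs from the wrong place. (On Windows 7,
#    Get-AuthenticodeSignature ignores catalog signatures, so the real svchost.exe
#    shows NotSigned there; the path check is what decides the action.)
foreach ($p in ($procs | Where-Object { $_.ProcessName -eq 'svchost' })) {
    $outOfPlace = $legitSvchost -notcontains $p.Path
    $sig = Get-AuthenticodeSignature -LiteralPath $p.Path
    if ($outOfPlace -or $sig.Status -ne 'Valid') {
        Write-Host "[miner?] PID $($p.Id) signature=$($sig.Status) $($p.Path)"
        if ($Remove -and $outOfPlace) { Stop-Process -Id $p.Id -Force }
    }
}

# 4. Drop folders.
foreach ($dir in $dropDirs) {
    if (Test-Path -LiteralPath $dir) {
        Write-Host "[folder] $dir"
        if ($Remove) { Remove-Item -LiteralPath $dir -Recurse -Force }
    }
}

# 5. Ransom notes and encrypted files. Encrypted files are only inventoried,
#    never deleted: keep them, and one copy of the note (it carries the
#    identification key), in case a free decryptor appears.
$noteName = 'HOW-TO-DECRYPT-FILES.txt'
$encName  = '^Encrypted_[A-Za-z0-9]+\.BlackRuby$'   # character set is my assumption
$notes     = New-Object System.Collections.Generic.List[string]
$encrypted = New-Object System.Collections.Generic.List[string]
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($f in (Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue)) {
        if     ($f.Name -eq $noteName)   { $notes.Add($f.FullName) }
        elseif ($f.Name -match $encName) { $encrypted.Add($f.FullName) }
    }
}
$inventory = Join-Path $env:TEMP 'blackruby-encrypted-files.txt'
[System.IO.File]::WriteAllLines($inventory, [string[]]$encrypted)
Write-Host "[notes] $($notes.Count)  [encrypted] $($encrypted.Count)  (list written to $inventory)"
if ($Remove -and $notes.Count -gt 0) {
    Copy-Item -LiteralPath $notes[0] -Destination (Join-Path $env:TEMP $noteName) -Force
    foreach ($n in $notes) { Remove-Item -LiteralPath $n -Force }
}
```

Run it once without arguments to see what it finds, then with -Remove (for example `powershell -ExecutionPolicy Bypass -File .\blackruby-triage.ps1 -Remove -ScanRoots C:\Users,D:\`) and reboot afterwards. Get-ChildItem -File needs PowerShell 3.0 or later. The script deliberately matches the Run value on its data rather than its name, and stops a suspicious svchost.exe only on the path check, so that a legitimate Windows component is never removed on the strength of a name collision alone.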