If you see a pop-up window saying “Welcome to Ruby Ransomware” you naturally encountered a threat known as Ruby Ransomware. The malicious application is supposed to be capable of encrypting personal user’s data, such as photos, pictures, archives, videos, etc. However, in reality, the application does not encipher any data. We also noticed that unlike other similar malware, Ruby Ransomware does not drop any text or HTML files containing the ransom note. Usually, such notes tell how much the cyber criminals want you to pay them and how to transfer the ransom. The lack of such essential information and mentioned failures makes us believe the infection might be unfinished yet. Therefore we doubt it could be distributed widely, but if you encountered it, we advise you to get rid of it immediately with a reliable security tool or deletion instructions available at the end of the text.
The infection was written in .NET Framework language and it is based on an open source ransomware called Hidden Tear; thus, we doubt it could have been created by an experienced hacker. Because of this, it is possible the malicious application might not even be updated. Ruby Ransomware should encipher HTML, PDF, Microsoft Word, Excel, PowerPoint, and other similar documents located on the computer. The enciphered data could either have or have no additional extension, so the damaged file would either look same as before or have a second extension, e.g. fairy.jpg.ruby and so on.
Nevertheless, while testing the malicious program, we noticed it failed to encrypt any data. In fact, after opening the malware’s launcher, it showed an error. It was called Microsoft .NET Framework and it said: “Unhandled exception has occurred in your application.” It could be displayed on purpose to buy the program time for encryption, but given the application does not work as it should, it is more likely the pop-up appears because of Ruby Ransomware's failure. The next pop-up should be displayed by the malicious application itself since it says “Check desktop for rubyLeza.html and Read it carefully for instructions.” At this point, we noticed that the threat fails to complete its tasks again since it did not place the mentioned HTML file or other files alike, which could provide a ransom note.
Furthermore, we believe Ruby Ransomware might travel with infected email attachments or malicious setup files suggested on harmful web pages or by doubtful pop-up ads. If you remember exactly how you caught the infection, you should make sure it never happens again. To secure the system and protect it from the future threats, it would be advisable to acquire a trustworthy security tool. If you decide to invest in such a tool, you could firstly use it to erase Ruby Ransomware as the malware should be removed for safety precautions. Of course, if you feel you can handle the malware on your own, we may offer the recommended deletion steps placed just below the article. Also, users should know they can always write us a message in the comments section or reach us via social media if there is anything else we could help with.