BlackRuby RDP Ransomware

BlackRuby is a newly observed ransomware tool that installs a cryptocurrency mining programme alongside the encryption routine. At present it is delivered via spam emails containing malicious documents, although there are instances of devices compromised through Remote Desktop Protocol (RDP) brute-force attacks.

Once installed, BlackRuby uses the FreeGeoIP API to check if the compromised device has an Iranian IP address, terminating itself without performing any malicious activity if it does. If the device is non-Iranian then BlackRuby will extract and execute a Monero miner before running a series of commands to delete Volume Shadow Copies and disable Windows recovery services. The mining program will attempt to mine as fast as possible, consuming large amounts of CPU and memory resources and noticeably slowing down the affected device.

BlackRuby uses hybrid RSA and AES encryption. The mining program will continue to run throughout the encryption process and will persist even if ransom payments are made.

Affected Platforms

Microsoft Windows – All versions



Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: