BlackRuby is a newly observed ransomware tool that installs a cryptocurrency mining programme alongside the encryption routine. At present it is delivered via spam emails containing malicious documents, although there are instances of devices compromised through Remote Desktop Protocol (RDP) brute-force attacks.

Once installed, BlackRuby uses the FreeGeoIP API to check whether the compromised device has an Iranian IP address; if it does, the malware terminates itself without performing any malicious activity. If the device is not Iranian, BlackRuby extracts and executes a Monero miner, then runs a series of commands to delete Volume Shadow Copies and disable Windows recovery services. The mining programme attempts to mine as fast as possible, consuming large amounts of CPU and memory and noticeably slowing down the affected device.

BlackRuby uses hybrid RSA and AES encryption. The mining programme continues to run throughout the encryption process and persists even if the ransom is paid.
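The shadow-copy deletion and recovery-disabling step described above is the most reliable host-side detection point, because it runs before encryption completes. The following is an added example (not BlackRuby code, and not from the original advisory) that runs detection logic over constructed process-creation records; the advisory does not list BlackRuby's exact command lines, so the patterns below are generic ransomware recovery-inhibition commands (vssadmin, wmic shadowcopy, bcdedit, wbadmin), assumed here rather than taken from the page.

```python
import re

# Constructed sample records (not real telemetry), Sysmon-style process creation
# flattened to "pid|image|command line".
SAMPLE_EVENTS = [
    "4120|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "4132|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "4140|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "4150|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",  # benign admin use
    "4160|C:\\Windows\\explorer.exe|explorer.exe",
]

# Assumption: generic recovery-inhibition patterns seen across ransomware families;
# the advisory does not give BlackRuby's specific command lines.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
        re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "backup_catalog_deleted": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}

def parse_event(line):
    """Split one flattened record into its fields."""
    pid, image, cmdline = line.split("|", 2)
    return {"pid": int(pid), "image": image, "cmdline": cmdline}

def classify(cmdline):
    """Return the technique tags whose pattern matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def detect(events):
    """Return (pid, technique) pairs for every matching record."""
    hits = []
    for line in events:
        ev = parse_event(line)
        for tag in classify(ev["cmdline"]):
            hits.append((ev["pid"], tag))
    return hits

def distinct_techniques(events):
    """Count distinct recovery-inhibition techniques; two or more together is
    a much stronger ransomware signal than any single command."""
    return len({tag for _, tag in detect(events)})

if __name__ == "__main__":
    for pid, tag in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {tag}")
    print("distinct techniques:", distinct_techniques(SAMPLE_EVENTS))
```

Read-only commands such as `vssadmin list shadows` are deliberately not flagged, so the rules can be applied to noisy endpoint telemetry without alerting on routine administration.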

Affected Platforms

Microsoft Windows – All versions