Black Ruby Ransomware Targets Non-Iranian Users, Adds Coinminer

MalwareHunterTeam recently discovered a new ransomware called Black Ruby that encrypts files on a computer, scrambles the name, and appends it with a BlackRuby extension. Not only does it function as a ransomware, Black Ruby also installs a Monero cryptominer on the computer that uses as much of the CPU's resources as it can. As of this writing, Black Ruby is not decryptable.

Apart from this, a report stated that the Black Ruby ransomware only encrypts a computer if the victim's system is not from Iran. The ransom will query http://freegoip.net/json/ and check if the response contains “country_code”:”IR.” If the website indicates that the user is from Iran, the process will terminate and will not perform any malicious activity on the computer.

Adding to the malware's destructiveness, Black Ruby also installs a Monero miner on the computer before encrypting its data. The miner was likely added so attackers can still generate digital currency from infected systems even if the victim does not pay the ransom.

Trend Micro Threat Response Engineer Noel Anthony Llimos added that this malware (detected by Trend Micro as RANSOM_BLACKRUBY.THBGBI) is the first to combine the capabilities of a ransomware and coin miner. These two combined is rather unusual because the sole purpose of ransomware is to encrypt files, forcing victims to pay the attacker though extortion.

Moreover, the Black Ruby’s destructive nature is due to its mining routine, which massively slows down and overheats the victim’s computer as the CPU consumes a lot of memory to mine Monero cryptocurrency.

Llimos added that Black Ruby uses RSA+AES Hybrid Encryption, which makes the encrypted files almost impossible to decrypt via brute force. Additionally, it creates a registry that poses as a Windows Defender application. It alsodisables system recovery, deletes the shadow copy to remove backup copies, disables the Windows Error Recovery, and Windows Log Messages.

Because the malware arrives on a system as a file dropped by other malware or unknowingly downloaded by users when visiting malicious sites, users should follow these best practices to minimize the risks involved when dealing with ransomware.

Regularly back-up files
Ransomware capitalizes on fear of locking out users from their machine and results in lost access to critical data and disrupted business operations. Regularly backing up your files removes the cybercriminal’s leverage. Follow the 3-2-1 rule by creating three backups in two different formats with one stored offsite.

Update programs and operating systems
A lot of file-encrypting malware takes advantage of vulnerabilities to get into the system. Patching and keeping the operating system and its software or programs updated effectively thwarts attacks that exploit security flaws.

Cultivate a security-aware culture
Social engineering is a staple tactic for plenty of ransomware vectors, and it’s important for organizations to foster a security-aware workforce. To do this, make sure to go beyond regulatory compliance, develop and constantly fine-tune your proactive incident response and remediation strategies.

Trend Micro Ransomware Solutions

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Meanwhile, Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks.

These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.