{
	"id": "0fcfd170-d7f4-4f8a-97e6-357251271de7",
	"created_at": "2026-04-06T00:07:35.373729Z",
	"updated_at": "2026-04-10T13:12:34.550577Z",
	"deleted_at": null,
	"sha1_hash": "0254c46907c6b41896d633f665ef1a695d3cbaa5",
	"title": "Black Ruby: Combining Ransomware and Coin Miner Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66404,
	"plain_text": "Black Ruby: Combining Ransomware and Coin Miner Malware\r\nBy Ravikant Tiwari\r\nArchived: 2026-04-02 11:04:32 UTC\r\nIn the midst of all the news and hype surrounding cryptocurrency, we’ve seen several coin miner malware programs popping into the wild, infecting a number of computers on the internet. There’s been an upsurge in coin miner malware that victimizes individual PCs and businesses using the same techniques and exploits that were previously attributed to distributed ransomware. With all this happening, the cybersecurity industry started speculating that there is a shift from ransomware to coin miners as the preferred choice of payload for cybercriminals.\r\nInterestingly, what we found was a new ransomware called Black Ruby that adds coin mining as a module on top of its ransomware capabilities. Attackers are optimizing their attack methodology to maximize the profits they make from their victims. Rather than a focus on one type of attack, this indicates a rise in both ransomware and coin miners.\r\nTechnical Analysis\r\nBlack Ruby was discovered earlier this month. The first VirusTotal submission was dated 2018-02-04 09:50:37, just the day after it was compiled according to the timestamp in the PE header. A new variant of Black Ruby with some minor changes was also discovered a few days later.\r\nFigure 1: Timestamp in PE header\r\nThe ransomware identifies itself as Microsoft Windows Defender, using file names like “Windows Defender.exe” or “WINDOWSUI.EXE”. The image below shows the details from the file’s version info.\r\nFigure 2: File version details\r\nThe malware binary (MD5: 81E9036AED5502446654C8E5A1770935) is a .NET executable that is obfuscated using Babel Obfuscator.\r\nIt encrypts user files using RSA and AES. The Monero miner module is contained in an encrypted form within the resource directory, which is then decrypted and deployed during execution.\r\nGeoIP and Environment Checks\r\nIt starts by creating a mutual exclusion object (mutex) with the name \"TheBlackRuby\" and exits if the name already exists, to ensure that only one instance of the application is running. The next check determines the machine’s country, which is done by connecting to “http://freegeoip.net/json/”. If the response contains Iran’s country code, the malware stops and exits.\r\nFigure 3: Snippet to fetch country codes\r\nInstallation and Persistence\r\nBlack Ruby adds the following registry keys to maintain persistence:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\BlackRuby ‘Install’ = ‘Max’\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run ‘Windows Defender’ = ‘C:\\Windows\\system32\\BlackRuby\\WindowsUI.exe’\r\nhttps://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware\r\nPage 1 of 4\r\nIf Key 1 (the HKEY_CURRENT_USER ‘Install’ value) is already present on the machine, the malware just starts the coin miner executable (shown in the following code snippet) that it would have deployed earlier, during its first run when the install key was not present. The CreatePersistence() function generates the above-mentioned registry keys; it returns “false” if Key 1 was not found and “true” otherwise.\r\nFigure 4: Part of void main() function\r\nDeployExecutables() creates a new directory named “BlackRuby” in the system directory (“C:\\Windows\\System32”), copying the main executable with the name “WindowsUI.exe” and adding the coin miner executable (decrypted from the resource directory) as “Svchost.exe”.\r\nFigure 5: Copying executables\r\nAfter successfully deploying its malicious executables, Black Ruby executes the RansomwareMain() function, which is responsible for key generation, deleting shadow copies of the user’s files, clearing event logs, modifying boot status policies, and encrypting the user’s files.\r\nKey Generation\r\nBlack Ruby uses an AES symmetric cipher to encrypt user files. Unlike other ransomware strains, which use per-file AES keys and session RSA keys for stronger encryption, Black Ruby uses the same AES key to encrypt all files on the system.\r\nThe AES encryption uses the following configuration:\r\nThe file encryption AES key is generated by combining a random password, computed once on each machine, with other artifacts like the machine name and the count of logical drives, in the following format.\r\n\u003crandom_password\u003e-\u003cmachine_name\u003e:\u003clogical_drive_count\u003e (e.g.: \u003ex6Ru@ufT4@lxsYkgj$X)OzuIVs\u0026MjV\u0026pUkf7rVJ7h8X\u003eBMZuNVrbqurR-DESKTOP_XXXXXXX:2)\r\nThis AES key is then encrypted with a master RSA public key that is hardcoded in the binary in its base64 form. The encrypted AES key is converted to base64, which is then transformed into its hexadecimal representation and written to the ransomware “Help” file, HOW-TO-DECRYPT-FILES.txt, along with other ransom notes. These help files are present in each directory containing encrypted user files.\r\nFigure 6: Decoded Master RSA public key\r\nFigure 7: AES key in its encrypted form\r\nFile Encryption\r\nThe Black Ruby ransomware enumerates all files on fixed, removable and network drives, and encrypts only those whose types are included in the list of extensions hardcoded in the binary and whose file size is less than 512 MB. It also skips files with a name longer than 255 bytes. If a file has the extension “bkf”, it is deleted.\r\nFigure 8: Drive enumeration routine\r\nBlack Ruby reads the full file into a memory array and appends the original file name at the end, before passing it to the AES encryption routine. After encryption, the original file content is overwritten with the encrypted content and the file is moved into the same directory with a random file name in the following format.\r\nEncrypted_\u003crandom_string\u003e.BlackRuby (e.g. Encrypted_VdGcVZ7RUKFUYvYk6gZCVTNLkNsUin5SuvmfovndF.BlackRuby)\r\nUnfortunately, if an exception occurs while modifying any file attributes or during the encryption process, the file gets deleted from the machine.\r\nFigure 9: File attribute modification, Encryption and Move operation\r\nFigure 10: File structure after encryption.\r\nBlack Ruby does not encrypt files present under these folders:\r\n\"Windows\", \"Program Files\", \"ProgramData\", \"PerfLogs\", \"$Recycle.Bin\", \"Microsoft\", \"Microsoft Help\", \"Microsoft App\", \"Certification Kit\", \"Windows Defender\", \"ESET\", \"COMODO\", \"Windows NT\", \"Windows Kits\", \"Windows Mail\", \"Windows Media Player\", \"Windows Multimedia Platform\", \"Windows Phone Kits\", \"Windows Phone\", \"Silverlight Kits\", \"Temp\", \"Windows Photo Viewer\", \"Windows Protable Devices\", \"Windows Slidebar\", \"WindowsPowerShell\", \"NVIDIA Corporation\", \"Microsoft.NET\", \"Internet Explorer\", \"McAfee\", \"Avira\", \"spytech software\", \"sysconfig\", \"Avast\", \"Dr.Web\", \"Symantec\", \"Symantec_Client_Security\", \"system volume information\", \"AVG\", \"Microsoft Shared\", \"Common Files\", \"Outlook Express\", \"Movie Maker\", \"Chrome\", \"Mozilla Firefox\", \"Opera\", \"YandexBrowser\", \"ntldr\", \"Wsus\", \"!!AntiCrypto!!\", \"Public\", \"BlackRuby\"\r\nTable 1: Excluded folders\r\nFigure 11: List of extensions\r\nRemoving Shadow Copies and Covering Tracks\r\nBlack Ruby executes the following commands in sequence to remove automatic backups created by the Windows Volume Shadow Copy Service, and to delete the event logs from the machine.\r\nFigure 12: List of executed commands\r\nIt also terminates any process that contains “sql” in its name. This full routine is executed before the file encryption process.\r\nRansom Notes\r\nA ransom note, HOW-TO-DECRYPT-FILES.txt, is created in all the directories containing encrypted user files.\r\nFigure 13: Ransom Note part 1\r\nFigure 14: Ransom Note Part 2\r\nDecryption\r\nThere is no free decryption tool available for this ransomware yet. The only way to get files back is to follow the instructions provided in the ransom note and pay the attacker the equivalent of $650 in bitcoins. However, paying attackers is not encouraged.\r\nAttackers offer free decryption for two files smaller than 5 MB, which you can send to their email address along with the Identification Key mentioned in the ransom note.\r\nFigure 15: Decryption instruction in ransom note\r\nCoin Miner\r\nFinally, Black Ruby calls ExecuteMiner() to launch the Monero miner (Svchost.exe) that it deployed earlier. The Monero miner executable turns out to be the XMRig CPU miner that is publicly available on GitHub.\r\nFigure 16: Svchost.exe file version details\r\nFigure 17: Function to execute Monero miner\r\nWhere:\r\n URL = \"de01.supportxmr.com\"\r\n port = \"3333\"\r\n UserName = \"43DmqxU4LzuTrmA8GLZ7S5J6w32bwCavX9bhvCiSEwwebfn4TCYRAxmPtWTZq9iQ1F6XYsktJEYBYDkhKu4KXw6\r\nIt uses the Stratum mining protocol for pooled mining. The username is the wallet address of the attacker, the system’s user name is the worker or mining identifier, and the machine name is the password.\r\nFigure 18: Monero wallet info\r\nConclusion\r\nBlack Ruby uses the de facto international standard for encryption and there is no way to recover files once they are encrypted unless the user has proper backups in place.\r\nAcronis True Image 2018 and our other products with Acronis Active Protection enabled will prevent Black Ruby and other ransomware from encrypting your valuable data, stop money from being mined for attackers, and ensure that you have the ability to restore encrypted files.\r\nBlack Ruby detected\r\nBlack Ruby blocked\r\nSource: https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware"
	],
	"report_names": [
		"black-ruby-combining-ransomware-and-coin-miner-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0254c46907c6b41896d633f665ef1a695d3cbaa5.pdf",
		"text": "https://archive.orkl.eu/0254c46907c6b41896d633f665ef1a695d3cbaa5.txt",
		"img": "https://archive.orkl.eu/0254c46907c6b41896d633f665ef1a695d3cbaa5.jpg"
	}
}