How to remove Black Ruby virus and restore encrypted files

If you fell a victim of a ransomware and you know that it is the Black Ruby ransomware – on this website you will find help. We suggest simple and tested tips about Black Ruby uninstalling and potential manners to get back the wasted data.

What is Black Ruby

Ransomware is a bogey of a recent society, and we all know that if you can not access your information and there's a ransom note – it’s time to worry. It’s a true, unfortunately. An encrypting virus is the ugliest threat that you can meet on the Internet since a regular user has no resources to delete it. The exclusive situation when you're able to defeat an encrypting virus is when you are not facing a true one, but a screenlocker, that blocks the display and attempts to deceive you into making a payment. In any other event, if a virus was developed and protected in a right method – you can only trust that virus fighters will deal with it. If swindlers failed somehow, and a ransomware has any drawbacks, that give you an ability to get back files – we’ll explain to you what to do on this page.



So, what we'd find if we take a glance inside a ransomware? It is founded on a completely legal cryptography system which modifies all folders on operator’s workstation, so you can't use them in any approach. The key is encrypted too, but with another method. Usually, fraudsters favour RSA and AES manners, which are famous for their complexity and reliability. These manners and the tools based on them are in public access in the Web, so swindlers only need to add defensive techniques, to restrict an admittance to a virus, and make the reliable control and update system. Some viruses might act off-line, and fraudsters know about a new victim not before he approaches them and sets off his funds. Other encrypting viruses are very active, and send reports to hundreds servers, to confuse the malware-fighters and throw them off virus’ track.

Virus type does not actually matter, as the RSA and AES algorithms are too tricky difficult to break them directly. It it requires centuries to execute all needed operations on a usual machine and, possibly, twenty or thirty years in case of usage of a super-powerful computer. We know only two solid ways to beat a ransomware: to find vulnerabilities in its code, or hack its database, to receive encryption keys. In rare cases there is a breaker, allowing to cease virus' operation in full or to make it pass a particular device. If anyone finds that breaker for Black Ruby, or publish a decryption software, we'll give you full info in this article.


There are some possibilities to inspect, before you can yield and look for a decryptor. As we said earlier, scammers also fail, and some characteristics of your Windows may help you to recover files.


  • If you have a copy of your info, kept on the outer flash drive – you might eliminate Black Ruby and load it. Ensure that Black Ruby is uninstalled entirely, because if it’s not – all info will be encrypted again, including the files that are on an outer hard disc.
  • If you don't employ the system via an administrator's entry – you should congratulate yourself. The catch is that your OS creates backups of all information prior to they’re deleted or modified. Those copies are called Shadow Volume Copies, and Black Ruby has the methods to eliminate them. If you're employing the user's account – the system requests for a permission at the exact moment Black Ruby goes to delete shadow copies. In case you've seen suchlike thing and declined it – it means that the copies are fine, and could be used to restore the information.


If both of written above advice didn't work and there is no way to restore the files – you better delete Black Ruby from the system and wait until a decryptor will be published.

How to remove Black Ruby

As for the elimination – there’s no chance to completely avoid an installation of software. Black Ruby is very tricky and you could miss some elements and then regret it (for example, when you line up a flash data storage with your saved information to a not-totally-purged PC). It also conceals very well, and you just can't eliminate it totally in manual mode. Knowing this, we’ve made a decent deletion specification which will suit all your needs. It has several manual stages and an extra antivirus program stage.

Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus

Here's Spyhunter AntiMalware that is not simply efficient, but also fast and constantly advancing tool that will clear your PC of all unwanted programs. Click the link below to try Spyhunter and eliminate the virus.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files

As you got rid of Black Ruby, it's time for the file recovery. As we said earlier, if you logged in from an admin account and you let the virus an access to the system – there is no way to restore your files except for the previously saved copies. If you don't remember this – you have poor odds for file recovery, but it will require specific recovery tool. The most effective ones of them are Recuva or ShadowExplorer programs. You can find these tools easily on their official pages, with thorough instructions.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 0.00 [0 Votes]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience