How to remove BlackRuby2 virus and restore encrypted files

If you've encountered an encrypting virus and have reason to believe that it is the BlackRuby2 virus, this article will help. We offer simple and effective tips for removing BlackRuby2 and practical methods to recover the encrypted data.

What is BlackRuby2

Encrypting viruses are a bogeyman for everyone, and we all know that if a pop-up says "files are encrypted", things are getting ugly. Unfortunately, that is the right reaction. An encrypting virus is the worst threat you may face on the Internet, since an ordinary user has no power to uninstall it. The only situation in which you can beat ransomware is when you're not dealing with a real one but with a dummy that blocks your display and tries to lure money out of you. In all other cases, if the ransomware was developed and configured properly, you can only trust that specialists will beat it. If the swindlers made an error and there are flaws that allow you to get your information back, we'll explain what you can do in this article.



What would we see if we looked inside BlackRuby2? It is built upon a completely legitimate encryption system that encrypts the files on the user's machine and makes them unreadable without the key. The key is itself encrypted with another method. As usual, fraudsters favour the RSA and AES algorithms, which are known for their complexity and reliability. These algorithms and the software based on them can easily be found on the Internet, so scammers only need to develop defensive techniques that block access to the ransomware and to set up a flawless update and control scheme. Some pieces of ransomware work in standalone mode, and the criminals learn about another victim only when he contacts them and sends his money. More complex viruses work differently and send files to hundreds of addresses to confuse malware fighters and throw them off the virus's track.

Regardless of the kind of virus, the AES and RSA algorithms are too complex to brute-force. It would take thousands of years to perform all the necessary operations on an ordinary device or, maybe, twenty or thirty years on a super-powerful computer. There are two effective ways to defeat encrypting malware: to hack into it, or to break into its server and obtain a master key. Some viruses also have a kill switch that can stop the ransomware's activity completely or leave a particular device unharmed. If someone discovers such a kill switch for this ransomware, or develops decryption software, we'll provide full information in this guide.


Here we've gathered a few options to check before you give up and wait for a decryption tool. As stated above, fraudsters also make mistakes, and certain features of the system may help you recover your information.


  • If you use an account without administrator rights, it's time to congratulate yourself. The system keeps copies of all files until they are deleted or changed. Those backups are known as SVC (shadow copies), and BlackRuby2 knows how to delete them. If you are working under a standard user account, the system asks for permission at the very moment BlackRuby2 tries to remove the shadow copies. If you've seen such a window and did not confirm it, the copies are safe and can be used to recover the files.
  • A backup is the only 100% effective way to get the files back, but you should get rid of the virus first. Make sure that the ransomware is eliminated entirely, because if it isn't, all data will be encrypted again instantly, including data kept on a flash drive.


If you have tried all these options and still cannot restore the lost data, you should remove BlackRuby2 from the machine and wait for a decryption tool to be published.

How to remove BlackRuby2

Unfortunately, you can't do without automated removal entirely. This ransomware is too cunning, and you might miss some of its parts and then suffer for it (for example, when you connect a flash drive holding your saved data to a computer that is not fully clean). It also hides damn well, so you simply can't get rid of it completely by hand. For this reason, we've created an effective removal instruction that can help you deal with this issue. It has several manual phases and an extra antivirus phase.

Removal instruction

If you are a Mac user, follow this guide: how to decrypt files on Mac.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

  • Select Boot tab

  • Select Safe boot and press OK

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

  • Select Appearance and Personalization

  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

  • Press OK


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to the %SystemRoot%\System32\drivers\etc\ folder
  • Open the hosts file using Notepad or another text editor
  • Delete suspicious entries
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean the startup registry keys:
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
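
Before deleting anything in Regedit, it helps to see what these locations actually contain. The following PowerShell is an added example, not part of the original guide: it lists every value under the keys above without changing them, marks commands that launch from the Step 3 folders, and compares Userinit with its default. Treating those folders (plus the system temp folder) as a warning sign is an assumption of this example.

```powershell
# Added example: read-only listing of the startup locations from Step 5.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($leaf in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        '{0}\Software\Microsoft\Windows\CurrentVersion\{1}' -f $hive, $leaf
    }
}
# Step 3 folders plus the system temp folder (an assumption of this example)
$watchDirs = @($env:TEMP, $env:ProgramData, (Join-Path $env:SystemRoot 'Temp')) |
    Where-Object { $_ }

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # some of these keys may not exist
    $regKey = Get-Item -LiteralPath $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($valueName)    # environment variables are expanded
        $hit = $watchDirs | Where-Object {
            $command.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        [pscustomobject]@{
            Key          = $key
            Name         = $valueName
            Command      = $command
            InWatchedDir = [bool]$hit
        }
    }
}
$entries | Sort-Object InWatchedDir -Descending | Format-List

# Winlogon\Userinit normally holds only the path to userinit.exe followed by a comma
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $winlogon -Name Userinit).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$extra = $userinit -split ',' | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -ne $expected }
if ($extra) {
    "Unexpected Userinit entries: $($extra -join '; ')"
} else {
    "Userinit is the default: $userinit"
}
```

Save the output before editing the registry so that a wrongly removed entry can be restored.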

Step 6. Scan computer with antivirus

Here's Spyhunter AntiMalware, which is not only effective but also a lightweight and continuously developed program that will clean your device of all unwanted programs. Use Spyhunter to remove BlackRuby2.


The SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase the full version of the program for $39.99.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Clear the check box next to Safe boot

How to restore files

Once you have cleared your computer of BlackRuby2, you should try to recover the files. As we said above, if you use an administrator account and allowed BlackRuby2 access to the PC, there is no way to get the files back other than from previously saved copies. If that didn't happen, you have poor odds of file recovery, and you will need a specific recovery tool. We recommend trying the ShadowExplorer and Recuva tools. You can get these programs from the official sites of their developers, along with detailed instructions.

  • Click Start
  • Click Control Panel

  • Click System and Security

  • Select Backup and Restore

  • Select Restore files from backup
  • Select the checkpoint to restore

