Black Ruby: Combining Ransomware and Coin Miner Malware

Black Ruby Ransomware and Coin Miner

In the midst of all the news and hype surrounding cryptocurrency, we’ve seen several coin miner malware programs popping into the wild, infecting a number of computers on the internet. There’s been an upsurge in coin miner malware that victimizes individual PCs and businesses using the same techniques and exploits that were previously attributed to distributed ransomware. With all this happening, the cybersecurity industry started speculating that there is a shift from ransomware to coin miners as the preferred choice of payload for cybercriminals.

Interestingly, we found a new ransomware called Black Ruby that adds coin mining as a module on top of its ransomware capabilities.

SpriteCoin Ransomware

The new SpriteCoin ransomware (also known as MoneroPay) leverages a novel social engineering technique – posing as a new cryptocurrency called SpriteCoin. It packs a one-two punch as well, combining a cryptolocker and password stealer in a single application.

The link to the SpriteCoin homepage was published on the bitcointalk.org forum and spread among users interested in new cryptocurrencies. The topic was removed when its malicious nature was revealed, but let’s take a look at the details.

Rapid Ransomware

The Rapid ransomware variant began attacking victims at the end of December 2017, according to MalwareHunterTeam's ID Ransomware service. This strain is interesting and unique because it keeps running even after the initial encryption is completed, and continues to encrypt new files as they are created. Our team analyzed a new sample that was compiled a week ago.