How To Remove BlackRose Ransomware Infections (Removal Guide)

Blackrose ransomware ransom note

Researchers uncovered a new virus threat called BlackRose ransomware which is a strain of Hidden Tear that can be removed by following our removal guide.

BlackRose Ransomware Description

The newest strain of the Hidden Tear open-source malware project has been identified as the Blackrose ransomware. It is made by an unknown hacker or a hacker collective and at the moment the security analysis is still ongoing. One of the detected unusual strings reads the name Gag which is probably the alias used by the development team.

At the moment the current versions of the disccovered samples contain only a basic encryption engine. This particular strain is no different than the generic ones that were popular in the past. We suspect that the people behind it are going to release updated version which may include additional features.

Upon infection the virus engine starts the encryption process which follows the basic behavior patterns that we are used to – the Blackrose ransomware encrypts file type extensions according to a predefined built-in list. At the moment we do not have access to the extracted list of targets, however we presume that the most commonly used extensions are affected: documents, music, photos, videos, configuration files and etc.

When this process is complete the engine creates a ransoomware note in a READ_IT_FOR_GET_YOUR_FILE.txt which has the following contents:

Files has been encrypted
Send me some 1 bitcoins or more to Address BITCOIN :
3Q2hTDPt1LMAAgQsNQAPJQxb9ZiwA*****
After Payment bitcoin please send your Address Bitcoin Payment to me at
[email protected]
I will give File Decryptor for you in 24HR…

Depending on the sample it may use one of the following extensions to mark the affected data: .ranranranran, .okokokokok, .loveyouisrael, .whatthefuck. A ransomware sum of one bitcoin is extorted from the victims which is the equivalent of 1200 US Dollars.

BlackRose Ransomware Distribution

The ransomware is being distributed on various hacker-controlled sites and via email spam campaigns as instructional files. The people behind the virus are distributing it under several names:

  • how to install.pdf.exe
  • how to install.exe
  • File Decryptor.exe
  • Randomly-named files

This gives the impression that the criminals are masquerading the virus as instructional files or tutorials. Sources of infection include the following:

  • Email Spam – The hackers behind the Blackrose ransomware utilize various forms of email spam scenarios. The majority of them are phishing scams which attempt to lure the victims into infecting with the virus. Depending on the campaign the Blackrose ransomware may be attached to the message posing as a file of user interest. In other cases it is linked in the body of the messages.
  • Infected Installers – The virus can be bundled directly to software installers which provide free or trial versions of popular applications, games, updates or utilities.
  • Hacked Sites – Malicious ad networks and hacker-controlled download portals are a popular source of threats like the Blackrose ransomware. P2P networks like BitTorrent trackers are also used to spread the infection.
  • IM Messages Spam – Hackers can use messaging apps to spread spam links that redirect to the virus.
  • Direct Hacker Attacks – In many cases the computer criminals initiate automated vulnerability penetration testing attacks that can lead to a Blackrose ransomware infection.

Summary of the BlackRose Ransomware


Name
BlackRose Ransomware

File Extensions
Randomly-named extension:
.ranranranran
.okokokokok
.loveyouisrael
.whatthefuck

Ransom
One Bitcoin

Easy Solution
You can skip all steps and remove BlackRose Ransomware ransomware with the help of an anti-malware tool.

Manual Solution
BlackRose Ransomware ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

Distribution
Spam Email Campaigns, malicious ads & etc.

BlackRose Ransomware Ransomware Removal

STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.

    1) Hit WIN Key + R

Windows-key-plus-R-button-launch-Run-Box-in-Windows-illustrated

    2) A Run window will appear. In it, write “msconfig” and then press Enter
    3) A Configuration box shall appear. In it Choose the tab named “Boot
    4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
    5) Apply -> OK

Or check our video guide – “How to start PC in Safe Mode with Networking

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on “Organize” button
      – Select “Folder and search options
      – Select the “View” tab
      – Go under “Hidden files and folders” and mark “Show hidden files and folders” option

    3) Windows 8/ 10

      – Open “View” tab
      – Mark “Hidden items” option

    show-hidden-files-win8-10

    4) Click “Apply” and then “OK” button

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Get over to “Processes
    3) When you find suspicious process right click on it and select “Open File Location
    4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process
    5) Next you should go folder where the malicious file is located and delete it

STEP IV: Remove Completely BlackRose Ransomware Ransomware Using SpyHunter Anti-Malware Tool

Manual removal of BlackRose Ransomware requires being familiar with system files and registries. Removal of any important data can lead to permanent system damage. Prevent this troublesome effect – delete BlackRose Ransomware ransomware with SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

STEP V: Repair Windows Registry

    1) Again type simultaneously the Windows Button + R key combination
    2) In the box, write “regedit”(without the inverted commas) and hit Enter
    3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
    4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Further help for Windows Registry repair

STEP VI: Recover BlackRose Files

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

How To Restore BlackRose Files

    1) Use present backups
    2) Use professional data recovery software

      Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
    3) Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps


restore-files-using-system-restore-point

    4) Restore your personal files using File History

      – Hit WIN Key
      – Type “restore your files” in the search box
      – Select “Restore your files with File History
      – Choose a folder or type the name of the file in the search bar

    restore-your-personal-files-using-File-History-bestecuritysearch

      – Hit the “Restore” button

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts