

Scarab or ScarabLocker is a ransomware that runs on Microsoft Windows. It was discovered by Michael Gillespie. It is believed to be a HiddenTear variant. It is aimed at English-speaking users.

Payload

Transmission

Scarab is distributed by hacking through an insecure RDP configuration. It can also be spread using email spam and malicious attachments, deceptive downloads, botnets (Necurs and others), exploits, web injects, fake updates, and repackaged and infected installers.

The emails delivering the Scarab ransomware followed a pattern seen in the past with Necurs spam. The email subjects gave the illusion the attached documents were images of scanned documents. The most popular subject lines seen were:

    Scanned from Lexmark
    Scanned from HP
    Scanned from Canon
    Scanned from Epson

These emails carried a 7Zip archive that contained a Visual Basic script. The script would download and run an EXE file: the Scarab ransomware.

This Visual Basic script contained the same Game of Thrones references that were seen in September in Necurs campaigns that pushed Locky.
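A mail-gateway heuristic for the campaign pattern described above, as an added example that is not part of the original page. It flags a message only when one of the listed subject lines and a 7Zip attachment both appear; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Subject lines listed on this page for the Necurs-delivered Scarab spam.
SUBJECT_RE = re.compile(r"^\s*Scanned from (Lexmark|HP|Canon|Epson)\s*$", re.I)

def scarab_spam_indicators(raw_message):
    """Return the campaign traits from this page that the message matches."""
    msg = message_from_string(raw_message)
    hits = []
    # Decode RFC 2047 encoded-words so an encoded subject cannot dodge the regex.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    # Walk every MIME part and look at the declared attachment file name.
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".7z"):
            hits.append("7z-attachment")
            break
    return hits

def should_quarantine(raw_message):
    # Require both traits so that neither a subject match nor a 7Zip
    # attachment alone triggers the rule.
    return set(scarab_spam_indicators(raw_message)) == {"subject", "7z-attachment"}

# Constructed sample message (addresses, file name and body are placeholders).
SAMPLE = """\
From: copier@example.test
To: user@example.test
Subject: =?utf-8?q?Scanned_from_HP?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the scan attached.
--b1
Content-Type: application/x-7z-compressed
Content-Disposition: attachment; filename="scan_0001.7z"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```

The check reads only the subject and the declared attachment name, so it can run before any archive is unpacked.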

Infection

In its infection process, Scarab will scan the victim's computer in search of certain file types and then encrypt them using a strong encryption algorithm. Scarab will encrypt files with 3,514 extensions.

After encrypting the victim's files, Scarab will create a ransom note, which will take the shape of a text file dropped on the infected computer's desktop and in directories where Scarab encrypted content. During its attack, Scarab also will interfere with alternate recovery methods, deleting the Windows Restore points and the Shadow Volume Copies that could be used to restore the affected files to their former states.

The text file used to deliver Scarab's ransom note is titled 'IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT' and contains the following message:

*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
-----BEGIN PERSONAL IDENTIFIER-----
**************************************
-----END PERSONAL IDENTIFIER-----
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: qa458@yandex.ru
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information 
(databases, backups, large excel sheets, etc)..
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
'Buy bitcoins', and select the seller by payment method and price:
hxxps://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) 
or you can become a victim of a scam.

Variants

  • Scorpio: It is believed to be the first update to the original variant of Scarab ransomware. Its most noticeable feature is that it compromises the computer in several distinct stages. First, it settles on the computer with the help of bogus scripts executed via Command Prompt Admin. The next phase is data encryption: Scorpio scans the system for targeted files, applies the AES cipher to lock them, and appends the .[Help-Mails@Ya.ru].scorpio file extension to distinguish them from the others. The final phase is informative: Scorpio generates a ransom note named IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt. The file contains a unique victim ID and contact information, including email addresses (Help-Mails@Ya.Ru and alexous@bk.ru).
  • Crypto: It is the name of the next Scarab ransomware version detected in the second half of March 2018. Just like its ancestors, it uses AES cryptography and targets the most popular file types. Its distinctive feature is a .crypto file extension and HOW TO RECOVER ENCRYPTED FILES.TXT file. It instructs the victim to email Scarab-Crypto ransomware developers via anticrypto@protonmail.com and indicate a personal identification number.
  • Amnesia: Not to be confused with Amnesia (Globe), it was spotted at the end of March 2018. This version spreads via the Necurs botnet and executes its payload when the potential victim extracts a 7Zip email attachment. Like other Scarab versions, it uses the AES-256 encryption algorithm. However, it can easily be distinguished from the rest of the Scarab versions by the .amnesia file extension added to locked files. The list of targeted files:
.Png, .psd, .pspimage, .tga, .thm, .tif, .tiff, .yuv, .ai, .eps, .ps, .svg, .indd, 
.pct, .pdf, .xlr, .xls, .xlsx, .accdb, .db, .dbf, .mdb, .pdb, .sql, .apk, .app, 
.bat, .cgi, .com, .exe, .gadget, .jar, .pif, .wsf, .dem, .gam, .nes, .rom, .sav, 
.dwg, .dxf, .gpx, .kml, .kmz, .asp, .aspx, .cer, .cfm, .csr, .css, .htm, .html, 
.js, .jsp, .php, .rss, .xhtml, .doc, .docx, .log, .msg, .odt, .pages, .rtf, .tex, 
.txt, .wpd, .wps, .csv, .dat, .ged, .key, .keychain, .pps, .ppt, .pptx, .ini, .prf, 
.hqx, .mim, .uue, .7z, .cbr, .deb, .gz, .pkg, .rar, .rpm, .sitx, .tar.gz, .zip, 
.zipx, .bin, .cue, .dmg, .iso, .mdf, .toast, .vcd, .sdf, .tar, .tax2014, .tax2015, 
.vcf, .xml, .aif, .iff, .m3u, .m4a, .mid, .mp3, .mpa, .wav, .wma, .3g2, .3gp, .asf, 
.avi, .flv, .m4v, .mov, .mp4, .mpg, .rm, .srt, .swf, .vob, .wmv, .3d, .3dm, .3ds, 
.max, .obj, .r.bmp, .dds, .gif, .jpg, .crx, .plugin, .fnt, .fon, .otf, .ttf, .cab, 
.cpl, .cur, .deskthemepack, .dll, .dmp, .drv, .icns, .ico, .lnk, .sys, .cfg.
  • Please: At the end of March 2018, security experts discovered Please, which uses AES encryption to modify targeted files. It appends the .please file extension to targeted data and drops a ransom note “HOW TO RECOVER ENCRYPTED FILES.TXT” on the desktop. This message tells the victim to email decry1@cock.li or decry2@cock.li to contact its developers and get further instructions for recovering the affected files. The cybercriminals also claim that the victim can test the decryption procedure to confirm that it is possible. However, we do not recommend contacting hackers.
  • Decrypts: It is more or less similar to its ancestors, though it uses different file extensions and a different ransom note. Written in Delphi, it uses the AES-256 cipher to attack the victim's files and render them useless by altering their file extension. Following the encryption phase, each locked file gets either the .decrypts @ airmail.cc or the .decryptsairmail.cc file extension. Consequently, the owner cannot use them in any way. The Scarab-Decrypts ransomware provides its victims with a ransom note called HOW TO RECOVER ENCRYPTED FILES-decrypts@airmail.cc.TXT. It does not say much, except that the files have been encrypted, and it asks the victim to contact decrypts@airmail.cc and provide a unique identification number for further instructions.
  • Horsia: It was spotted at the beginning of May 2018. Disguised as 7Zip and otherwise named email attachments, the ransomware targets English-speaking PC users. Once it is installed, malicious processes start running in the background to protect the Horsia ransomware from removal.

Encrypted files are easy to notice as they get the .horsia@airmail.cc file extension, which cannot be modified manually. In addition, each folder, including the desktop, contains a HOW TO RECOVER ENCRYPTED FILES.TXT file explaining the current situation, including payment and contact information.

  • Walker: It changes all media, video, text and other personal files and makes them unusable by adding the .JohnnieWalker extension.

As usual, after data encryption, Walker drops a ransom note in the .txt format, explaining the situation to the user. Hackers demand payment in Bitcoins. Soon after the ransom is paid, users are prompted to e-mail JohnnieWalker@firemail.cc and include their personal ID. Additionally, cybercrooks offer to unlock one file to prove that data is decryptable.

  • Fastrecovery@airmail.cc: It drops a ransom note HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT into each folder, which explains that files were encrypted using the RSA-2048 cipher. The only way to recover locked files is said to be a special decryption key that is stored by criminals on a remote server.
  • Osk: It encrypts data using the AES cipher and uses the .osk extension to mark every affected file. In the HOW TO RECOVER ENCRYPTED FILES.txt message, hackers ask for 0.013 Bitcoin to be paid and then an email to be sent to translatos@protonmail.com for further instructions and the decryptor.
  • DiskDoctor: Unlike previous variants, this one appends the .DiskDoctor file extension to the targeted files. But it still displays data recovery instructions in the text file called “HOW_TO_RECOVER_ENCRYPTED_FILES.txt”.

In the ransom note, crooks tell victims to contact them via the DiskDoctor@protonmail.com email address in order to learn about data recovery possibilities. However, we do not recommend trying to get back your files in this way. Crooks will demand a transfer of a few hundred dollars in Bitcoins in order to get a decryption tool.

  • Good: In June 2018, researchers detected a few versions of Scarab, and this one is decryptable with Dr. Web. “.good” is the file extension that the virus adds to modified files and “filedecryption@prorotnmail.com” is the contact email address. As is typical for the Scarab family, the ransom note is placed in the file “HOW_TO_RECOVER_ENCRYPTED_FILES.txt”. It contains information about the encryption and what to do, but no specifics about the ransom or decryption. This version came to light alongside other ones.
  • Leen: It encrypts files and adds the .leen extension. As soon as that is complete, a ransom note is placed in every folder. “INSTRUCTIONS FOR RESTORING FILES.TXT” contains information about the attack:
Contact us using this email address: mr.leen@protonmail.com

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).
  • Danger: This variant uses the RSA-2048 encryption algorithm. “.fastrecovery@xmpp.jp” is the file extension that this virus adds after the modification is complete. The typical “HOW_TO_RECOVER_ENCRYPTED_FILES.txt” ransom message is placed in pretty much every folder on the PC. Information about changing contacts and the encryption method is the main useful content of the note.
  • Oneway: This version targets Russian speakers: it adds the “.oneway” file extension, and the ransom note is called “Расшифровать файлы oneway.TXT”. The email address “bm15@horsefucker.org” is provided in the message, and the note contains more information about test decryption and the attack itself.
  • BtcKING: Encryption is done in a similar way, and the “.BtcKING” file extension looks like those of previous versions. This variant also places a ransom message called “How To Decode Files.txt” in every existing folder on the system and on the desktop.
  • Bomber: It targets Russian victims. This ransomware appends the “.bomber” file extension to photo, video, text and other files, so it is easy to tell which ones are modified. After the encryption process is completed, the virus creates a ransom note “HOW recover encrypted FAYLY.TXT” where the user can find more details about the attack. This is placed on your desktop and in every folder where you can find modified files. This version displays soft2018@tutanota.com; soft2018@mail.ee; newsoft2018@yandex.by as possible contact emails.
  • JungleSec: Encryption appends the “.jungle@anonymousspechcom” extension to modified files. After that, the ransom note “ENCRYPTED.md” is placed in multiple places on the system. In this file, the user can discover that the virus developers demand 0.3 in Bitcoin and state their contact email as “junglesec@anonymousspeech.com”, which the user is told to contact after the payment is done.
  • Recme: After the encryption process, during which “.recme” file extension is placed on your photos, videos, text or archive files, this ransomware creates ransom message called “HOW_TO_RECOVER_ENCRYPTED_FILES.txt.”. In this message, the user can find more details about the cyber attack.
  • Dan: This version of Scarab ransomware, which came alongside the previous five, is the one that adds the “.dan@cock.email” file extension to targeted files. These can be anything from images, photos or videos to text files or even archives. After this modification is complete, the user can find the ransom note file “HOW TO RECOVER ENCRYPTED FILES-dan@cock.emai.TXT”. This is a ransom message that often contains various information about the initial attack and instructions for the victim.
  • Recovery: It is written in the Delphi programming language and uses AES to lock up data. The crypto-virus adds the .BD.Recovery extension to each affected file and drops a ransom note “HOW TO RECOVER FILES.TXT”, which states that victims should email the crooks via bd.recovery@aol.com or bd.recovery@india.com.
  • Turkish: This variant focuses on Turkish users. However, all the Turkish characters were replaced by English letters, making it impossible to understand. The virus uses AES to encrypt data and adds the [Firmabilgileri@bk.ru] appendix to each of the affected files, which is also a contact email of the cybercriminals.
  • Barracuda: It encrypts files and adds .BARRACUDA file extension. The virus is closely related to Rebus and can be decrypted.
  • zzzzzzzz: This variant appends the .zzzzzzzz file extension after using an encryption algorithm to scramble the contents of individual files. The keys required to unlock encrypted files are saved on external servers which can be reached only by the cybercriminals. According to the ransom note, victims have 5 days to unlock files by paying a ransom. The payment should be made in either Bitcoin or Dash cryptocurrency.
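A triage helper built from the variant list above, as an added example that is not part of the original page. Given a file listing from an affected Windows host, it counts encrypted files per Scarab variant and lists the folders that hold a ransom note. The extension table is a subset copied from this page, and the function name and sample paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Appended extensions copied from this page's variant list (subset; extend as needed).
VARIANT_SUFFIXES = {
    "Scorpio": ".[Help-Mails@Ya.ru].scorpio",
    "Crypto": ".crypto",
    "Amnesia": ".amnesia",
    "Horsia": ".horsia@airmail.cc",
    "Walker": ".JohnnieWalker",
    "DiskDoctor": ".DiskDoctor",
    "Recovery": ".BD.Recovery",
}
# Ransom-note name stems from this page, normalised to upper case with spaces.
NOTE_STEMS = (
    "IF YOU WANT TO GET ALL YOUR FILES BACK",
    "HOW TO RECOVER ENCRYPTED FILES",
    "INSTRUCTIONS FOR RESTORING FILES",
)
# Longest suffix first, so a multi-part extension is never shadowed by a shorter one.
_ORDERED = sorted(VARIANT_SUFFIXES.items(), key=lambda kv: -len(kv[1]))

def triage(paths):
    """Count encrypted files per variant and list folders holding a ransom note."""
    variants, note_dirs = Counter(), set()
    for raw in paths:
        path = PureWindowsPath(raw)
        # Notes appear with spaces or underscores and an optional "-<email>" tail.
        norm = re.sub(r"[_\s]+", " ", path.name.upper())
        if norm.endswith(".TXT") and norm.startswith(NOTE_STEMS):
            note_dirs.add(str(path.parent))
            continue
        lowered = path.name.lower()
        for variant, suffix in _ORDERED:
            if lowered.endswith(suffix.lower()):
                variants[variant] += 1
                break
    return {"variants": dict(variants), "note_dirs": sorted(note_dirs)}

# Constructed sample listing (not from a real host).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.amnesia",
    r"C:\Users\alice\Documents\notes.txt.AMNESIA",
    r"C:\Users\alice\Documents\HOW TO RECOVER ENCRYPTED FILES.TXT",
    r"C:\Users\alice\Pictures\cat.jpg.amnesia",
    r"C:\Users\alice\Pictures\dog.jpg",
]
```

Matching is case-insensitive and treats underscores and spaces in note names as equivalent, since the page shows both spellings across variants.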