The Scarab ransomware, first discovered in June 2017, was recently distributed in a campaign of around 12.5 million emails sent by the Necurs botnet.
Necurs is a prevalent malware distributor. It commands up to 6 million zombie endpoints, delivers some of the worst banking Trojans and ransomware threats in batches of millions of emails at a time, and has kept reinventing itself since the start of its operations.
Necurs has been the distributor of notorious malware such as the Dridex banking Trojan, the Trickbot banking Trojan, Locky ransomware, and Jaff ransomware.
On 23 November 2017, the Scarab ransomware was distributed to 12.5 million users in about six (6) hours. It was sent by the Necurs botnet in spam emails with subject lines such as “Scanned from Lexmark, Epson, HP & Canon.” The malicious emails contain a malicious VBScript that downloads the ransomware payload.
After infecting the system, the Scarab ransomware encrypts the victim’s files. It does not rename them; instead it appends the extension “.[firstname.lastname@example.org].scarab” to each encrypted file.
The ransom note is then dropped with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT.” The note claims that the price of decrypting the files depends on how quickly the victim responds.
Despite its wide distribution, the Scarab ransomware is less sophisticated than most ransomware. Its code is simple and can be detected by ordinary anti-virus applications.
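The indicators described above (the “.[address].scarab” extension pattern, the ransom-note filename, the printer-scan subject line and the VBScript lure) are enough for a simple triage script that a responder can run over a file listing and mail metadata. This is an added example, not code from the article or from any vendor; the bracketed contact address in the extension is matched generically rather than hard-coded, and the sample paths and message below are constructed.

```python
import re
from pathlib import PurePosixPath

# Indicators from the article: encrypted files keep their name and gain an
# extension ".[<contact address>].scarab" (address matched generically here);
# the ransom note has a fixed filename; the lure used printer-scan subjects.
SCARAB_EXT_RE = re.compile(r"\.\[[^\]\s]+\]\.scarab$", re.IGNORECASE)
RANSOM_NOTE_NAME = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
SPAM_SUBJECT_RE = re.compile(r"^Scanned from (Lexmark|Epson|HP|Canon)\b", re.IGNORECASE)

def classify_path(path):
    """Return 'encrypted', 'ransom_note' or None for one filesystem path."""
    name = PurePosixPath(path).name
    if name.upper() == RANSOM_NOTE_NAME:
        return "ransom_note"
    if SCARAB_EXT_RE.search(name):
        return "encrypted"
    return None

def scan_paths(paths):
    """Count Scarab artefacts in a file listing and list the directories hit."""
    counts = {"encrypted": 0, "ransom_note": 0}
    dirs = set()
    for p in paths:
        kind = classify_path(p)
        if kind is not None:
            counts[kind] += 1
            dirs.add(str(PurePosixPath(p).parent))
    return counts, sorted(dirs)

def mail_indicators(subject, attachment_names):
    """List which traits of the Necurs/Scarab lure a message's metadata shows."""
    hits = []
    if SPAM_SUBJECT_RE.match(subject.strip()):
        hits.append("printer-scan subject")
    if any(a.lower().endswith(".vbs") for a in attachment_names):
        hits.append("vbscript attachment")
    return hits

# Constructed sample listing and message metadata, not real captures.
SAMPLE_PATHS = [
    "/srv/share/finance/q3.xlsx.[contact@example.invalid].scarab",
    "/srv/share/finance/" + RANSOM_NOTE_NAME,
    "/srv/share/hr/policy.docx",
    "/srv/share/hr/photo.jpg.[contact@example.invalid].scarab",
]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
    print(mail_indicators("Scanned from HP", ["scan_0042.vbs"]))
```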
The following image is a screenshot of the ransom note:
Considering that the Scarab ransomware relies only on the conventional distribution scheme of malicious emails, the attack can easily be halted by not opening unsolicited emails and by keeping anti-virus applications up to date. In this light, cyber-security firms should instead be wary of the Necurs botnet, which could strongly aid more sophisticated attacks in the future.