Necurs Botnet Now Distributing Scarab Ransomware
The Necurs botnet is now distributing a new ransomware called Scarab.
The emails delivering the Scarab ransomware followed a pattern seen in the past with Necurs spam. The email subjects gives the illusion the attached documents were images of scanned documents.
Scarab is based on a proof-of-concept ransomware called HiddenTear and is marked as being less sophisticated than more popular variants like Locky. It is delivered via phishing emails using a .7z attachment containing a VBScript dropper. Once files are encrypted with a ‘.scarab’ extension a ransom note is dropped in each directory demanding an unspecified amount of Bitcoin be sent to the provided email address.
Detection rates for Scarab in anti-virus suites are also very high, minimising the risk it poses to organisations.
URLS FROM THE EXTRACTED VBS FILES:
- 98.124.251.75 port 80 – atlantarecyclingcenters.com – GET /JHgd476?
- 66.36.173.111 port 80 – hard-grooves.com – GET /JHgd476?
- 66.36.165.149 port 80 – hellonwheelsthemovie.com – GET /JHgd476?
- 98.124.251.75 port 80 – miamirecyclecenters.com – GET /JHgd476?
- 5.2.77.79 port 80 – pamplonarecados.com – GET /JHgd476?
- 185.57.172.213 port 80 – xploramail.com – GET /JHgd476?
IP ADDRESS CHECK BY INFECTED HOST (NOT INHERENTLY MALICIOUS):
- 88.99.66.31 port 80 – iplogger.co – GET /18RtV6.jpg
Note: The above host names may change.
EMAIL ADDRESS FROM THE DECRYPTION INSTRUCTIONS:
The ransom note is peculiar because it does not mention a ransom sum, but tells users that the quicker they contact the Scarab authors via email or BitMessage, the smaller the ransom sum will be.
At this there is no known method of recovering files encrypted by the Scarab ransomware. {1st December 2017}
Affected Platforms
Microsoft Windows – All Versions
Scarab also deletes shadow volume copies and drops a ransom note named “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” on users’ computers, which it opens immediately – See image below.


Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.