Necurs Botnet Now Distributing Scarab Ransomware

The Necurs botnet is now distributing a new ransomware called Scarab.

The emails delivering the Scarab ransomware followed a pattern seen in the past with Necurs spam. The email subjects gives the illusion the attached documents were images of scanned documents.

Scarab is based on a proof-of-concept ransomware called HiddenTear and is marked as being less sophisticated than more popular variants like Locky. It is delivered via phishing emails using a .7z attachment containing a VBScript dropper. Once files are encrypted with a ‘.scarab’ extension a ransom note is dropped in each directory demanding an unspecified amount of Bitcoin be sent to the provided email address.

Detection rates for Scarab in anti-virus suites are also very high, minimising the risk it poses to organisations.




URLS FROM THE EXTRACTED VBS FILES:

• 98.124.251.75 port 80 – atlantarecyclingcenters.com – GET /JHgd476?
• 66.36.173.111 port 80 – hard-grooves.com – GET /JHgd476?
• 66.36.165.149 port 80 – hellonwheelsthemovie.com – GET /JHgd476?
• 98.124.251.75 port 80 – miamirecyclecenters.com – GET /JHgd476?
• 5.2.77.79 port 80 – pamplonarecados.com – GET /JHgd476?
• 185.57.172.213 port 80 – xploramail.com – GET /JHgd476?

IP ADDRESS CHECK BY INFECTED HOST (NOT INHERENTLY MALICIOUS):

• 88.99.66.31 port 80 – iplogger.co – GET /18RtV6.jpg

Note: The above host names may change.

EMAIL ADDRESS FROM THE DECRYPTION INSTRUCTIONS:

• [email protected]

The ransom note is peculiar because it does not mention a ransom sum, but tells users that the quicker they contact the Scarab authors via email or BitMessage, the smaller the ransom sum will be.

At this there is no known method of recovering files encrypted by the Scarab ransomware. {1st December 2017}

Affected Platforms

Microsoft Windows – All Versions

Scarab also deletes shadow volume copies and drops a ransom note named “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” on users’ computers, which it opens immediately – See image below.