
Necurs Botnet Spends Thanksgiving spreading malicious Scarab Ransomware

It was Thanksgiving Day in America yesterday, and while a lot of folks were preparing themselves to spend the day surrounded by their loved ones, the people operating the Necurs botnet were quite busy. Their spam-spewing network of compromised computers had been commissioned to send out a massive wave of ransomware-rigged emails.

If you're interested in information security and hear the words "Necurs" and "ransomware" in the same sentence, you'll most likely think that the Locky ransomware is involved. Indeed, what is referred to as "the biggest spam botnet in the world" played a key role in Locky's success. Yesterday, however, Necurs wasn't delivering Locky. Instead, it spread the Scarab ransomware.

Scarab is one of the countless ransomware families that appeared in the summer of 2017. It was first spotted in the wild in June, and it never really managed to do much damage. Until yesterday, that is.

Forcepoint researchers first spotted the malicious emails around 7:30 UTC, and by 13:30 UTC they had captured more than 12 million messages. The wave of spam was indeed huge, and the social engineering was a classic Necurs affair. VBScript downloaders were disguised as scanned images and packed into 7z archives. The sender address was spoofed to convince users that the messages really came from within their own networks, and the subjects read "Scanned from [the name of a scanner manufacturer]." F-Secure's experts, who were also monitoring the campaign, noted that pretty much exactly the same techniques had been used no more than two weeks earlier, when Necurs was still spreading Locky.

Once executed, the VBS downloader fetches the Scarab payload from a few compromised websites (some of which have been used by Locky in the past). The executable is placed in the %AppData% folder and is named "sevnz.exe." Persistence is achieved through one of the registry Run keys, and a few commands executed through cmd.exe delete the shadow volume copies and disable Windows' built-in recovery options. Then, it's on to the encryption.

Not a whole lot of detail is available on how Scarab scrambles files, but according to Trend Micro's Threat Encyclopedia, the list of targeted extensions is quite long, and back in October, Michael Gillespie, the researcher who first discovered the ransomware, said that decrypting the files for free is not possible for now.

The version distributed by Necurs yesterday doesn't change the file names and instead appends ".[suupport@protonmail.com].scarab" to the extensions. Finally, a TXT ransom note titled "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" is placed in each affected folder.
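The infection chain and on-disk artifacts described above (dropper in %AppData%, Run-key persistence, recovery tampering via cmd.exe, the appended extension and the ransom note) translate directly into host-level detection logic. The following is an added example, not code from the article or from any of the vendors it cites; it runs over constructed Sysmon-style event records, and the shadow-copy and recovery commands it matches are the standard Windows ones, assumed here because the article does not quote the sample's exact command lines.

```python
# Host indicators taken from the article's description of the Necurs-delivered sample.
SCARAB_SUFFIX = ".[suupport@protonmail.com].scarab"
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
DROPPER_NAME = "sevnz.exe"
RUN_KEY_TAIL = "\\microsoft\\windows\\currentversion\\run"
# Assumption: the article only says cmd.exe removes shadow copies and disables recovery;
# these are the usual Windows commands for that, not ones quoted from the sample.
RECOVERY_TAMPER = (("vssadmin", "delete shadows"), ("bcdedit", "recoveryenabled"))

def classify_event(event):
    """Return the name of the Scarab indicator an event matches, or None if benign."""
    kind = event.get("type")
    if kind == "file_create":
        path = event["path"]
        name = path.rsplit("\\", 1)[-1]
        if name.lower() == DROPPER_NAME and "\\appdata\\" in path.lower():
            return "dropper_in_appdata"
        if name.upper() == RANSOM_NOTE:
            return "ransom_note"
        if path.lower().endswith(SCARAB_SUFFIX.lower()):
            return "encrypted_file"
    elif kind == "process_create":
        cmd = event["command_line"].lower()
        if any(tool in cmd and verb in cmd for tool, verb in RECOVERY_TAMPER):
            return "recovery_tampering"
    elif kind == "registry_set":
        key, data = event["key"].lower(), event["data"].lower()
        if key.endswith(RUN_KEY_TAIL) and DROPPER_NAME in data:
            return "run_key_persistence"
    return None

def triage(events):
    """Group events by indicator; several distinct indicators on one host is the real signal."""
    hits = {}
    for ev in events:
        tag = classify_event(ev)
        if tag:
            hits.setdefault(tag, []).append(ev)
    return hits

# Constructed sample telemetry in a Sysmon-like shape (not captured from a real host).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\sevnz.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\sevnz.exe"},
    {"type": "process_create", "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\q3.docx.[suupport@protonmail.com].scarab"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"},
]
```

A single hit (a lone vssadmin call, say) is noisy on its own; the dropper name, Run-key value and appended extension together are what make the verdict specific to this campaign.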

The use of the Necurs botnet and the re-use of some of the payload-hosting servers might lead you to believe that the people who operate Locky are now running the Scarab campaign. A closer look at the evidence suggests otherwise, however.

In fact, from an execution standpoint, the Scarab ransomware can't hold a candle to the mighty Locky. For one, Scarab is based on the open-source HiddenTear ransomware builder, which has enabled many script kiddies to dump their pathetic attempts at running a cybercrime operation on the world. There is no Tor-hosted payment page or system. Instead, victims are instructed to contact the crooks via email, and a backup communication channel is set up through Bitmessage. Even the ransom amount isn't specified; apparently, it depends on how quickly the victims reach out.

Scarab might not have been designed by professionals, but the mere presence of the Necurs botnet makes it effective, especially considering the lack of a free decryptor. It goes to show that in this day and age, running a ransomware operation requires nothing more than a few hours spent on the HiddenTear GitHub repository and some spare Bitcoins to rent the world's biggest botnet.

The only good news is that the spike has subsided over the last twenty-four hours (link: https://twitter.com/malwrhunterteam/status/934011921673703424). Let's hope it stays that way.
