Scarab-Deep Ransomware

By GoldSparrow in Ransomware

The Scarab-Deep Ransomware is an encryption ransomware Trojan based on the Scarab Ransomware, a threat that was first observed in November 2017. Between May and July 2018, PC security researchers noted numerous variants of Scarab being released, possibly as part of a Ransomware as a Service (RaaS) platform or developed using a ransomware builder kit. There is practically nothing to differentiate one variant of Scarab from another; they all carry out the same basic attack: they encrypt the victim's files with an encryption algorithm and then demand a ransom payment from the victim in exchange for the decryption key that will restore the files encrypted by the attack.

How the Scarab-Deep Ransomware Attack is Carried Out

The Scarab-Deep Ransomware is mostly spread through corrupted spam email attachments, which often take the form of DOCX files with embedded macro scripts. Once installed on the victim's computer, the Scarab-Deep Ransomware scans the victim's files in search of user-generated files, which may include images, documents, media files, archives, backups, configuration files, databases, Web pages, etc. The following are examples of the file types that threats like the Scarab-Deep Ransomware may target in their attacks:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The Scarab-Deep Ransomware marks the files encrypted by the attack by adding the file extension '.deep' to the affected file's name. The Scarab-Deep Ransomware delivers its ransom note in the form of a text file named 'HOW TO RECOVER ENCRYPTED FILES.TXT', which is dropped on the infected computer's desktop. This text file contains the following message:

'Your files are now encrypted!
Your personal identifier:
[random characters]
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment, we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: mrdeep@protonmail.com'

Following the instructions or contacting the criminals using this email address can put computer users in a bad situation because they can be lured into paying the ransom and getting nothing in return. One curious aspect of the Scarab-Deep Ransomware is that its associated email address has been observed before in the case of other ransomware Trojans.
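
The two on-disk indicators described above (the '.deep' extension and the ransom note's file name) can be used to scope an infection during triage. The following Python sketch is an added example, not code from the original article; its function names, the sample directory tree and the identifier value are constructed for illustration, and it assumes '.deep' is appended to the original file name.

```python
import os
import tempfile
from collections import Counter

ENC_EXT = ".deep"                                  # extension named in the article
NOTE_NAME = "HOW TO RECOVER ENCRYPTED FILES.TXT"   # note file name from the article
ID_LABEL = "Your personal identifier:"             # line from the quoted ransom note

def read_note_id(path):
    """Return the line that follows ID_LABEL, or None if the file does not match."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        lines = [ln.strip() for ln in fh.read(8192).splitlines()]
    for i, line in enumerate(lines[:-1]):
        if line == ID_LABEL:
            return lines[i + 1] or None
    return None

def triage(root):
    """Walk root; count *.deep files per directory and collect ransom notes."""
    per_dir, notes = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENC_EXT):
                per_dir[dirpath] += 1
            elif name.upper() == NOTE_NAME:
                path = os.path.join(dirpath, name)
                notes.append((path, read_note_id(path)))
    return {"encrypted_total": sum(per_dir.values()),
            "encrypted_by_dir": dict(per_dir),
            "notes": notes}

def build_sample(root):
    """Create a constructed tree imitating an affected user profile (not real data)."""
    docs = os.path.join(root, "Documents")
    desk = os.path.join(root, "Desktop")
    os.makedirs(docs)
    os.makedirs(desk)
    for name in ("report.docx.deep", "budget.xlsx.deep", "untouched.txt"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(desk, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Your files are now encrypted!\n" + ID_LABEL + "\nCONSTRUCTED-ID-0001\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(build_sample(tmp))
        print("encrypted files:", result["encrypted_total"])
        for note_path, victim_id in result["notes"]:
            print("note:", note_path, "identifier:", victim_id)
```

Run against a mounted disk image or a backup snapshot rather than the live system, so the per-directory counts show which locations need to be restored from backup.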

Protecting Your Data from Threats Like the Scarab-Deep Ransomware

Computer users should protect their data from the Scarab-Deep Ransomware by having file backups stored on a cloud service or external utilities. File backups ensure that any file can be restored after a Scarab-Deep Ransomware attack without having to contact the criminals or pay a ransom. A Scarab-Deep Ransomware infection can be prevented by an established security program, which can also remove this threat (although it will not restore encrypted files).