
Scarab-DiskDoctor Ransomware

By GoldSparrow in Ransomware

The Scarab-DiskDoctor Ransomware is an encryption ransomware Trojan that belongs to a large family of ransomware Trojans whose activity increased in May-June 2018. Numerous new members of the Scarab family of ransomware were released starting in April 2018. The Scarab-DiskDoctor Ransomware was first observed in early June and is identical to its predecessors: it uses AES encryption to make the victim's files inaccessible and then demands payment to restore the affected files. The victims are asked to contact the criminals behind the Scarab-DiskDoctor Ransomware via its ransom note, which includes an email address for contact.

The Vicious Attack Executed by the Scarab-DiskDoctor Ransomware

The Scarab-DiskDoctor Ransomware's encryption is easy to recognize because the Scarab-DiskDoctor Ransomware adds the file extension '.DiskDoct' to each affected file. However, unlike similar threats, the Scarab-DiskDoctor Ransomware does not otherwise change the affected files' names. The Scarab-DiskDoctor Ransomware encrypts a wide variety of user-generated file types while avoiding the Windows system files. One unusual aspect of the Scarab-DiskDoctor Ransomware, however, is that it also seems to target DLL files in its attack, which similar threats often avoid. The Scarab-DiskDoctor Ransomware targets the following file types with its encryption component, which makes them inaccessible:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

The Scarab-DiskDoctor Ransomware may be delivered in the form of an executable file with a random name. The Scarab-DiskDoctor Ransomware encrypts the targeted files and then delivers a ransom note in the form of a text file named 'HOW TO RECOVER ENCRYPTED FILES.TXT.' The whole text of the Scarab-DiskDoctor Ransomware ransom note reads:

'Warning all your files are encrypted !!!
To receive the decoder, you must send an email to the email address with your personal ID:
DiskDoctor@protonmail.com
In response you will receive further instructions.
ATTENTION !!!
* Do not attempt to uninstall the program or run antivirus software.
* Attempts to self-decrypt files will result in the loss of your data.
* Decoders of other users are incompatible with your data, as each user has a unique encryption key.
Your personal identifier:
[alpha-numerical string]'

The Scarab-DiskDoctor Ransomware's ransom note also includes an ASCII image, a picture drawn entirely with ASCII characters. This image depicts a devil holding a trident.

Protecting Your Data from Threats Like the Scarab-DiskDoctor Ransomware

The rise in attacks by the Scarab family shows no sign of subsiding. PC security researchers suspect that the criminals may have released Scarab as a RaaS (Ransomware as a Service) offering, which would account for the numerous variants of the Scarab-DiskDoctor Ransomware attack that all share the same code. The distribution methods used to deliver these threats to the victims' computers do not seem to vary much: the threats are delivered either through corrupted spam email attachments or through compromised advertising. Criminals also can install them directly by taking advantage of poorly protected RDP connections or other vulnerabilities. The best protection against the Scarab-DiskDoctor Ransomware is to have file backups that allow quick recovery of any affected files.

Update September 17th, 2018 — 'mammon-decrypt@protonmail.com' Ransomware

The name 'mammon-decrypt@protonmail.com' Ransomware is associated with a modified version of the Scarab-DiskDoctor Ransomware. As you may know, the Scarab Ransomware is a Ransomware-as-a-Service (RaaS) business in which malware developers help other cyber-threat actors deploy and use encryption Trojans based on their code. Examples of forked Trojans include the Scarab-Glutton Ransomware, the Scarab-Walker Ransomware and the Scarab-Osk Ransomware. The 'mammon-decrypt@protonmail.com' Ransomware is a modified copy of the Scarab-DiskDoctor Ransomware, which was itself created using the Scarab RaaS Builder. The 'mammon-decrypt@protonmail.com' Ransomware was reported on September 17th, 2018 and appears to be distributed via spam emails and phishing pages.

The new version of the Scarab-DiskDoctor Ransomware is known to add the '.mammon-decrypt@protonmail.com' and the '.decoder-help@protonmail.com' extensions to the filenames. For example, 'James Bond-Goldfinger 1964.mp4' may be renamed to 'James Bond-Goldfinger 1964.mp4.mammon-decrypt@protonmail.com' or 'James Bond-Goldfinger 1964.mp4.decoder-help@protonmail.com' depending on the version of the Scarab-DiskDoctor Ransomware found on the infected device. The ransom notes used by the 'mammon-decrypt@protonmail.com' Ransomware carry names like HOW TO RETURN FILES.TXT, HOW TO RECOVER ENCRYPTED FILES.TXT, HOW TO RECOVER ENCRYPTED FILES1.TXT and HOW TO RECOVER ENCRYPTED FILES2.TXT. The ransom notes associated with the 'mammon-decrypt@protonmail.com' and the 'decoder-help@protonmail.com' email accounts have been observed to carry the following message:

'Warning all your files are encrypted !!!
To receive the decoder, you must send an email to
the email address with your personal ID:
[email address]
In response you will receive further instructions.
ATTENTION !!!
* Do not attempt to uninstall the program or run
antivirus software.
* Attempts to self-decrypt files will result in the
loss of your data.
* Decoders of other users are incompatible with your
data, as each user has a unique encryption key.
Your personal identifier:
=============
[random characters]
============='
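As an added defender-side illustration of the indicators described in the two sections above (the '.DiskDoct' extension and the email-address extensions of the later variants, plus the ransom note file names), the following Python triage script is not code from the original page or from any vendor; it walks a directory tree, tallies encrypted files per variant and per original file type, and lists ransom notes. The sample tree it builds is constructed for the demonstration, not a real infection.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the page reports being appended to encrypted files.
SCARAB_EXTENSIONS = (".DiskDoct", ".mammon-decrypt@protonmail.com",
                     ".decoder-help@protonmail.com")
# Ransom note file names the page reports for these variants.
RANSOM_NOTE_NAMES = {"HOW TO RECOVER ENCRYPTED FILES.TXT", "HOW TO RETURN FILES.TXT",
                     "HOW TO RECOVER ENCRYPTED FILES1.TXT", "HOW TO RECOVER ENCRYPTED FILES2.TXT"}


def classify(name):
    """Return ('note', None, name), ('encrypted', variant_ext, original_name) or None."""
    if name.upper() in RANSOM_NOTE_NAMES:
        return ("note", None, name)
    for ext in SCARAB_EXTENSIONS:
        if name.lower().endswith(ext.lower()):
            # The base name is kept intact, so stripping the extension recovers it.
            return ("encrypted", ext, name[:-len(ext)])
    return None


def scan_tree(root):
    """Walk root; tally encrypted files, ransom notes, variant extensions and original types."""
    result = {"encrypted": [], "notes": [], "by_variant": Counter(), "original_types": Counter()}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        hit = classify(path.name)
        if hit is None:
            continue
        kind, ext, original = hit
        if kind == "note":
            result["notes"].append(str(path))
        else:
            result["encrypted"].append(str(path))
            result["by_variant"][ext] += 1
            result["original_types"][Path(original).suffix.lower()] += 1
    return result


def build_sample_tree():
    """Constructed sample tree (placeholder files, not real artefacts) hit by both variants."""
    root = tempfile.mkdtemp(prefix="scarab_sample_")
    for rel in ["Documents/report.docx.DiskDoct", "Documents/HOW TO RECOVER ENCRYPTED FILES.TXT",
                "Videos/James Bond-Goldfinger 1964.mp4.mammon-decrypt@protonmail.com",
                "Videos/HOW TO RETURN FILES.TXT", "Documents/notes.txt",
                "Windows/System32/kernel32.dll"]:  # system file left untouched
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder")
    return root
```

Run `scan_tree(build_sample_tree())` to see the tallies; on a real host point `scan_tree` at user data directories and treat any hit as a signal to isolate the machine and restore from backup.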
