
Scarab-Oblivion Ransomware

By GoldSparrow in Ransomware

The Scarab-Oblivion Ransomware is an encryption ransomware Trojan that belongs to a large family of file encryption ransomware Trojans known as Scarab or Amnesia. The Scarab-Oblivion Ransomware was first observed on April 28, 2018, and is part of a wave of ransomware in this family released in the same month. A variant of the Scarab-Oblivion Ransomware known as Scarab-XTBL was released only a few months before. The Scarab-Oblivion Ransomware may have been created using a ransomware builder, and the large number of variants in the Scarab-Oblivion Ransomware family released in April 2018 alone may indicate that the con artists responsible for the attack intend to overwhelm security software and analysts with as many variants of this attack as possible. The Scarab-Oblivion Ransomware, like the majority of encryption ransomware Trojans, is designed to take the victim's files hostage by encrypting them and then demanding a ransom payment in exchange for the decryption key necessary to restore access to the affected files.

There's no Oblivion When the Scarab-Oblivion Ransomware Attacks Your Files

The Scarab-Oblivion Ransomware is based on HiddenTear, an open source ransomware platform that has been responsible for numerous threats since it was first released in 2015. The Scarab-Oblivion Ransomware uses a strong AES encryption algorithm to make the victim's files inaccessible. The Scarab-Oblivion Ransomware targets user-generated files, which may include media files, databases and numerous kinds of documents. The following are some of the file types that may be targeted by this type of attack:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

The Scarab-Oblivion Ransomware marks the files it encrypts with the file extension '.OBLIVION,' added to the end of each affected file's name. Other variants of the Scarab-Oblivion Ransomware are marking the affected files in recent attacks with file extensions such as the following: '.PLEASE,' '.XTBL,' '.[Jackie7@asia.com],' '.amnesia,' '.crypto' and '.scarab.' While the Scarab-Oblivion Ransomware demands that the victim arrange the ransom payment through the email addresses 'obliviondecrypt@cock.li' and 'obliviondecrypt@protonmail.com,' variants of the Scarab-Oblivion Ransomware have been associated with the following email addresses:

  • anticrypto@protonmail.com
  • decry1@cock.li
  • decry2@cock.li
  • jackie7@asia.com
  • joxe1@cock.li
  • westlan@protonmail.ch

The Scarab-Oblivion Ransomware's Ransom Demand

The Scarab-Oblivion Ransomware may deliver a ransom note in the form of a text file named 'OBLIVION DECRYPTION INFORMATION.TXT,' which is dropped on the infected computer's Desktop. The following text was observed in a ransom note associated with a previous version of the Scarab-Oblivion Ransomware (newer variants of the Scarab-Oblivion Ransomware are not likely to differ substantially from this one):

'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS
email - joxel@cock.li
Your files are now encrypted!
BEGIN PERSONAL IDENTIFIER
[RANDOM CHARACTERS]
END PERSONAL IDENTIFIER
All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: joxel@cock.li'
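The appended extensions and the ransom note file name described above can be turned into a simple triage check over a file listing. The following is an added example, not part of the original article or any vendor tool: the function names, the per-folder threshold and the sample paths are assumptions constructed for illustration.

```python
import ntpath
from collections import Counter

# Indicators taken from the article text; compared case-insensitively.
MARKER_EXTENSIONS = (".oblivion", ".please", ".xtbl", ".[jackie7@asia.com]",
                     ".amnesia", ".crypto", ".scarab")
RANSOM_NOTE = "oblivion decryption information.txt"

def classify(path):
    """Return 'note', 'encrypted' or None for one Windows-style path."""
    name = ntpath.basename(path).lower()
    if name == RANSOM_NOTE:
        return "note"
    # The marker is appended after the original extension (report.docx.OBLIVION).
    # splitext() would cut '.[jackie7@asia.com]' at the last dot and return
    # '.com]', so match on the end of the whole file name instead.
    if any(name.endswith(ext) and len(name) > len(ext) for ext in MARKER_EXTENSIONS):
        return "encrypted"
    return None

def triage(paths, threshold=3):
    """Count marked files per folder. A folder is suspect when it holds the
    ransom note or at least `threshold` marked files (assumed cut-off that
    keeps a single generic '.crypto' or '.please' file from raising an alert)."""
    marked, notes = Counter(), set()
    for p in paths:
        kind = classify(p)
        folder = ntpath.dirname(p).lower()
        if kind == "encrypted":
            marked[folder] += 1
        elif kind == "note":
            notes.add(folder)
    suspect = {d for d, n in marked.items() if n >= threshold} | notes
    return {"marked": dict(marked), "notes": sorted(notes), "suspect": sorted(suspect)}

# Constructed sample listing, e.g. from `dir /s /b` output or EDR file events.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.OBLIVION",
    r"C:\Users\alice\Documents\notes.txt.oblivion",
    r"C:\Users\alice\Documents\plan.docx.[Jackie7@asia.com]",
    r"C:\Users\alice\Desktop\OBLIVION DECRYPTION INFORMATION.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Tools\wallet.crypto",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```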
