Scarab Ransomware

Scarab Ransomware Description

The Scarab Ransomware is an encryption ransomware Trojan that was observed on June 13, 2017. The Scarab Ransomware is one of the many HiddenTear variants that are active currently. HiddenTear, an open source ransomware Trojan released in 2015, has spawned countless threat variants since its code was made available to amateur con artists looking to carry out these attacks. The most common way of distributing the Scarab Ransomware is by including it as a corrupted file attachment in spam email messages. The Scarab Ransomware can be identified easily because it will mark the files it encrypts with the file extension '.scarab,' which is included to the end of the affected file's name. There is little to differentiate the Scarab Ransomware from other ransomware Trojans, which encrypt the victim's files and then demand the payment of a ransom in exchange for the decryption key necessary to recover the affected files.

The Sacred Beetle Devoted to Ruin Files

In its infection process, the Scarab Ransomware will scan the victim's computer in search for certain file types and then encrypt them using a strong encryption algorithm. After encrypting the victim's files, the Scarab Ransomware will create a ransom note, which will take the shape of a text file dropped on the infected computer's desktop and in directories where the Scarab Ransomware encrypted content. During its attack, the Scarab Ransomware also will interfere with alternate recovery methods, deleting the Windows Restore points and the Shadow Volume Copies that could be used to restore the affected files to their former states. The text file used to deliver the Scarab Ransomware's ransom note is titled 'IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT' and contains the following message:

'*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
-----BEGIN PERSONAL IDENTIFIER-----
**************************************
-----END PERSONAL IDENTIFIER-----
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: qa458@yandex.ru
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc)..
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
'Buy bitcoins', and select the seller by payment method and price:
hxxps://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

Dealing with the Scarab Ransomware Infection

The best way to deal with encryption ransomware threats like the Scarab Ransomware is to restore your files from a backup copy. PC users must refrain from paying the ransom the Scarab Ransomware demands. The people responsible for the Scarab Ransomware attack are just as likely to ignore your payment as they are to demand more money or attempt to re-infect your computer. Furthermore, paying the Scarab Ransomware ransom allows these people to continue creating these threats. Fortunately, having backups on an external memory device is so effective against ransomware Trojans like the Scarab Ransomware that if enough computer users do it, these attacks will disappear altogether, since these people would no longer have any leverage over their victims, to demand a ransom payment.

Update November 10th, 2018 — 'dou876sh@tuta.io' Ransomware

The 'dou876sh@tuta.io' Ransomware is a file cryptor program that was announced on November 10th, 2018. The 'dou876sh@tuta.io' Ransomware is produced by major threat actors who you may know for the Scarab Ransomware. Computer security researchers note that the 'dou876sh@tuta.io' Ransomware is classified as an updated version of the Scarab Trojan that uses two new emails, a new file marker, new command servers, and a slightly altered encryption procedure. The 'dou876sh@tuta.io' Ransomware may feature a lackluster name, but you should take into consideration that most versions of the Scarab Ransomware feature behind the scenes changes and they are hard to distinguish easily. Also, the Scarab Ransomware is operated as a service provided to third-party threat actors who act as distributors for the threat product.

The 'dou876sh@tuta.io' Ransomware is dispersed via spam emails and macro-enabled documents that may be presented as notices from Web services and updates from social media. PC users are advised to disable the macro functionality in their word processors and ignore messages from questionable email accounts. The threat is known to encode photos, music, video, text and databases on compromised devices. The new variant is designed to attach the '.crypted034' suffix to the filenames and propose victims to buy a decryptor via email. For example, 'Pluto's Gate.docx' is renamed to 'Pluto's Gate.docx.crypted034' and a ransom note named 'HOW TO RECOVER ENCRYPTED FILES.TXT' appears on the user's screen. The ransom notification used with the 'dou876sh@tuta.io' Ransomware is identical to the one used by the Scarab-Walker Ransomware. There are no big changes other than the emails provided for contact. The Trojan at hand used the 'dou876sh@tuta.io' and the 'dou876sh@mail.ee' email account to offer decryption services.

It is recommended to remove the 'dou876sh@tuta.io' Ransomware using a reliable anti-malware tool and avoid writing to both emails used with the ransomware campaign. The 'dou876sh@tuta.io' Ransomware may run as 'osk.exe' on systems and attempt to stop database processes that may be running at the time of the infection. AV Engines flag resources associated with the 'dou876sh@tuta.io' Ransomware using the following alerts:

Mal/Generic-S
Ransom_SCARAB.THAAABAH
TR/AD.ZardRansom.dfarj
Trojan ( 004f700b1 )
Trojan.Generic.D26D41EA
Trojan.GenericKD.40714730
Trojan:Win32/Skeeyah.A!rfn
W32/Trojan.QMOM-8742
Win32/Filecoder.FS
malicious_confidence_80% (W

Update November 26th, 2018 — 'stevenseagal@airmail.cc' Ransomware

The name — 'stevenseagal@airmail.cc' Ransomware is associated with a new variant of the Scarab Ransomware, which was reported on November 26th, 2018. Computer security experts alert that the new variant is distributed via spam emails, corrupted documents, and advertisements hosted on compromised Web pages. The Trojan at hand is named after the most obvious change in the attack pattern. The 'stevenseagal@airmail.cc' Ransomware encodes standard file formats and adds the '.stevenseagal@airmail.cc' extension to them. For example, 'Brisbane.docx' is encrypted and renamed to 'Brisbane.docx.stevenseagal@airmail.cc.' The threat deletes the original data found on compromised systems along with any Shadow Volume snapshots saved by Windows. The System Restore points are removed by using the command line tool, and a ransom note is dropped to the screen. The 'stevenseagal@airmail.cc' Ransomware appears to use the same ransom note as the Scarab-Bomber Ransomware. The threat actors made sure to leave 'HOW TO RECOVER ENCRYPTED FILES.TXT' to the victim's desktop and offer the following message:

'Your files are now encrypted!
Your personal identifier:
[random characters]
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: stevenseagal@airmail.cc
If you don't get a reply for 12 hours or if the email dies, then contact us using jabber(XMPP).
Download it form here: https://www.pidgin.im/ install it Next download https://otr.cypherpunks.ca/ install it
Register here - https://www.xmpp.jp/signup?lang=en
In pidgin turn on module OTR After write us in pidgin - helpersmasters@xmpp.jp (It is not a mail,xmpp)
Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).'

As you can see above, the Trojan directs users to send an email to 'stevenseagal@airmail.cc' and use an XMPP-enabled messenger application to contact 'helpersmasters@xmpp.jp.' Computer security experts that track the development of new Scarab-based threats advise the users to disable macros in their word processor and install the latest security patches to minimize the risk of infection with the 'stevenseagal@airmail.cc' Ransomware. You should remove the cyber-threat using a reliable anti-malware utility and avoid paying the ransom. Funding the production of new variants should be the last thing you would want to do. Use a backup manager to restore your data and keep your money.

Update November 26th, 2018 — 'lolitahelp@cock.li' Ransomware

Another update to the Scarab Ransomware line of Trojans involves the 'lolitahelp@cock.li' Ransomware Trojan. The 'lolitahelp@cock.li' Ransomware was reported on the same day as the 'stevenseagal@airmail.cc' Ransomware. The 'stevenseagal@airmail.cc' Ransomware is based on the original Scarab Ransomware that evolved into a Ransomware-as-a-Service platform in late 2017. The 'lolitahelp@cock.li' Ransomware features minimal changes compared to Scarab-based Trojans we reported in November 2018. The 'lolitahelp@cock.li' Ransomware is programmed to encode family photos, text, eBooks, spreadsheets, databases, video, and audio recordings found on infected machines. The 'lolitahelp@cock.li' Ransomware may enter the systems via corrupted DOCX files and PDFs. The most notable trait of the 'lolitahelp@cock.li' Ransomware is that the encrypted files feature the '.lolita' extension and something like 'Canberra.pptx' is renamed to 'Canberra.pptx.lolita.' The ransom note is provided as '_How to restore files.TXT' and reads:

'Your files are now encrypted!
Your personal identifier:
[random characters]
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: lolitahelp@cock.li
If you don't get a reply for 12 hours or if the email dies, then contact us using this email: lolitahelp@protonmail.com
Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).'

The threat actors are using two emails for negotiations with their victims. The threat is reported to refer to the 'lolitahelp@cock.li' and the 'lolitahelp@protonmail.com' email accounts. PC users that may have missed to back up their data may be willing to write to the emails provided by the 'lolitahelp@cock.li' Ransomware. However, that is a bad idea because the threat actors may not send you a decryptor even if you have transferred hundreds of dollars to their cryptocurrency account. A better choice you can make is to boot the System Recovery disk, use email services to restore documents you may have sent to friends and use file storage services like Dropbox to download older versions of your files. Remember to disable macros in your processor as it is a feature often exploited by these attacks.

Detection names for the 'lolitahelp@cock.li' Ransomware include:

BehavesLike.Win32.Ransom.hc
Ransom:Win32/Pulobe.A
Ransom_Pulobe.R011C0DKK18
Trojan.GenericKD.31358848
Trojan.Win32.Generic.4!c
Trojan/Win32.Msht
W32/GenKryptik.CQSJ!tr
Win32.Trojan.Msht.Sueh
Win32/Trojan.3fe
malicious_confidence_100% (W)
variant of Win32/Kryptik.GMXI

Update November 27th, 2018 — 'wewillhelp@airmail.cc' Ransomware

The 'wewillhelp@airmail.cc' Ransomware is generic encryption Trojan that is categorized as a variant of the infamous Scarab Ransomware. The 'wewillhelp@airmail.cc' Ransomware is distributed the same way that most of the Scarab-based threats are propagated — spam emails that carry a macro-enabled document. The threat actors favor the use of fake CVs and product delivery reports from Amazon. The 'wewillhelp@airmail.cc' Ransomware is named after one of the contacts listed in its ransom note. Also, the Trojan is known to promote an XMPP account named 'helpersmasters@xmpp.jp' for "technical support." The 'wewillhelp@airmail.cc' Ransomware is designed to apply a custom cipher to images, audio, video, databases, text, PDFs and eBooks. The 'wewillhelp@airmail.cc' Ransomware follows the same principles as the Scarab-Enter Ransomware and appends a custom suffix so that the users can estimate how much data was compromised by the attack. The first wave of incidents associated with the 'wewillhelp@airmail.cc' Ransomware shows that it appends the '.wewillhelp@airmail.cc' file marker. For example, 'Melbourne.jpeg' is renamed to 'Melbourne.jpeg.wewillhelp@airmail.cc' and a ransom note titled 'HOW TO RECOVER ENCRYPTED FILES.TXT' can be found on the desktop. The ransom notification coming with the 'wewillhelp@airmail.cc' Ransomware reads:

'Your files are now encrypted!
Your personal identifier:
[random characters]
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: wewillhelp@airmail.cc
If you don't get a reply for 12 hours or if the email dies, then contact us using jabber(XMPP).
Download it form here: https://www.pidgin.im/ install it Next download https://otr.cypherpunks.ca/ install it
Register here - https://www.xmpp.jp/signup?lang=en
In pidgin turn on module OTR After write us in pidgin - helpersmasters@xmpp.jp (It is not a mail,xmpp)
Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).'

We recommend that the users avoid contact with the threat actors via the email — 'wewillhelp@airmail.cc,' the Pidgin account — 'helpersmasters@xmpp.jp,' as well as other contacts that may be listed. You should eliminate the traces of the 'wewillhelp@airmail.cc' Ransomware with the help of a trusted anti-malware instrument and boot backup images. Unfortunately, threats like the 'wewillhelp@airmail.cc' Ransomware employ the same secure encryption technologies as dominant Internet services (Facebook for example) to secure data transmissions, and it is impossible to break the encryption suing present-day machines. You may choose to keep the encrypted data just in case if a free decryptor becomes available in the future. The only reliable protection against permanent damage to your files is to have backups at all times.

Update November 29th, 2018 — 'online24files@airmail.cc' Ransomware

The 'online24files@airmail.cc' Ransomware is a variant in the Scarab family of ransomware Trojans, a large family of threats that have received numerous variants in 2018. PC security researchers suspect that Scarab has been released in the Dark Web as a RaaS (Ransomware as a Service) or as a builder kit, allowing for numerous variants of these threats to be created by various criminals attempting to carry out malware attacks.

How the 'online24files@airmail.cc' Ransomware Attack Works

The 'online24files@airmail.cc' Ransomware attack is not too sophisticated. Typically, the 'online24files@airmail.cc' Ransomware is delivered to the victim's computer by using corrupted email attachments. Once the 'online24files@airmail.cc' Ransomware is installed, it will attempt to take the victim's files hostage. To do this, the 'online24files@airmail.cc' Ransomware will use a strong encryption algorithm to make the victim's files inaccessible. The 'online24files@airmail.cc' Ransomware's attack uses the AES and RSA encryptions. The 'online24files@airmail.cc' Ransomware and similar threats target the user-generated files, which may include a wide variety of file types, such as databases, media files and documents. The following are examples of the files that are threatened by Trojans like the 'online24files@airmail.cc' Ransomware:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The 'online24files@airmail.cc' Ransomware's Ransom Demands

The 'online24files@airmail.cc' Ransomware will rename the files it targets, scrambling their names and adding its contact email address in the form of a new extension for the infected files. The 'online24files@airmail.cc' Ransomware also delivers a ransom note in the form of a text file dropped on the infected computer's desktop. The 'online24files@airmail.cc' Ransomware ransom note is nearly identical to those used by other Scarab variants, and reads as follows:

'The file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.
=============
[contact email]
=============
Your files are encrypted!
Your personal identifier:
[hex string]
=============
To decrypt files, please contact us by email:
infovip@airmail.cc
=============
The file is encrypted with the RSA-2048 algorithm, only we can decrypt the file'

Computer users are recommended to refrain from contacting the criminals or following the instructions in the 'online24files@airmail.cc' Ransomware's ransom note.

Protecting Your Data from Threats Like the 'online24files@airmail.cc' Ransomware

The best protection against threats like the 'online24files@airmail.cc' Ransomware is to have file backups stored in a safe location. Apart from file backups, any user should also have a reliable security utility that is fully up-to-date to intercept threats like the 'online24files@airmail.cc' Ransomware before they carry out their attacks. Having file backups ensures that computer users can restore their files after an attack. This is especially important because the 'online24files@airmail.cc' Ransomware uses an encryption method that is quite strong and it is not possible to recover the data compromised by its attack currently.

Update December 4th, 2018 — 'server.recover@mail.ru' Ransomware

The 'server.recover@mail.ru' Ransomware is a variant of the Scarab Ransomware that was noticed in the wild at the first week of December 2018. As you may be aware, threat actors maintain a Scarab Ransomware builder, which they lease to third parties who build and distribute custom variants. The 'server.recover@mail.ru' Ransomware is deployed to potential victims via spam emails and corrupted DOCX files. PC users that may experience the 'server.recover@mail.ru' Ransomware are likely to notice that the threat appends the '.danger' suffix to the filenames. The 'server.recover@mail.ru' Ransomware renames the encrypted content and overwrites targeted data containers. For example, 'Bank Holding Company Act of 1956.pdf' is renamed to 'Bank Holding Company Act of 1956.pdf.danger.' The Trojan at hand is no different from other Scarab variants in terms of behavior, deployment and structure. However, this variant comes with a slightly altered ransom note that has the standard name 'HOW TO RECOVER ENCRYPTED FILES.TXT.' The message inside 'HOW TO RECOVER ENCRYPTED FILES.TXT' reads:

'Your All files encrypted!
Your personal identifier:
[random characters]
Your ip Adres : [the machine's IP address]
mail send woth your ip adres
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: server.recover@mail.ru'

The threat actor behind the 'server.recover@mail.ru' Ransomware made sure to enable the self-destruct option in the Scarab Ransomware builder. Hence, there is no way to recover the encrypted content without using data backups, file hosting services, and the System Recovery images. It is recommended to protect your data from cyber-threats like the 'server.recover@mail.ru' Ransomware by installing a reliable backup manager and keeping your backup storage disconnected.

Update December 12th, 2018 — Scarab-Crypted034 Ransomware

The Scarab-Crypted034 Ransomware is an encryption ransomware Trojan that is part of the Scarab family of malware, a large family of threats that includes numerous variants released in 2018. The Scarab-Crypted034 Ransomware was first observed on December 12, 2018, and is virtually identical to the other variants of Scarab that have been observed in the last year. The Scarab-Crypted034 Ransomware can be identified easily because the files encrypted by its attack are marked with the file extension '.crypted034.'

Another Member of the Scarab Family is Tormenting PC Users

The Scarab-Crypted034 Ransomware, like most encryption ransomware Trojans, is designed to use the AES encryption to make the victim's files inaccessible. The Scarab-Crypted034 Ransomware delivers a ransom note once the victim's files have been encrypted. This ransom note is presented as a text file named 'HOW TO RECOVER ENCRYPTED FILES.txt,' which contains the following text:

'Your files are now encrypted!
Your personal identifier:
[random characters]

All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: xcv786@mail.ee (xcv786@india.com, xcv786@tutanota.com)
If you don't get a reply or if the email dies, then contact us using Bitmessage.
Download it form here: https://github.com/Bitmessage/PyBitmessage/releases
Run it, click New Identity and then send us a message at BM-2cVX9BfFbwjVZSi9jMPY22F6aeKMTny46y

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).'

Threats in the Scarab family of ransomware target the user-generated files in these attacks, which may include numerous documents, media files, configuration files and databases. The files that threats like the Scarab-Crypted034 Ransomware will target in these attacks include:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

Protecting Your Data from Threats Like the Scarab-Crypted034 Ransomware

To protect your data from threats like the Scarab-Crypted034 Ransomware, PC security researchers strongly recommend having backup copies of all data. The backed up data should be stored on external devices so that the threat will not be able to reach it. Apart from file backups, PC security researchers also recommend that computer users have a malware removal program that is fully up to date and capable of detecting and removing threats like the Scarab-Crypted034 Ransomware.

Update December 13th, 2018 — Scarab-Ironhead Ransomware

The Scarab-Ironhead Ransomware Trojan is classified as a relatively small update to the Scarab Ransomware that was spread among users via spam emails and fake software updates. As stated above, the Scarab Ransomware is operated as a development platform that enables threat actors to produce their variant of the original malware and distribute it. The Scarab-Ironhead Ransomware is named after the extension chosen by its distributor — '.ironhead.' The extensions associated with the Scarab line of Trojans are interpreted as a brand that distributors employ to mark the data encrypted by their variant of Scarab. For example, the Scarab-Ironhead Ransomware is programmed to rename 'Sample.txt' to 'Sample.txt.ironhead' and leave a standard Scarab ransom note. The ransom message is saved as 'How to restore encrypted files.txt' to the desktop and reads:

'Your files are now encrypted!

Your personal identifier:
[random characters]

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: fileisafe@tuta.io or fileisafe@protonmail.com'

The text provided above is only an excerpt and includes the noticeable changes made by this particular distributor. As a rule, Scarab’s messages include a short guide on how to buy Bitcoins from Localbitcoins.com and Coindesk.com. Also, the affected users are warned not use third-party decryptors as they will damage their data. The last part is verified, but you should be fine using backup images and the System Recovery disks that would allow you to return the original data to your memory drives. We encourage users to use backup managers and file hosting services as a way to counter cyber-threats like the Scarab-Ironhead Ransomware. Do not write to 'fileisafe@tuta.io' and 'fileisafe@protonmail.com;' instead, run a complete system scan and remove the threats that may be picked up.

Update December 19th, 2018 — 'aztecdecrypt@protonmail.com' Ransomware

Another new threat called the 'aztecdecrypt@protonmail.com' Ransomware, which belongs to the prolific Scarab Ransomware family has been detected in the wild. We have been following the expansion of the Scarab family ever since it was first offered as a RaaS (Ransomware-as-a-Service). In just a small number of months, due to this business model, a multitude of Scarab variants have seen the light of day in rapid succession.

The differences between them have been minimal, and it is the same with the 'aztecdecrypt@protonmail.com' Ransomware. This time all the encrypted files will have their extensions changed to ‘.aztecdecrypt@protonmail[.]com.’ The ransom note will be dropped in a text file named ‘HOW TO DECRYPT FILES.TXT.’ The text of the ransom note is:

’All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: aztecdecrrypt@protonmail.com or aztecdecryptor@mailfence.com
If you don't get a reply or if the email dies, then contact us using Bitmessage.

Free decryption as guarantee:
Before paying you can send us 1 files for free decryption.
The total size of file must be less than 10Mb (non archived), and file should not contain valuable information (databases, backups, large excel sheets, etc.’)

The ransom note also contains a personal identifier that each affected user should send in the email to the cybercriminals to receive the correct decryption key.

However, it is not recommended contacting the criminals in any way or giving them any money. By meeting their demands, you will simply encourage the creation of additional ransomware variants. Not to mention that there are absolutely no guarantees that even after paying the requested Bitcoin amount, you will receive the required decryption key. The best course of action is to use a legitimate anti-malware software to remove this Scarab variant and restore the affected files from a backup.

Update December 20th, 2018 — 'rapid.supp@qq.com' Ransomware

The 'rapid.supp@qq.com' Ransomware is a file cryptor Trojan that is classified as a new variant of the Scarab Ransomware. This new cyber threat emerged on December 20th, 2018 and conformed to the standard Scarab threat we have been tracking for the last two years. The 'rapid.supp@qq.com' Ransomware is perceived as a minor update considering that it uses a standard ransom note and the same encryption technologies as older variants. In addition, the 'rapid.supp@qq.com' Ransomware is distributed via spam emails primarily as of the time of writing this update. The threat is reported to encipher images, audio, video, databases and text forcing users to apply a decryptor to the affected data.

The 'rapid.supp@qq.com' Ransomware is programmed to attach the '.rap' suffix to the filenames and drop a ransom message titled 'HOW TO RECOVER ENCRYPTED FILES.TXT' to the desktop. For example, 'Baia do Sancho Beach-Brazil.png' is renamed to 'Baia do Sancho Beach-Brazil.png.rap' and its icon would look like a white sheet of paper as opposed to an ordinary PNG file. The Scarab Ransomware platform is used by threat actors widely, and it appears that the people behind this new variant are using the 'rapid.supp@qq.com' email account for negotiating payments with their victims. There is no ransom amount listed in the 'HOW TO RECOVER ENCRYPTED FILES.TXT' and the latest Scarab-based Trojans direct users to reach out to the threat operators via email. It is believed that the ransomware operators are profiling each victim by using lists of encrypted files and general conversation regarding the decryption service they offer. Computer security experts encourage the users to avoid contact with the 'rapid.supp@qq.com' Ransomware team and use data backups as available.

Update December 28th, 2018 — Scarab-nano Ransomware

The Scarab-nano Ransomware is a lackluster update to the Scarab Ransomware line of cyber-threats. The Scarab-nano Ransomware performs identically to Trojans in the same family that had been released earlier. There are only two notable differences in the Trojan at hand. The first being the use of the '.nano' extension and the second is the introduction of the 'private-key@foxmail.com' email account for contact with potential victims. The Scarab-nano Ransomware supports the same ciphers as the 'rapid.supp@qq.com' Ransomware and the 'aztecdecrypt@protonmail.com' Ransomware that emerged earlier. The Scarab-nano Ransomware is known to encipher data on local and removable memory devices regardless of their type (SSD or HDD). The threat removes the System Restore points and the Shadow Volume snapshots found on infected hosts before it proceeds to overwrite targeted data. As the name suggests, the Scarab-nano Ransomware adds the '.nano' suffix to filenames. For example, 'Sabathon-Carolus Rex.mp3' is renamed to 'Sabathon-Carolus Rex.mp3.nano.' The ransom alert is presented as a simple text file called 'RECOVER ENCRYPTED FILES.txt' that offers a typical Scarab notification:

'All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: private-key@foxmail.com'

The notification produced by the Scarab-nano Ransomware may include instructions not to rename encrypted objects and not to contact AV companies for help. We suggest removing the Scarab-nano Ransomware using a respected anti-malware utility and booting data backups as opposed to paying money to the cybercriminals. The Scarab Ransomware family has many variants since it is developed as a malware builder. You should take steps to limit the impact of potential ransomware attacks by installing a backup manager on your device and avoid emails that may direct you to open potentially corrupted documents.

Update January 12th, 2019 — Scarab-krab Ransomware

The Scarab-krab Ransomware is a customized version of the Scarab Ransomware Trojan that came out on January 12th, 2019. The Scarab-krab Ransomware features minor changes compared to the version listed above. The Scarab-krab Ransomware is known to be used in attacks on small businesses that use poorly protected remote desktop accounts and outdated software infrastructure. The Scarab-krab Ransomware is reported to encipher images, audio, video, databases, and office documents saved to the local memory storage. Computer security researchers alert that the Scarab-krab Ransomware removes the System Restore points and the Shadow Volume snapshots on the infected devices, thus, making the recovery possible only through the use of third-party backup solutions. The encrypted files receive the '.[[crab1917@gmx.de]].krab' extension and something like 'The Isley Brothers-It's Your Thing.mp3' is renamed to 'The Isley Brothers-It's Your Thing.mp3.[[crab1917@gmx.de]].krab.' The ransom message is presented as '!!! RETURN YOUR FILES !!!.TXT' and reads:

'Hello Friend!
All your files are encrypted...
Your personal identifier:
[random characters]
For instructions for decrypting files, please write here:
crab1917@gmx.de
crab1917@protonmail.com
Be sure to include your identifier in the letter!
If you have not received and answer, write to me again!!'

The Scarab-krab Ransomware behaves identically to many other Scarab variants and can be countered by a good backup policy. It is recommended that users and server administrators employ a credible backup service. You should export your data backups to memory storage that is not connected to your primary system at all times. Do not write to 'crab1917@gmx.de' and 'crab1917@protonmail.com;' instead, clean the affected machine using a trusted anti-malware product.

Update January 14th, 2019 — Scarab-Zzz Ransomware

The Scarab-Zzz Ransomware is a generic version of the Scarab Ransomware that received attention on January 14th, 2019 for the first time. The threat is distributed via spam emails and corrupted Microsoft Word documents. The Scarab-Zzz Ransomware features small modifications compared to the main cyber-threat that translates into small differences in the cyber attack. The Scarab-Zzz Ransomware Trojan uses almost the same rename pattern, and it uses almost identical ransom note compared to versions we have reported earlier. The rename pattern is described as . and something like 'Stoneywood paper mill.docx' is renamed to 'U3RvbmV5d29vZCBwYXBlciBtaWxsLmRvY3gNCg==.zzzzzzzz.' The Scarab-Zzz Ransomware encodes the same range of data formats as other Scarab versions, and users lose access to photos, audio, video, databases and text. The threat actors appear to use the 'rohitramses@protonmail.com' and the 'rohitramses@tutanota.com' email accounts for reaching out to victims. In addition, the threat actors may be reached through the BitMessage platform and payment is accepted in both Bitcoin and Dashcoin. The ransom note is packed as 'HOW TO RECOVER ENCRYPTED FILES.TXT' and the main body reads:

'---= ^_^ Your files are now encrypted!! ^_^ =---
Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique private decryptor. Only we can give you this decryptor and only we can recover your files.
IN ORDER TO PREVENT DATA DAMAGE:
*DO NOT MODIFY ENCRYPTED FILES
*DO NOT CHANGE DATA BELOW
*Do not rename encrypted files.
*Do not try to decrypt your data using third party software, it may cause permanent data loss.
*Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Now you should send us email with your key identifier and version.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins or Dash. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
If the payment isn't made with in 5 days the cost of decrypting files will be doubled
We can give you free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 100kb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
You can contact us in these email address:
----- rohitramses@protonmail.com ---or--- rohitramses@tutanota.com ------
If you don't get a reply or if the email dies, then contact us using Bitmessage.
Download it form here: h[tt]ps://bitmessage[.]org/wiki/Main_Page
Run it, click New Identity and then send us a message at BM-2cSzfawmdGKeT8ny99qtMeiGb27TcVBJXz'

Update January 29th, 2019 — Scarab-Joke Ransomware

The Scarab-Joke Ransomware is a generic variant of the Scarab Ransomware that was reported on January 28th, 2019. The Scarab-Joke Ransomware is produced using the Scarab Ransomware Builder that is maintained as a service for third-parties. The Scarab-Joke Ransomware features small modifications compared to other variants in the same threat family. The Scarab-Joke Ransomware may connect to the same command servers as other Scarab variants, but the Trojan is distributed from different IP addresses and email accounts. The Scarab-Joke Ransomware is named after the file marker it places on encrypted files. Threats like the one at hand are difficult to name considering that there are no significant changes to the corrupted code. The threat distributors made superficial changes only. For example, 'Deuce-Nightmare.mp3' is renamed by the Trojan to 'Deuce-Nightmare.mp3.joke' and the typical ransom note — 'HOW TO RECOVER ENCRYPTED FILES.txt' is saved to the desktop.

However, the Scarab-Joke Ransomware directs the affected users to contact a new set of email accounts if they are interested in acquiring a decryptor. The threat actors are using the 'projectjoke@india.com' and the 'projectJoke@aol.com' email accounts, judging by user reports. It is not a good idea to contact the ransomware operators as you may be directed to transfer hundreds of dollars worth of Bitcoin to the wallet of the cybercriminals. Instead, you can load data backups and restore your files to normal by using clean copies. The removal of the Scarab-Joke Ransomware should be carried out using a reliable computer security instrument.

Update February 7th, 2019 — Scarab-nosafe Ransomware

The Scarab-nosafe Ransomware is a ransomware threat that has been discovered by malware experts recently. This new threat is a part of the Scarab Ransomware family, which rose to prominence in the past few years and caused headaches to people all around the globe. As any other ransomware threat, the Scarab-nosafe Ransomware's mission is to get into your PC, encrypt your data, and hold your files hostage until you pay a ransom fee, which more often than not is an ungodly sum.

The Scarab-nosafe Ransomware is most likely being propagated via spam email campaigns where the fraudulent emails would contain a seemingly harmless attachment, but it may execute a macro script, which is able to unpack and execute the ransomware in the background silently. When the Scarab-nosafe Ransomware has snuck into your computer, it will begin to lock your data. When a file has been encrypted, the Scarab-nosafe Ransomware applies a '.nosafe' extension to its name so that if you had a song called 'yellow.mp3' after encryption, it would look like this – 'yellow.mp3.nosafe.'

The Scarab-nosafe Ransomware drops a ransom note named 'HOW TO RECOVER ENCRYPTED FILES.txt.' In the note, the creators of the Scarab-nosafe Ransomware do not mention the exact sum demanded in exchange for the decryption key, but it is safe to assume that it will not be cheap. Like most cybercriminals, the authors of this pest prefer to do their 'business' via Bitcoin because it is far less likely to be traced and it is almost impossible that they will face any consequences. It also is mentioned the email addresses where you could get in touch with them – nosafe@india.com and nosafe@airmail.cc.

Unfortunately, malware researchers have not yet developed a decryption tool for the Scarab-nosafe Ransomware so that the free decryption of your data may not be possible. If you happen to have backups of your files then you are worry free – you can reverse the damage and restore the data. However, if you do not, things get a little trickier. Your only chance then is a 3rd party file-recovery application, which is unlikely to be capable of restoring all the locked data but, hey, some of the files is better than none, right?

In any case, the best advice we can give you is to download and install a reputable anti-spyware application, which would locate the Scarab-nosafe Ransomware and clear your system leaving no trace of this pest.

Technical Information

File System Details

Scarab Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 osk.exe 512,000 cc74e57fa7575573e12255a4ef6d77e3 19
2 C:\Users\user\AppData\Roaming\Microsoft\file.exe 47,104 0d4e6b84863d2a93542b6e24b6a61d5a 15
3 %SystemDrive%\Users\jkh\AppData\Roaming\sevnz.exe 262,656 331f8b1153eeb461eb10d7a71bbbd763 1
4 f08ef840f59cbd4c4695e36ef3eaa9d7 143,360 f08ef840f59cbd4c4695e36ef3eaa9d7 1
5 bb41f0323bc51d479f1ae4a36321ad0f 423,936 bb41f0323bc51d479f1ae4a36321ad0f 0
More files

Registry Details

Scarab Ransomware creates the following registry entry or registry entries:
Regexp file mask
%APPDATA%\bwint.exe
%APPDATA%\Microsoft\wxmon.exe
%APPDATA%\sevnz.exe

Related Posts

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.


HTML is not allowed.