
Scarab-Red Ransomware

By GoldSparrow in Ransomware

The Scarab-Red Ransomware is an encryption ransomware Trojan in the Scarab family. Ransomware in this family has been released steadily since March 2018, which may be related to the use of a ransomware builder and possibly a Ransomware as a Service platform associated with this threat. The Scarab-Red Ransomware variant was first observed in early July 2018. The main way the Scarab-Red Ransomware is delivered to its victims is through a corrupted text file containing embedded macro scripts that download and install the Scarab-Red Ransomware onto the victim's computer. The Scarab-Red Ransomware is nearly identical to many other Scarab variants released in the months before it.

The Scarab Family Now Has a Red Member

There is nothing to differentiate the Scarab-Red Ransomware from the various other variants in this family of ransomware. The Scarab-Red Ransomware uses AES-256 encryption to make the victim's files inaccessible, encrypting a wide variety of file types, including numerous media files, databases and document types. Once the Scarab-Red Ransomware has finished encrypting the files, they are inaccessible without the decryption key, which the criminals hold in their possession. The following are examples of the files that threats like the Scarab-Red Ransomware will target in these attacks:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The Scarab-Red Ransomware adds the file extension '.red' to each affected file and enciphers the file names using base64, a feature incorporated into the Scarab variants later in their life cycle and not present in the earliest variants of this threat. Apart from encrypting the victim's files, the Scarab-Red Ransomware also deletes alternate recovery methods, which may include the System Restore points and the Shadow Volume Copies of the affected files. Unfortunately, once the Scarab-Red Ransomware's encryption is done, the damaged files will not be recoverable without the decryption key.

The Scarab-Red Ransomware’s Ransom Note

The Scarab-Red Ransomware delivers its ransom note in a text file named 'HOW TO RECOVER ENCRYPTED FILES.TXT'. The Scarab-Red Ransomware ransom note contains the following text:

'Hello!
All your files have been encrypted!
Don;'t worry, you can return all your files!
Your ID:
[random characters]
If you want restore files write on email:
BM-2cTzz6rwtd8d7qd1wVegH6sZ44GbNPV8Li@bitmessage.ch
decry1@cock.li and decry2@cock.li'

Although the Scarab-Red Ransomware's ransom note suggests that the victims should contact the criminals via email, PC security researchers strongly advise against doing this. Typically, the victim will be asked to pay hundreds of dollars using Bitcoin with no guarantee that the criminals will restore the affected files. In most cases, the criminals will target the victim for additional attacks since they have demonstrated a willingness to pay and vulnerability to one attack.
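The two on-disk traces described above (base64-style names ending in '.red' and the ransom note file) can be combined into a triage check over a file listing. This is an added example, not code from the original article; the function names, thresholds and sample paths are constructed, and the accepted base64 alphabet is an assumption because the article does not specify it.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "HOW TO RECOVER ENCRYPTED FILES.TXT"  # ransom note name given in the article
EXTENSION = ".red"                                 # appended extension given in the article
# Assumption: the article says only "base64"; accept the standard and URL-safe
# alphabets minus "/", which cannot occur in a Windows file name.
B64_STEM = re.compile(r"[A-Za-z0-9+_\-]{12,}={0,2}")

def looks_base64(stem):
    """Heuristic: stem is a plausible base64 string (alphabet, length, mixed classes)."""
    if not B64_STEM.fullmatch(stem):
        return False
    if len(stem.rstrip("=")) % 4 == 1:  # impossible length for base64 data
        return False
    classes = sum(bool(re.search(p, stem)) for p in ("[A-Z]", "[a-z]", "[0-9]"))
    return classes >= 2  # filters ordinary single-case names

def triage(paths, min_files=2):
    """Group a file listing by directory; return directories to review first."""
    stats = defaultdict(lambda: {"renamed": 0, "note": False})
    for raw in paths:
        p = PureWindowsPath(raw)
        entry = stats[str(p.parent)]
        if p.name.upper() == NOTE_NAME:
            entry["note"] = True
        elif p.suffix.lower() == EXTENSION and looks_base64(p.stem):
            entry["renamed"] += 1
    # Require both traces together to keep false positives low.
    return sorted(d for d, s in stats.items()
                  if s["note"] and s["renamed"] >= min_files)

# Constructed sample listing (not real victim data).
SAMPLE = [
    r"C:\Users\alice\Documents\HOW TO RECOVER ENCRYPTED FILES.TXT",
    r"C:\Users\alice\Documents\k3VQx0a9ZmT2LwPd7HcR.red",
    r"C:\Users\alice\Documents\Zq8Lm2Xc9TtB4nRw5A.red",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\bob\Pictures\red-team logo.red",
    r"C:\Users\bob\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    for directory in triage(SAMPLE):
        print("review:", directory)
```

A flagged directory only indicates where to look first; it does not recover file names or contents.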

Protecting Your Data from Threats Like the Scarab-Red Ransomware

The best protection against threats like the Scarab-Red Ransomware is to have file backups stored in the cloud or on an external memory device. Having file backups means that computer users can restore their files quickly without having to interact with the criminals responsible for the Scarab-Red Ransomware attack. A fully up-to-date security solution should also be used to protect your computer preemptively.
