Scarab-Rent Ransomware

By GoldSparrow in Ransomware

The Scarab-Rent Ransomware is another variant of the Scarab Ransomware, and it appeared in August 2018. The malware features slight changes in its encryption routine, new 'Command and Control' servers and a new email account for contact with the infected users: 'diven@cock.li'. The Scarab-Rent Ransomware is distributed to users via phishing emails that may look like job applications and package delivery reports. PC users are advised to avoid spam emails and to check that macros are disabled in their office suite to limit exposure to threats like the Scarab-Rent Ransomware.

The team behind the Trojan has been abusing macros to gain access to remote computers, encrypt the saved data and invite the users to buy a decryptor for hundreds of dollars. As its name suggests, the Scarab-Rent Ransomware encodes the targeted files and adds the '.rent' suffix to the filenames. Affected users are unable to open images, text, databases, PDFs, audio and video recordings. For example, 'Life of Boris.mp4' is renamed to 'Life of Boris.mp4.rent'. The ransom note is presented in 'Инструкция по расшифровке файлов Rent.TXT' (Instruction for decoding files.txt), which features text in Russian. The malware operators might respond to emails sent to 'diven@cock.li' and direct users to a TOR-based payment portal.
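The rename pattern and note filename described above can be turned into a triage check over a file listing. This is an added example, not code from the original write-up; the function names and sample paths are constructed, and only the '.rent' suffix and the note filename come from the text.

```python
import os
import unicodedata
from pathlib import PureWindowsPath

SUFFIX = ".rent"                                     # suffix named in the write-up
NOTE = "Инструкция по расшифровке файлов Rent.TXT"   # note name from the write-up


def _norm(name):
    # NFC + casefold: 'й' may arrive decomposed (NFD) from some file systems
    # or export tools, and Windows file names are case-insensitive.
    return unicodedata.normalize("NFC", name).casefold()


def classify(paths):
    """Sort file paths into ransom notes and '.rent'-suffixed files."""
    report = {"notes": [], "high": [], "low": []}
    for p in paths:
        name = PureWindowsPath(p).name  # accepts both '\\' and '/' separators
        if _norm(name) == _norm(NOTE):
            report["notes"].append(p)
            continue
        stem, ext = os.path.splitext(name)
        if ext.casefold() != SUFFIX:
            continue
        # 'x.mp4.rent' still carries its old extension, which matches the
        # appended-suffix behaviour; a bare 'x.rent' may be an unrelated file.
        bucket = "high" if os.path.splitext(stem)[1] else "low"
        report[bucket].append((p, stem))  # stem is the pre-rename file name
    return report


def scan(root):
    """Run classify() over every file under a directory tree."""
    return classify(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)


# Constructed sample listing (hypothetical paths, not taken from a real host).
SAMPLE = [
    r"C:\Users\a\Videos\Life of Boris.mp4.rent",
    r"C:\Users\a\Docs\budget.xlsx.RENT",
    r"C:\Users\a\Docs\lease.rent",
    r"C:\Users\a\Docs\notes.txt",
    "C:\\Users\\a\\Desktop\\" + unicodedata.normalize("NFD", NOTE),
]

if __name__ == "__main__":
    for kind, items in classify(SAMPLE).items():
        print(kind, len(items))
```

A ransom note in the listing together with 'high' entries is the combination worth escalating; 'low' entries alone need a manual look.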

Computer security experts warn that complying with the terms in the 'Инструкция по расшифровке файлов Rent.TXT' is not a good idea. Users compromised by the Scarab-Rent Ransomware may be tricked, and they may not receive a decryptor. There are a few reliable ways to recover your data, which include booting backup images, using System Recovery disks and using services like Microsoft's OneDrive. You can clean leftover files from the Scarab-Rent Ransomware by running a complete system scan with a respected anti-malware solution.

The ransom note dropped by the Scarab-Rent Ransomware reads:

'Write to mail - diven@cock.li
YOUR FILES ARE STRIKED!
Your personal identifier
[random characters]

Your documents, photos, databases and other important files have been encrypted.
Every 24 hours 24 files are deleted, you need to send your ID so that we disable this function.
Every 24 hours the cost of decrypting data is increased by 30% (after 72 hours the amount is fixed)
To decrypt the data:
Write to mail - diven@cock.li
* In the letter, enter your personal identifier
* Attach 2 files to 1 mb for test decryption.
we decipher them, as evidence that ONLY WE can decipher them.
- The faster you tell us your ID, the faster we turn off arbitrary deletion of files.
-Writing to us on the mail you will receive further instructions on payment.
In the reply letter you will receive a program for decryption.
After starting the decryption program, all your files will be restored.

Attention!
* Do not attempt to uninstall the program or run antivirus software
* Attempts to self-decrypt files will result in the loss of your data
* Decoders of other users are incompatible with your data, as each user
unique encryption key
* Do not try to find a solution on the side, it's a 100% divorce. Nobody except us can decipher.
If I can not connect through the mail, I can not
* Register on the site hxxp://bitmsg[.]me (online delivery service Bitmessage)
* Write a letter to the address BM-2cXv1tCz4mRNE52UyDZ7DWDdvfUf5ed6GB with your email and
personal identifier

Your personal identifier
[random characters]'
