Scarab-X3 Ransomware

The Scarab-X3 Ransomware is a generic encryption Trojan that is based on the Scarab Ransomware Builder. The Scarab-X3 Ransomware was identified by AV companies on February 18th, 2019. The Scarab-X3 Ransomware Trojan may infect devices through spam emails and macro-enabled documents. The Scarab-X3 Ransomware Trojan uses industry-standard encryption technologies to lock content on the compromised machines and suggest to users to buy a decryptor. The data affected by the Scarab-X3 Ransomware carries the '.X3' suffix, which is the basis for the threat name. For example, 'Johnson Bros. Roll Forming Co Offer.pptx' is renamed to 'Johnson Bros. Roll Forming Co Offer.pptx.X3' and it can't be read by software like Microsoft Powerpoint (or alternatives like LibreOffice Impress). The ransom note is slightly different compared to other Scarab-based variants, but it features the same name — 'HOW TO RECOVER ENCRYPTED FILES.TXT' and reads:

'All your files are encryped!
Your ID
[random characters]
Get a decoder:
glorypay@aol.com
glorypay@airmail.cc
The letter should contain "Decoder" theme (if you do not specify, you can get into spam).
You must send:
1) Personal identifier
2) Several text files or pictures.
(To test the decoder).
3) the total file size should not exceed 10 MB
If you try to recover the files yourself,
you will damage them and we will not be able to help you.'

The threat actors seem to operate the 'glorypay@aol.com' and the 'glorypay@airmail.cc' emails and use them to contact the first wave of compromised users. We are likely to receive reports of other emails related to the Scarab-X3 Ransomware after email services terminate 'glorypay@aol.com' and 'glorypay@airmail.cc' on their platforms. It is not a good idea to communicate with the Scarab-X3 Ransomware actors as you might be instructed to transfer hundreds of dollars worth of Bitcoin to a temporary wallet address and you may not receive a decoder. You might prefer to boot data backups and access archive files as a safer alternative.