Scrabber Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 7
First Seen: October 17, 2018
Last Seen: July 23, 2019
OS(es) Affected: Windows

The Scrabber Ransomware is an encryption ransomware Trojan based on HiddenTear, an open source ransomware platform that has been the basis for countless variants of these threats. The Scrabber Ransomware is commonly delivered to victims via spam email attachments. It is designed to take the victim's data hostage and demand a ransom payment in exchange for restoring access to the data that was made inaccessible.

How You Will Know That the Scrabber Ransomware Is on Your Machine

There is very little to differentiate the Scrabber Ransomware from the many other encryption ransomware Trojans that are active, particularly the many variants of HiddenTear. Like those similar threats, the Scrabber Ransomware uses AES encryption to encrypt the victim's files, targeting user-generated files such as those with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

Each file the Scrabber Ransomware encrypts is marked with the file extension '.junked', which is added to the file's name.

The Scrabber Ransomware's Ransom Demand

The Scrabber Ransomware delivers a ransom note in a text file named 'ПРОЧИТАЙ БЛЯТ!.txt' ('READ DAMN IT!.txt'), which is dropped on the infected computer's desktop. The Scrabber Ransomware also changes the infected computer's desktop image. This ransom note contains the following text, written both in Russian and in English:

'All your files are encrypted in a secure AE5-256 encryption algorithm and now have a level of over-secrecy. Do not rush to close this the window because you won't see it again. Follow the instructions below, but do not rush because we have to tell two simple things:
1. we do not mosheniki not liars, we are behind You and will help with rasshifrovka Your precious files
2. Encryption is a reversible cryptographic action that changes the encoding of the file on its own (this is visible in here the characters but we the first paragraph will help you with deciphering) we operate on the principle: Encrypted and we give you the files for free, we do not need bitcoins received by exchange or long work with your mining.
Contact us at mail: decriptscrabber@mail.ru
If our main mail is blocked because of a complaint, we advise you to contact by mail: trinskertak.ru. Again, we repeat: do NOT CLOSE this window because YOU NO LONGER WILL SEE IT WHEN YOU REBOOT.
A successful decryption, oh yeah we forgot! To obtain the key, send the PC and user name to us, received enter the password and click on decryption.
To find out the list of encrypted files click on the button: -Encrypted files" Now successful accurately decoding!'

The Scrabber Ransomware also delivers a pop-up window with the following text:

'Scrabber Ransomware
Your documents, fotos, databases and etc.
has been encrypted.
please contact to post address:
trinskert@bk.ru'

PC security analysts strongly advise computer users not to pay the Scrabber Ransomware ransom or negotiate with the criminals responsible for the Scrabber Ransomware attack.
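
A read-only triage scan for the two on-disk indicators described above, the '.junked' extension and the ransom note file name, can help scope which folders and file types were hit. This is an added example, not code from the original page; the `triage` function and its report layout are hypothetical, and it assumes '.junked' is appended after the original extension (for example `report.docx.junked`).

```python
import os
import sys
import unicodedata
from collections import Counter
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_SUFFIX = ".junked"
RANSOM_NOTE_NAME = "ПРОЧИТАЙ БЛЯТ!.txt"


def _fold(name):
    # Windows file names are case-insensitive; normalise Unicode before comparing.
    return unicodedata.normalize("NFC", name).casefold()


def triage(root):
    """Walk `root` and summarise Scrabber artifacts without modifying anything.

    Returns a dict with:
      encrypted - paths of files carrying the .junked suffix
      by_type   - Counter of the original extension preceding .junked
      notes     - paths of ransom-note files
      dirs      - Counter of directories by number of encrypted files
    """
    encrypted, notes = [], []
    by_type, dirs = Counter(), Counter()
    # os.walk skips directories it cannot read, so a partial scan still completes.
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if _fold(name) == _fold(RANSOM_NOTE_NAME):
                notes.append(path)
            elif _fold(name).endswith(ENCRYPTED_SUFFIX):
                # Assumption: the original extension sits just before .junked.
                original = Path(name[: -len(ENCRYPTED_SUFFIX)])
                by_type[original.suffix.lower() or "(none)"] += 1
                dirs[dirpath] += 1
                encrypted.append(path)
    return {"encrypted": encrypted, "by_type": by_type, "notes": notes, "dirs": dirs}


if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else str(Path.home()))
    print(f"ransom notes found: {len(report['notes'])}")
    print(f"files with {ENCRYPTED_SUFFIX}: {len(report['encrypted'])}")
    for ext, count in report["by_type"].most_common(10):
        print(f"  {ext:10} {count}")
    for folder, count in report["dirs"].most_common(5):
        print(f"  {count:6} {folder}")
```

Run it against a mounted copy or image of the affected profile rather than the live system where possible, so file timestamps are preserved for later analysis.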