SCARAB – The Latest Ransomware Threat

A new strain of ransomware — SCARAB — began hitting millions of inboxes last week; make sure your business knows how to protect against it.

Ransomware is now a household name, and there’s no going back. Even though cybercriminals have been using ransomware for years now, it wasn’t until the global Wanna Cry ransomware attack earlier this year that awareness reached critical mass – but that was just the beginning.

The latest development in the ever-evolving series of ransomware attacks uses the internet’s largest email spam botnet to propagate a relatively new ransomware known as “SCARAB”. This strain works similarly to the “Jaff” ransomware, relying on the now infamous Necurs botnet to reach millions of potential targets.

This threat was first detected by Forcepoint Security Labs as a part of a malicious email campaign that arrived in target inboxes on November 23^rd at 7:30 AM UCT. From the time of the first detected email and over the following 4 hours, Forcepoint observed an increase in SCARAB emails from just under 100,000 separate incidents to nearly 350,000. At its peak, the SCARAB ransomware campaign was sending more than two million emails per hour. A vast majority of the emails carrying SCARAB are targeting .com addresses, followed by various European domains.

Identifying SCARAB – Look Out For This Email Subject Line

Ransomware emails sent by Necurs carrying SCARAB have the subject, “Scanned from {printer company name}”, a phishing ruse similar to those employed by cybercriminals involved in the Locky ransomware campaign. The includes a .zip file that is assumed to be a scanned document or image file but actually contains a VBScript downloader.

Once executed, SCARAB drops a copy of itself, creates a registry entry as an autostart mechanism, and encrypts files using a “.scarab” extension. The ransom note is then placed in every affected directory, named “WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS. TXT”.

Contradictory to other major ransomware campaigns, SCARAB does not necessarily state a specific monetary amount for the ransom, instead of saying, “the price depends on how fast you write to us”. Payment can be made through an email address, or through an alternative BitMessage contact mechanism.

What Can You Do To Protect Your Business From SCARAB?

As with any strain of ransomware, there are a few key steps you and your employees can take to protect your business:

• Be suspicious of emails and attachments from people or companies that you don’t do business with, as most ransomware infections arrive via infected word/xls/zip/exe files.
• Backup your data on-site and off-site, and test your backups regularly.
• Create a plan for getting infected, and regularly test your plan.
• Consult with trusted cybersecurity and IT professionals.

Remember – you don’t have to do this alone. Dynamic Quest will help you set up robust backup solutions, develop cybersecurity response strategies, and help you protect against threats like SCARAB ransomware.

For more information about SCARAB and how to protect against it, contact Dynamic Quest!