SCARAB – The Latest Ransomware Threat

A new strain of ransomware — SCARAB — began hitting millions of inboxes last week; make sure your business knows how to protect against it.

Scarab Ransomware

Ransomware is now a household name, and there’s no going back. Even though cybercriminals have been using ransomware for years now, it wasn’t until the global Wanna Cry ransomware attack earlier this year that awareness reached critical mass – but that was just the beginning.

The latest development in the ever-evolving series of ransomware attacks uses the internet’s largest email spam botnet to propagate a relatively new ransomware known as “SCARAB”. This strain works similarly to the “Jaff” ransomware, relying on the now infamous Necurs botnet to reach millions of potential targets.

This threat was first detected by Forcepoint Security Labs as a part of a malicious email campaign that arrived in target inboxes on November 23rd at 7:30 AM UCT. From the time of the first detected email and over the following 4 hours, Forcepoint observed an increase in SCARAB emails from just under 100,000 separate incidents to nearly 350,000. At its peak, the SCARAB ransomware campaign was sending more than two million emails per hour. A vast majority of the emails carrying SCARAB are targeting .com addresses, followed by various European domains.

Identifying SCARAB – Look Out For This Email Subject Line

Ransomware emails sent by Necurs carrying SCARAB have the subject, “Scanned from {printer company name}”, a phishing ruse similar to those employed by cybercriminals involved in the Locky ransomware campaign. The includes a .zip file that is assumed to be a scanned document or image file but actually contains a VBScript downloader.

Once executed, SCARAB drops a copy of itself, creates a registry entry as an autostart mechanism, and encrypts files using a “.scarab” extension. The ransom note is then placed in every affected directory, named “WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS. TXT”.

Contradictory to other major ransomware campaigns, SCARAB does not necessarily state a specific monetary amount for the ransom, instead of saying, “the price depends on how fast you write to us”. Payment can be made through an email address, or through an alternative BitMessage contact mechanism.

What Can You Do To Protect Your Business From SCARAB?

As with any strain of ransomware, there are a few key steps you and your employees can take to protect your business:

  • Be suspicious of emails and attachments from people or companies that you don’t do business with, as most ransomware infections arrive via infected word/xls/zip/exe files.
  • Backup your data on-site and off-site, and test your backups regularly.
  • Create a plan for getting infected, and regularly test your plan.
  • Consult with trusted cybersecurity and IT professionals.

Remember – you don’t have to do this alone. OffSite IT will help you set up robust backup solutions, develop cybersecurity response strategies, and help you protect against threats like SCARAB ransomware.

For more information about SCARAB and how to protect against it, contact the OffSite IT team at (866) 828--6674 or info@offsiteIT.com .

Alexssa

I first hired John directly as an employee back in 1999.
He was an excellent addition to a growing team at a small technology company. Subsequent to the sale of the company, John branched out on his own and started an IT consulting firm. Since that time, I have not used anyone else. John is capable, personable, has integrity and is also very likable. I would recommend him without reservation.”

  Kevin DiCerbo   

Connect With OffSite IT

  • Los Angeles / Orange County 22607 La Palma Avenue Suite 409 Yorba Linda, CA 92887
  • Chicago 6912 Main Street Suite 214 Downers Grove, IL 60516
  • 1-866-828_-6674 info@offsiteIT.com