Necrus botnet started distributing Scarab ransomware

by Lucia Danes - - 2017-11-24

Scarab is updated again and spreads via Necrus botnet

Necrus botnet pushes Scarab ransomware

Security experts warn that it’s time to update your backups and be careful with received emails. The popular malspam botnet Necrus started spreading Scarab^[1] ransomware virus. According to the latest data, the botnet already sent about 12.5 infected emails.

Scarab has been noticed in June 2017 for the first time appending .scarab file extension to the files. Later it was updated and started using .scorpio suffix to make files inaccessible. The recently detected distribution campaign seems to spread a third updated version of the ransomware.

The latter version appends .[suupport@protonmail.com].scarab file extension to prevent users from opening their files. In order to prevent users from using third-party recovery tools, the virus also deletes Shadow Volume Copies and other default Windows recovery features.

Once files are damaged, the virus downloads and opens a ransom note called IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT. However, this threatening message does not reveal the size of the ransom. Victims are supposed to contact criminals via provided email address – suupport@protonmail.com – as soon as possible because the size of the payment depends on contacting speed.

Infected emails include scanned documents

The beginning of Scarab distribution was recorded on the 23rd of November. The campaigns mostly targeted the United Kingdom, Australia, France, and Germany.^[2]

Cyber criminals are good in social engineering and know all the tricks to convince people into opening a malicious attachment. Currently, Scarab’s payload is included into the emails with fake images of scanned documents and have these subject lines:

Scanned from Lexmark,
Scanned from Epson,
Scanned from HP,
Scanned from Canon.

However, users are advised to be cautious because criminals might use different titles for the malicious emails. The spoofed sender’s name follows this scheme: copier@precipient’s email domain. Additionally, the dangerous email also include 7Zip file, which is named as image2017-11-23-[random digits].7z^[3] (the date of the image might change too).

The archive includes a malicious Visual Basic script that downloads malware to %Application Data%\\sevnz.exe directory and starts execution.

Necrus actively pushes file-encrypting viruses this year

Nevertheless, Necrus botnet went offline in June 2016; its activity came back to normal. However, this year the botnet was very active. Scarab is the fourth malspam campaign that it is being distributed this year. It was spreading the infamous Locky,^[4] Jaff, Globe Imposter and Trickbot^[5] banking trojan.

Internet users are advised to stay away from emails that look suspicious. If you did not expect to receive a scanned document, do not open it no matter how curious you might be. Additionally, you should not open any documents or other files if you do not know the sender, the letter is full of mistakes, and you did not expect to receive such email at all.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions

References

^ Julie Splinters. Scarab ransomware virus. How to remove? (Uninstall guide). 2-spyware. Security and spyware news.
^ Ben Gibney and Roland Dela Paz. Massive Email Campaign Spreads Scarab Ransomware. Forcepoint blogs. News, views and insights for security professionals to defend against cyber attacks and data theft.
^ Necrus Botnet Malspam pushes "Scarab" ransomware. Malware Traffic Analysis. Focuses on network traffic related to malware infection.
^ Ugnius Kiguolis. Locky has become the most dangerous ransomware in the world. No Virus. Latest security news from British research team.
^ Michael Mimoso. Spam Domains Imitating Popular Banks Spreading Trickbot Banking Trojan. Threatpost. Security news.