Necurs pushes spam emails infected with Scarab ransomware

Necurs sends over 10 million spam emails infected with Scarab ransomware

Scarab is spread by Necurs botnet

According to the latest reports, the infamous Necurs botnet is still active. This time, the most significant spam botnet is being used to spread Scarab ransomware.[1] It is believed that Necurs has already sent over 12 million emails carrying an infected attachment.

The main target countries are:

  • USA;
  • Australia;
  • UK;
  • France;
  • Germany.

However, even if you don’t live in these countries, you must be very careful with every email sent to you by an unknown sender. Otherwise, you can download a virus that encrypts your files and asks you to pay a ransom in exchange for a decryption key.

The subject line used to trick unaware PC users into downloading an infected attachment is written using business-related vocabulary. The name of the attachment claims: “Scanned from [printer company name]” and may include such names as Canon, Epson or HP.[2] However, beware that the name of the attachment, the subject line, and similar details can be changed by hackers in the near future.

It’s not the first time Necurs has been used to spread ransomware

When it was discovered in 2012, the Necurs botnet was reported to spread the Dridex banking trojan. At that time, it was found in over 83,000 infections.[3] However, several years later it returned with a massive spam campaign pushing the infamous Locky ransomware with the help of millions of messages.

Last year this botnet was also found spreading the Jaff and GlobeImposter ransomware viruses, so it is no surprise that today it is used to distribute Scarab. It is believed that the botnet is composed of 5 – 6 million bots, so there is a great danger that its latest campaign will cause serious losses to companies and PC users.

Scarab ransomware. Main facts

Scarab ransomware is an average crypto-virus which can hardly be compared to Locky.[4] However, it can encrypt the victim's files and extort money in the form of a ransom. An interesting fact is that before asking for money, it offers to decrypt three files to prove that its decryption service works.

Once files are encrypted, a new extension, “.scarab” or “.scorpio”, is added to each of them. All instructions related to file decryption are written in the “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” document, which is saved in every folder that was attacked by the virus.

At this time, the ransom fee asked by the ransomware still varies. However, even if you were asked for a small amount, don't be naive: do not send your money to hackers.

Protecting yourself from attack

As we have already mentioned, you must be especially careful with spam email messages that are written in business-related language. They can present themselves as invoices, bills, business reports, important voice messages or payment receipts.

If you don't know the sender or if the message looks suspicious, you shouldn't even bother with opening it. If you still believe that someone is trying to send you an important business report, you can always contact the sender to get more details about the attachment.

Finally, don't forget about backups and anti-virus software. Keeping backups of your important data is the main way to avoid paying a ransom because you can recover your files with their help. Meanwhile, up-to-date antivirus software can prevent ransomware from infiltrating your computer.

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
