Severity scale:  
  (97/100)

Remove Scarab ransomware / virus (Virus Removal Guide) - Jul 2020 update

removal by Julie Splinters - - | Type: Ransomware

Scarab ransomware – a dangerous file-encrypting virus distributed via Necurs since 2017

The picture illustrating Scarab malware

Scarab is a ransomware that employs sophisticated AES-256 and RSA-2048 algorithms to lock personal data on the targeted computer. As soon as it locks files, it marks them with a specific extension, such as .scarab, .langolier, and, later on, email-based appendixes like .btchelp@xmpp.jp  or .Ssimpotashka@gmail.com. However, you can also become a victim of Scarab-Recovery, Scarab-Turkish, Scarab-Barracuda, .anonimus.mr@yahoo.com, and numerous other versions.

After the data locking process, the Scarab virus drops a ransom note demanding from $300 to $500 in exchange for the key that can unlock encrypted data. The name of dropped ransom notes also varies depending on the version – HOW TO RECOVER ENCRYPTED FILES.TXT, IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT, and a few others, were used.

Scarab ransomware was spotted for the first time in June 2017 and had been reappearing with new versions since then. According to the latest research, it could be hailing from Animus ransomware developers, as it has been using the same email address for quite some time now. Sadly, only versions released prior to June 2018 can be decrypted, as new Scarab ransomware variants use an improved RSA encryption method.

Questions about Scarab ransomware virus

According to ransomware researchers, the ransomware is actively creating a collection of Scarab 2020. Since the beginning of this year, .rbs, .ncov, .DecSec, .worcservice@protonmail.ch, .inc_evilsi@protonmail.chand, .cov19, .bomba versions already emerged. The last one has been spotted in the middle of May leveraging the COVID-19 theme as a marker extension for encrypted files. At the moment, criminals are using the FushenKingdee@protonmail.com, madeinussr@protonmail.com, inc_evilsi@protonmail.ch, decoding_service@aol.com, worcservice@protonmail.ch, decoding_service@protonmail.com, logiteam@protonmail.com emails. Unfortunately, none of these versions can be decrypted. As pointed before, the available Scarab decryptor is capable of cracking variants launched before June 2018. 

SUMMARY
Name Scarab
Type Ransomware
might be related to Animu Locker
Versions Scorpio, Scarab-Amnesia, Scarab-Crypto, Scarab-Please, Scarab-Decrypts, Scarab-Horsia, Scarab-Walker, Scarab-Osk, DiskDoktor, Fastrecovery@airmail.cc ransomware, Scarab-Leen ransomware, Scarab-Bomber, Scarab-Good, Oneway, Danger, BtcKING, Recme, JungleSec, Dan ransomware, Deep ransomware, Scarab-Recovery, Scarab-Turkish, Scarab-Barracuda, Scarab-Anonimus, Scarab-zzzzzzzz, 
Danger level High. At the moment, the virus is especially active and keeps appearing with new versions
Cryptography AES-256; RSA-2048
File extensions .scarab, [email].scarab, [email].scorpio, [suupport@protonmail.com].scarab, .amnesia, .crypto, .please, .decrypts@airmail.cc, .red, .DD, .decryptsairmail.cc, .horsia@airmail.cc, .JohnnieWalker, .osk, .infovip@airmail.cc, .DiskDoctor, .fastrecovery@airmail.cc, .leen, .bomber, .recme, .oneway, .good., .deep, .BD.Recovery, .enter, .fast, .key, .[Firmabilgileri@bk.ru], .BARRACUDA, .anonimus.mr@yahoo.com, .zzzzzzzz, .{Help557@cock.li}.exe, .btchelp@xmpp.jp, .Ssimpotashka@gmail.com, .rbs, .ncov, .cov19, .DecSec, .worcservice @ protonmail.ch, .inc_evilsi @ protonmail.ch, .inchin, .bomba
Related files

IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_ PLEASE_READ_THIS.txt; HOW TO RECOVER ENCRYPTED FILES.TXT; TO RECOVER ENCRYPTED FILES-decrypts@airmail.cc.TXT; HOW TO DECRYPT WALKER INFO.txt; HOW TO RECOVER ENCRYPTED FILES-infovip@airmail.cc.TXT; HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT; Recover files-xmail@cock.li.TXT; INSTRUCTIONS FOR RESTORING FILES.TXT, HOW TO RECOVER – btchelp@xmpp.jp ENCRYPTED FILES.TXT, TO RECOVER.TXT

Language translated English, Russian, Turkish
Distribution Necurs botnet, malicious email attachments, fake Java or Adobe Flash Player updates, corrupted remote desktop apps
Decryption Dr. Web announced that some of the files encrypted by Scarab can be decrypted. Users should send an email to emte@adc-soft.com with few examples of affected data together with the ransom note
ElIMINATION Manual removal is not possible. To get rid of ransomware and its variants, download a reputable anti-malware, such as SpyHunter 5Combo Cleaner or Malwarebytes, and run a full system scan
System fix Ransomware is a complex computer infection, and it can negatively impact its performance even after it is eliminated. As a result, users might experience crashes, lags, and other stability issues. To remediate Windows and avoid its reinstallation, run a scan with repair software Reimage Reimage Cleaner Intego

This ransomware[1] is not an ordinary crypto-virus – it was found to use Necurs botnet[2] to spread around. Having in mind that it is the largest spam botnet, the possibility to get infected with Scarab increases greatly. Luckily, the notorious botnet was majorly disrupted in March 2020, reducing malware infections worldwide. In addition, some variants are spread via fake Flash Player and use exploit kits to get into the affected machines all over the world. 

Right after the infiltration, the virus encrypts video, music, picture, document, and similar personal data by using symmetric and asymmetric encryption algorithms. You can find files encrypted by ransomware by looking at the appendix of your files. If they have .scarab file extension, .scorpio, .zzzzzzzz, and similar suffixes, they are encrypted and you won't be capable of using them. 

The picture displaying Scarab malware text file.
Scarab virus uses AES-256 cryptography for data encryption.

Scarab locks files and demands a ransom in exchange for the key 

Originally, the ransom note of the Scarab virus is using the Russian language, but its latest versions are using the note translated into English. Typically, it reads:

 *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!

—– BEGING PERSONAL IDENTIFIER ————-

—– END PERSONAL IDENTIFIER ——————

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: [email address]

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).

[……]

To gain users' trust, the developers are offering free decryption of three files up to 1 MB in size. However, felons do not indicate the sum of the ransom but rather urge affected users to contact them as soon as possible since the deadline for the ransom payment ends after 72 hours.

Following these orders is not recommended. Cybercriminals cannot be trusted in any way, so after paying the ransom you may be left without both money and files. Security experts recommend victims remove Scarab ransomware instead of using a professional anti-malware tool, like Reimage Reimage Cleaner Intego or Malwarebytes.

Scarab scorpio file extension version
.scorpio file extension virus is an upgraded version of Scarab ransomware.

Once you complete the Scarab removal, you will be able to recover the biggest or even all of the encrypted files using third-party data recovery tools. You can find a comprehensive decryption tutorial at the end of this article. Alternatively, you can email a few encrypted files to Dr.Web (emte@adc-soft.com) and see if security experts can decrypt files for you.  

The ransom note of the virus is typically instructing the victim to provide the personal identifier and contact the felons via the provided email address. Updated variants of the Scarab virus have been using different email addresses for communication with victims. Some of the used emails are:

  • qa458@yandex.ru;
  • resque@plague.desi;
  • Help-Mails@Ya.Ru;
  • suupport@protonmail.com;
  • unlocking.guarantee@aol.com;
  • westlan@protonmail.ch;
  • anticrypto@protonmail.com;
  • decry1@cock.li;
  • decry2@cock.li;
  • decrypts@airmail.cc;
  • translatos@protonmail.com;
  • infovip@airmail.cc;
  • DiskDoctor@protonmail.com
  • fastrecovery@airmail.cc
  • xmail@cock.li
  • mr.leen@protonmail.com
  • bd.recovery@aol.com
  • firmabilgileri@bk.ru
  • barracuda@airmail.cc
  • ProjectJoke@aol.com
  • projectjoke@india.com
  • FushenKingdee@protonmail.com
  • madeinussr@protonmail.com
  • decoding_service@aol.com
  • decoding_service@protonmail.com
  • inc_evilsi@protonmail.ch
  • worcservice@protonmail.ch
  • logiteam@protonmail.com

Note that Scarab ransomware decryptor has not been yet created, so it is quite difficult to retrieve files back. However, in April 2018, Doctor Web announced[3] that some cases of ransomware can be decrypted. For that, victims should send the ransom note HOW TO RECOVER ENCRYPTED FILES – decrypts@airmail.cc.TXT and 3-4 encrypted files to the email emte@adc-soft.com. If infected with any of these versions, try this method for files' decryption. If it does not work for you, jump to the end of this post to use other methods for data recovery. However, make sure you remove Scarab ransomware before this procedure. 

Scarab virus proliferation in 2018
Cybercriminals continue to upgrade Scarab virus and infect computers worldwide.

The list of Scarab variants

Scarab ransomware has been appearing with new versions since last year. Recently, it came to researchers' attention as the malware that receives updates pretty much each month. At the moment, there are twenty different members of this money extortionist family that are listed below.  

Scorpio ransomware 

Scorpio ransomware is believed to be the first new update to the original variant of Scarab ransomware. The most noticeable features of this virus are its ability to crack the computer in multiple different stages.

Firstly, it settles on the computer with the help of bogus scripts executed via Command Prompt Admin. The next phase encompasses data encryption. Scorpio ransomware scans the system for targeted files, applies AES cipher to lock them, and eventually appends .[Help-Mails@Ya.ru].scorpio file extension to distinguish them from the others. The final phase is informative. Scorpio virus generates a ransom note named IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt. The file contains a unique victim's ID, and contact information, including email address (Help-Mails@Ya.Ru and alexous@bk.ru).

Scarab-Crypto ransomware 

Scarab-Crypto is the name of the next Scarab ransomware version detected in the second half of March 2018. Just like its ancestors, it uses AES cryptography and targets the most popular file types. Its distinctive feature is a .crypto file extension and HOW TO RECOVER ENCRYPTED FILES.TXT file. It instructs the victim to email Scarab-Crypto ransomware developers via anticrypto@protonmail.com and indicate a personal identification number.

Extortionists should subsequently unlock two files encrypted by Scarab-Crypto for free to claim their trustworthiness. The sum of the payment is not revealed in the note, but the victim is demanded to initiate a transaction via Bitcoin wallet asap to get a decryptor.

Scarab-cryptor example
Cybercriminals developed a new version, called Scarab-Cryptor.

Scarab-Amnesia

Spotted at the end of March 2018, this new version spreads via Necurs botnet and executed its payload when the potential victim extracts a 7Zip email attachment. Likewise other Scarab versions, it uses AEX-256 encryption algorithm. However, it can easily be distinguished from the rest of Scarab versions by an .amnesia file extension added to locked files. The list of targeted files:

.Png, .psd, .pspimage, .tga, .thm, .tif, .tiff, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .pdf, .xlr, .xls, .xlsx, .accdb, .db, .dbf, .mdb, .pdb, .sql, .apk, .app, .bat, .cgi, .com, .exe, .gadget, .jar, .pif, .wsf, .dem, .gam, .nes, .rom, .sav, .dwg, .dxf, .gpx, .kml, .kmz, .asp, .aspx, .cer, .cfm, .csr, .css, .htm, .html, .js, .jsp, .php, .rss, .xhtml, .doc, .docx, .log, .msg, .odt, .pages, .rtf, .tex, .txt, .wpd, .wps, .csv, .dat, .ged, .key, .keychain, .pps, .ppt, .pptx, .ini, .prf, .hqx, .mim, .uue, .7z, .cbr, .deb, .gz, .pkg, .rar, .rpm, .sitx, .tar.gz, .zip, .zipx, .bin, .cue, .dmg, .iso, .mdf, .toast, .vcd, .sdf, .tar, .tax2014, .tax2015, .vcf, .xml, .aif, .iff, .m3u, .m4a, .mid, .mp3, .mpa, .wav, .wma, .3g2, .3gp, .asf, .avi, .flv, .m4v, .mov, .mp4, .mpg, .rm, .srt, .swf, .vob, .wmv, .3d, .3dm, .3ds, .max, .obj, .r.bmp, .dds, .gif, .jpg, .crx, .plugin, .fnt, .fon, .otf, .ttf, .cab, .cpl, .cur, .deskthemepack, .dll, .dmp, .drv, .icns, .ico, .lnk, .sys, .cfg.

Scarab-Amnesia ransomware informs its victims about the current situation and the steps he or she has to take to decrypt files on a HOW TO RECOVER ENCRYPTED FILES.TXT file. Typically, it is stored on the desktop, but can also be found on random folders that contain files with .amnesia file extensions.

Scarab-Please ransomware

At the end of March 2018, security experts discovered Please ransomware that is using AES encryption to modify targeted files. It is appending .please file extension to target data and dropping a ransom note “HOW TO RECOVER ENCRYPTED FILES.TXT” on a desktop. This message informs the victim to use an email called decry1@cock.li or decry2@cock.li to contact its developers and get further instructions needed for the recovery of affected files. Cybercriminals are also claiming that the victim can test the decryption procedure to ensure that it is possible. However, we do not recommend contacting hackers. Ransomware also can make changes to Windows registry key so this is better be deleted soon. 

Scarab-Decrypts ransomware

It is yet another version of ransomware. It's more or less similar to its ancestors, though exhibits different file extensions and the ransom note. Written on Delphi, it takes advantage of AES-256 cipher to attack victim's files and render them useless by altering their file extension. 

Following the encryption phase, each locked file gets either .decrypts @ airmail.cc or .decryptsairmail.cc file extension. Consequently, the owner cannot dispose of them in any way. The Scarab-Decrypts ransomware provides its victims with a ransom note called HOW TO RECOVER ENCRYPTED FILES-decrypts@airmail.cc.TXT.  It does not say much, except that the files have been encrypted and provides an email address which asks the victim to contact to decrypts@airmail.cc and provide a unique identification number for further instructions. You can see an example of the Scarab-Decrypts ransom note below.

Scarab-Decrypts ransomware variant
Scarab-Decrypts is a different version of the original virus.

Scarab-Horsia

Horsia ransomware version was spotted at the beginning of May 2018. Disguised under 7Zip and otherwise named email attachments, the ransomware targets English-speaking PC users. Once it's installed, malicious processes start running in the background to protect the Horsia ransomware from removal. 

Encrypted files are easy to notice as they get .horsia@airmail.cc file extension, which cannot be modified manually. Besides, each folder, including the desktop, contains a HOW TO RECOVER ENCRYPTED FILES.TXT file explaining the current situation, including payment and contact information. The full ransom note reads as follows: 

Scarab-Walker

This version of the dangerous cyberthreat and was spotted by security experts shortly after Horsia variant came out. Just as all previous versions, Walker ransomware users AES cryptography to encrypt files. It changes all media, video, text and other personal files and makes them unusable by adding .JohnnieWalker extension. 

As usual, after data encryption, Scarab-Walker virus drops a ransom note in the .txt format, explaining the situation to the user. Hackers demand payment in Bitcoins. Soon after the ransom is paid, users are prompted to e-mail JohnnieWalker@firemail.cc and include their personal ID. Additionally, cybercrooks offer to unlock one file to prove that data is decryptable.

Scarab-Walker ransomware
Scarab-Walker is another variant of the virus which has started spreading in the middle of 2018.

Fastrecovery@airmail.cc

Additionally, the malware reappeared in June 2018 with the .fastrecovery@airmail.cc file extension to mark each of the affected files. The virus drops a ransom note HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT into each folder which explains about files' encryption using RSA-2048 cipher. The only way to recover locks files is said to be a special decryprion key that is stored by criminals on a remote server.

Scarab-Osk

Scarab-Osk is encrypting data by using AES cipher. It is using .osk extension to mark every affected file. Hackers ask for 0.013 Bitcoin in HOW TO RECOVER ENCRYPTED FILES.txt message to be paid and then email sent to translatos@protonmail.com for further instructions and the decryptor. As usual, we advise refraining yourself from contacting cybercrooks and restore all encoded data using a backup.

Scarab-DiskDoctor ransomware

DiskDoctor ransomware is still encrypting files with the same AES-256 encryption algorithm. Differently from previous variants, this one appends .DiskDoctor file extension to the targeted files. But it still displays data recovery instructions in the text file called “HOW_TO_RECOVER_ENCRYPTED_FILES.txt.”

In the ransom note, crooks demand to contact them via DiskDoctor@protonmail.com email address in order to learn about data recovery possibilities. However, we do not recommend trying to get back your files in this way. Crooks will demand to transfer a few hundreds of dollars in Bitcoins in order to get a decryption tool. However, once you make a transaction, they might disappear and never give you a needed tool. Hence, you should remove DiskDoctor from the computer ASAP.

Scarab-DiskDoctor version
Scarab-DiskDoctor is a file-encrypting virus which compromises the data by appending .DiskDoctor extension.

Scarab-Good ransomware

In June 2018, researchers detected a few version of Scarab and this one is decryptable with Dr. Web. “.good” is a file extension that virus adds to modified files and “filedecryption@prorotnmail.com” is the contact email address. As typical for the Scarab family ransom note is placed in file “HOW_TO_RECOVER_ENCRYPTED_FILES.txt.”. This contains information about encryption and what to do but no specifics about the ransom or decryption. This virus version came to the light alongside other ones. 

Leen ransomware

Just like its name suggests, Leen ransomware is using “.leen”  to each of the files that become modified. As soon as that is complete, a ransom note is placed in every folder. “INSTRUCTIONS FOR RESTORING FILES.TXT.” contains information about this certain attack:

Contact us using this email address: mr.leen@protonmail.com

Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).

Cybercriminals demand unspecified payment in Bitcoins and suggest victims contact them via email “mr.leen@protonmail.com.” in order to get a key or more information.

Danger ransomware

Danger ransomware is decryptable with Dr. Web, but it is different from the most of the members in the family because this version uses RSA-2048 encryption algorithm. “.fastrecovery@xmpp.jp” is a file extension that this virus adds after the modification is complete. Typical “HOW_TO_RECOVER_ENCRYPTED_FILES.txt.” ransom message placed on pretty much every folder on the PC. Information about changing contacts and encryption method is the main useful things in the note. No specific ransom amount just email address “fastrecovery@xmpp.jp” that changes after three days.

Oneway ransomware

Difficult weeks in the cyber-security world while Scarab develops new variants each week. This version is targeting Russian-speakers because while this adds “.oneway” file extension the ransom note called “Расшифровать файлы oneway.TXT.” Email address “bm15@horsefucker.org” is provided in the message and the note contains more information about test decryption and the attack itself. 

Scarab- BtcKING ransomware

BtcKING ransomware came with more similar patterns. Encryption is done in a similar way and “.BtcKING” file extension looks like other previous versions. Also, this variant places ransom message called ” How To Decode Files.txt” on every existing folder on the system and desktop. This ransomware also came in June 2018 alonside other dangerous versions. 

Scarab-Horsia ransomware version
Scarab-Horsia virus "congratulates" its victims with the infection.

Bomber ransomware

Another ransomware targeting Russian victims. This ransomware appends photo, video, text and other files with “.bomber” file extension so it is easily detected which ones are modified. After this encryption process is completed virus creates a ransom note “HOW recover encrypted FAYLY.TXT” and you can have more details about the attack. This is placed on your desktop and in every folder where you can find modified files. This version displays soft2018@tutanota.com; soft2018@mail.ee; newsoft2018@yandex.by as possible contact emails. 

JungleSec ransomware

JungleSec version of Scarab has more specific details. Encryption is done while appending “.jungle@anonymousspechcom” extension to modified files. And after that ransom note, “ENCRYPTED.md” is placed in multiple places on the system. In this file, you can discover that virus developers demand certain 0.3 in Bitcoin and state their contact email as “junglesec@anonymousspeech.com” which you are suggested to contact after the payment is done. This version has no decryption option. 

Recme ransomware 

Recme ransomware is one of the newest variants discovered in late June of 2018, with classical Scarab encryption patterns. After the encryption process, during which “.recme” file extension is placed on your photos, videos, text or archive files, this ransomware creates ransom message called “HOW_TO_RECOVER_ENCRYPTED_FILES.txt.”. In this message, you can find more details about the cyber attack.

Scarab-Amensia ransomware variant
Scarab-Amensia is a crypto-malware which has emerged from the initial Scarab ransomware.

Scarab-Dan ransomware 

This version of Scarab ransomware came alongside the previous five is the one that adds “.dan@cock.email” file extension to targeted files. These can be anything from images, photos or videos to text files or even archives. After this modification is complete you can find ransom note file “HOW TO RECOVER ENCRYPTED FILES-dan@cock.emai.TXT”. This is a ransom message that often contains various information about the initial attack and instructions for the victim. 

Scarab-Recovery ransomware

Scarab-Recovery came out in early July 2018. The virus is written in Delphi programming language and uses AES to lock up data. The crypto-virus adds .BD.Recovery extension to each of the affected file and drops ransom note “HOW TO RECOVER FILES.TXT” which states that victims should email crooks via bd.recovery@aol.com or bd.recovery@india.com. However, hackers should never be contacted as it can result in a loss of money.

Scarab-Turkish ransomware

As the name suggests, this version of Scarab focuses on Turkish PC users. However, all the Turkish characters were replaced by English letters, making it impossible to understand. The virus uses AES to encrypt data and ads [Firmabilgileri@bk.ru] appendix to each of the affected files, which is also a contact email of cybercriminals. As usual, we suggest you ignore cybercrooks and remove Scarab-Turkish from your machine ASAP.

Scarab-Barracuda ransomware

The latest variant of crypto-virus is dubbed Scarab-Barracuda because it encrypts files and adds .BARRACUDA file extension. The virus is closely related to Scarab-Rebus and can be decrypted. Therefore, do not waste your money and do not pay cybercrooks. Merely contact security experts who can help to decode data. Unlike many other versions, Barracuda ransomware drops a ransom note which includes its name in it – BARRACUDA RECOVERY INFORMATION.TXT. Cybercriminals are trying their best to scare users with the following:

Attention!
Do not attempt to remove a program or run the anti-virus tools
Attempts to decrypt the files will lead to loss of Your data
Decoders other users is incompatible with Your data, as each user unique encryption key

Scarab-zzzzzzzz ransomware

In 2019, the owners of Scarab ransomware returned with a new file extension used to block victims' files and convince them to pay the ransom. At the moment, the virus is appending .zzzzzzzz file extension after using an encryption algorithm to scramble the code of separate files. Keys which are required to unlock encrypted files and saved in external servers which can be reached only by cybercriminals. According to the ransom note, victims have 5 days to unlock files by paying a ransom. The payment should be made either in Bitcoin or Dash cryptocurrency. Zzzzzzzz ransomware is not decryptable yet, just like numerous other versions of Scarab. If infected, use third-party tools to unlock your files.

Scarab crypto-virus
The image of Scarab virus ransom note.

Ssimpotashka@gmail.com ransomware

Ssimpotashka@gmail.com ransomware is one of the variants that resurfaced after its initial release in July 2018. Almost two years later, users started reporting infections of this Scarab version once again. Since the malware is using an improved RSA algorithm to lock files, it cannot be decrypted with previously-working methods, unless working backups are retained.

Soon after the infiltration, the Ssimpotashka@gmail.com virus begins performing the necessary changes to make the machine ready for data encryption. Malware targets hundreds of file types, although it skips system and some executable files for the computer to be functional after the infection (the goal of ransomware is not to destroy Windows per se – hackers seek to retrieve money from ransom payments instead).

After the encryption, each of the affected files receives a marking .Ssimpotashka@gmail.com, and can no longer be accessed. For data recovery, users need to email the attackers and then pay a ransom (typically in bitcoin cryptocurrency) to retrieve a decryption tool with a unique key. The information about the infection and further actions can be found in a ransom note HOW TO RECOVER ENCRYPTED FILES.txt file, which is dropped in several places on victims' computers.

.rbs file extension virus

The first renewed Scarab version that surfaced in 2020 is dubbed as .rbs file extension virus. According to its founders, the ransomware is spread via spam emails that contain malicious .exe or .zip attachments. It is using a sophisticated RSA encryption algorithm to lock files and mark each of them with the .rbs appendix. 

Upon successful encryption of the victim's data, it drops a ransom note TO HOW DECRYPT files.txt, which demands to pay 0.1 BTC on Bitcoin Wallet 1GPUVdXsW6T57aUAJuQ2sWx4X2M76MAQmr 2. Once the payment is transferred, the victim is supposed to contact criminals via a madeinussr@protonmail.com email address. 

Criminals promise to react to the payment within 24 hours. In case no response is received, criminals ask the victim to download a Bitmessage[4] and send a message to the BM-2cWQjc8pWXmMMrRh26ADg1XXMbtZ4UpdbA member. 

.ncov ransomware

Spotted on February 25, 2020, the .ncov file extension virus turned out to be another family member of the infamous Scarab. The ransomware has been reported by several cybersecurity community members who have fallen victims to this malicious virus. 

Just like its predecessors, it uses a complicated RSA cipher to lock files and then generates a ransom note Note: Data Decryption Guide.TXT on the desktop and multiple system's folders. The .ncom ransomware virus seems to be targeting Russian-speaking countries predominantly as its ransom note is written in Russian and has no translation into English or other languages. The victim attacked by the .ncov ransomware is expected to contact crooks via ncov@cock.li and transfer the ransomware payment within 24 hours. After that, the payment doubles and gets fixed after 72 hours period. 

Scarab ransomware versions 2020
Scarab ransomware keeps evolving in 2020. Over five new versions have already been released since the beginning of the year

Cov19 ransomware virus

Cov19 ransomware is the latest member of the Scarab family. As soon as Coronavirus pandemic gathered momentum, cybercriminals started leveraging the COVID-19 theme as a name for new cyber infections. Apart from thousands of Covid-19 spams, criminals use Coronavirus reference for ransomware too. Crooks behind Scarab are not exceptional. 

The Scarab Cov19 ransomware virus has resurfaced in the middle of May 2020. The basic features of the virus are reminiscent of the original, except for the .cov19 file extension and a new name for the ransom note, which is TO RECOVER.TXT. The note:

Hello, 

Many vulnerabilities detected on your server. 
Because of this, all your files have been encrypted with the strongest encryption. 
All attempts to decrypt files on their own will lead to data corruption.
Antivirus operation can permanently damage the files.
Gather information about identifiers and sent it by mail.
Remember that your keys are not stored for long and can be automatically deleted. 
No data recovery company can recover it. Recovery company will be contacted by we on the indicated mail. 
For information on decoding, please write to the email FushenKingdee@protonmail.com
Your files are now encrypted!

Please do not pay the ransomware. Experts are currently under investigation if the files encrypted by .cov19 extension can be decrypted for free. We recommend removing the ransomware asap and contact reputable vendors for help. 

Bomba ransomware

Bomba ransomware is the summer 2020 edition of Scarab ransomware virus. It has been detected at the beginning of June disguised under malicious .ZIP email attachments. The emails carrying this virus tend to imitate order confirmations, though the senders and content vary. 

Once the payload is launched, the virus starts the changes within system's settings and unravels the cipher (AES + RSA), which locks files using the .bomba file extension. Subsequently, all pictures, photos, docs, music files, etc. can't be opened or renamed. 

Also dubbed as .bomba file extension virus, this ransomware cannot be decrypted for free. Therefore, if you don't have backups, you have two options – either write an email to the logiteam@protonmail.com with a unique identifier (a long string of letters and numbers provided on the ransom note) and pay the redemption for criminal or backup locked files on the external hard drive, inform cybersecurity experts (.e.g Dr. Web who are already capable of decrypting some of Scarab ransomware versions) and wait for the decryption software. 

Bomba ransomware virus
The latest Scarab variant is dubbed as Bomba ransomware, which spreads via spam email attachments and locks files like its predecessors

By the way, criminals behind the Bomba virus provide their victims with a privilege – they allow sending 3 files (up to 10mb) for free decryption. That's test decryption to prove the potential payers that the Scarab decryption key that they have is fully functional. 

Anyway, Bomba ransomware removal is a must since ransomware can also be used for the backdoor of banking trojans, spyware, or other malicious entries. Use a professional security program to delete the malicious ransomware files altogether and then recover the machine with Reimage Reimage Cleaner Intego repair tool. 

Hackers are taking advantage of the infamous Necurs botnet to distribute the virus 

Necurs botnet is infamous for the distribution of different ransomware-type infections. In November, cybersecurity experts have also detected it spreading the Scarab virus[5]. Criminals are aiming to affect computers located in[6]:

  • Australia;
  • Germany;
  • United Kingdom;
  • France.

At the moment of writing, the botnet already sent about 12.5 million emails with a malicious 7Zip archive with the Visual Basic script that downloads and executes the third version of the virus.

These subject line of these emails are made by this scheme: “Scanned from [printer/scanner company name].” Currently, the most popular versions of titles are:

  • Scanned from Lexmark;
  • Scanned from Canon;
  • Scanned from HP;
  • Scanned from Epson.

The infected archive itself is named image2017-11-23-4360760.7z. However, the name of this file might change based on the distribution data. Therefore, users are advised to be careful and watch out emails sent from copier@[your email address or company’s domain].

Scarab ransomware
Different versions of Scarab malware delivers slightly changed ransom notes.

Spam emails is yet another method used to spread Scarab

The authors of this crypto-malware continue to distribute the virus in the old-school way which relies on malicious spam emails[7]. Cybersecurity experts have detected an enormous wave of malicious emails distributed with the help of Necurs botnet in the late 2017. The content of the letter included VBS scripts disguised as innocent scanned documents in 7Zip archive.

Therefore, users should be aware of potential dangers that might be sent straight to the inbox. Keep in mind that if you do not retain rational thinking and cautiousness, no anti-virus will be able to save you from Scarab hijack or another malware infiltration. In addition, note that some hackers still use old trickery: visiting a corrupted site, you may notice a fake alert prompting to update your Java or Adobe Flash Player.

The only way to get rid of Scarab ransomware is a reliable malware removal tool

Our security experts understand how threatening it might seem to lose encrypted data by trying to remove Scarab ransomware. Although, the only way to decrypt files without paying the ransom is to get rid of this cyber threat with a robust antivirus. We suggest using Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner. or Malwarebytes. Afterward, you will be able to try alternative data recovery methods presented below.

In case you cannot launch your security software, take a look at the bottom instructions. They should help you launch it and overcome this issue. However, note that the cybersecurity application does not decode files and can help you only for Scarab ransomware removal.

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Scarab virus, follow these steps:

Remove Scarab using Safe Mode with Networking

In case the computer is out of control, you may find this method quite effective. After that, you will be able to launch an anti-spyware tool and remove Scarab virus permanently.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Scarab

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Scarab removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Scarab using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Scarab. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Scarab removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Scarab from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Scarab, you can use several methods to restore them:

Data Recovery Pro method

In case, you had not back up your files before the malware encoded the files, Data Recovery Pro software might grant you the solution. It is especially handy for recovering damaged files. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Scarab ransomware;
  • Restore them.

The benefit of Windows Previous Versions

This method might be effective for restoring encoded data if System Restore was previously enabled. On the other hand, some users may find it inconvenient as they have to go through each file and perform the following steps.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Scarab malware and ShadowExplorer

The latest version of the virus is designed to delete Shadow Volume Copies. However, if you are extremely lucky and it did not delete them, you should try ShadowExplorer for data recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Scarab decryptor is not available yet

The official Scarab decryptor still hasn't been released as of April 2018. However, Dr. Web announced that file decryption for some Scarab versions is possible. Therefore, you can send few encrypted files to emte@adc-soft.com (together with ransom note) and see if security experts can help you.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Scarab and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References

Removal guides in other languages


Your opinion regarding Scarab ransomware virus