
Scarab ransomware virus. How to remove? (Uninstall guide)

Removal by Julie Splinters | Type: Ransomware

Scarab – a ransomware virus that keeps coming back with new versions


Scarab is a group of crypto-ransomware[1] infections, which can also be referred to as Scorpio, Amnesia, Crypto, Please, and Horsia. The latest version appeared shortly after Horsia (in mid-May) and is dubbed Walker ransomware. It attacks English-speaking users with the help of the Necurs botnet[2], 7Zip email attachments, a rogue Flash Player, and exploit kits. It appends a .JohnnyWalker file extension to each encrypted file and drops a ransom note, HOW TO DECRYPT WALKER INFO.txt, which urges the victim to contact hackers via address to find out the size of the ransom and payment instructions. Each Scarab variant relies on the AES-256 encryption algorithm and asks to pay a ransom in Bitcoins.

Name: Scarab
Type: Ransomware
Versions: [email].scarab, [email].scorpio, [].scarab, Scarab-Amnesia, and Scarab-Crypto, Scarab-Please, Scarab-Decrypts, Scarab-Horsia, Scarab-Walker
Danger level: High. Locks personal files and demands a ransom. Can cause permanent data loss
Cryptography: AES-256
File extensions: .scarab, [email].scarab, [email].scorpio, [].scarab, .amnesia, .crypto, .please,,,, .JohnnieWalker
Language translated: English, Russian
Distribution: Necurs botnet, 7Zip email attachments, fake Java or Adobe Flash Player updates, corrupted remote desktop apps
Decryption: Dr. Web announced that some Scarab encrypted files can be decrypted. Users should send an email to with a few examples together with the ransom note
Removal: Manual removal is not possible. To get rid of Scarab ransomware and its variants, download Reimage and run a full system scan

All video, music, picture, document and similar personal data gets locked, and an extension is appended to each of the files. The initial Scarab version uses [email].scarab, [email].scorpio, and [].scarab suffixes. The next variant is dubbed the .please file extension virus. It appends the .please file extension and provides instructions in a text file named HOW TO RECOVER ENCRYPTED FILES.TXT.

Although experts considered the Scarab virus to be discontinued, recent reports contradict that. At the end of March 2018, ransomware researchers disclosed three improved versions of the malware. Scarab-Amnesia ransomware is one of these recent versions; it uses the AES cipher to lock personal files and attaches an .amnesia file extension to the targeted file types. Once the payload and encryptor have been unpacked successfully, the ransomware generates a HOW TO RECOVER ENCRYPTED FILES.TXT file, which instructs the victim to pay the ransom in Bitcoins within 72 hours.

Crooks did not confine themselves to the Scarab-Amnesia ransomware detected approximately a month ago. At the beginning of April 2018, ransomware researchers publicly announced a new Scarab version dubbed Scarab-Decrypts. Just like its ancestors, it uses the AES-256 cipher to lock files and relies on the same distribution techniques. However, it can be distinguished from the others by or file extensions, and the HOW TO RECOVER ENCRYPTED ransom note.

A Scarab ransomware decryptor has not yet been created, so it is quite difficult to get files back. However, in April 2018, Doctor Web announced[3] that some cases of Scarab ransomware can be decrypted. For that, victims should send the ransom note HOW TO RECOVER ENCRYPTED FILES – and 3-4 encrypted files to the email. If you have been infected with Scarab, try this method for file decryption. If it does not work for you, we suggest other methods, which are listed below this article.

Scarab ransomware

Originally the ransom note was written in Russian, but the Scarab-Amnesia ransomware version currently circulating on the net is translated into English. Besides, the text of this ransom note is a copied, though slightly shortened, version of the original Scarab ransom note.

Your personal ID
Your files, documents, photo, databases and all the rest aren't 
      They are ciphered by the most reliable enciphering.
      It is impossible to restore files without our help.
      You will try to restore files independent you will lose files
You will be able to restore files so:
to contact us by e-mail: WESTLAN@PROTONMAIL.CH 
* report your ID and we will switch off any removal of files
(if don't report your ID identifier, then each 24 hours will be
to be removed on 24 files. If report to ID-we will switch off it)
* you send your ID identifier and 2 files, up to 1 MB in size everyone.
We decipher them, as proof of a possibility of interpretation.
also you receive the instruction where and how many it is necessary to pay.
you pay and confirm payment.
after payment you receive the DECODER program. which you restore ALL YOUR FILES.

You have 72 hours on payment.
If you don't manage to pay in 72 hours, then the price of interpretation increases twice.
The price increases twice each 72 hours.
To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours.
Address for detailed instructions e-mail:
     * If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour.
     * If you try to decipher – you can FOREVER lose your files.
     * Decoders of other users are incompatible with your data as at each user unique key of enciphering
If it is impossible to communicate through mail
     * Be registered on the website (service online of sending Bitmessage)
     * Write the letter to the address BM-2cVNaCJejHJpnyLrtXYGJVfVdviHfa1jpd with the indication of your mail and the personal identifier and we will communicate.  

Scarab-Amensia ransomware variant

Scarab-Crypto is the name of the next Scarab ransomware version detected in the second half of March 2018. Just like its ancestors, it uses AES cryptography and targets the most popular file types. Its distinctive feature is a .crypto file extension and HOW TO RECOVER ENCRYPTED FILES.TXT file. It instructs the victim to email Scarab-Crypto ransomware developers via and indicate a personal identification number.

The extortionists are then supposed to unlock two files encrypted by Scarab-Crypto for free to demonstrate their trustworthiness. The sum of the payment is not revealed in the note, but the victim is asked to make a transaction via a Bitcoin wallet as soon as possible to get a decryptor.

Scarab-Please, the latest variant, is identical to the other versions described, except that it uses .please file extension and switched to and email addresses. 

The ransom note instructs to provide the personal identifier and contact the felons via provided email address. Updated variants of Scarab virus use different email addresses for communication with victims. Currently known emails used by criminals:

  • Help-Mails@Ya.Ru;

Scarab virus proliferation in 2018

In order to earn users' trust, the developers offer to decrypt three files up to 1 MB in size for free. However, the felons do not indicate the sum of the ransom but rather urge affected users to contact them as soon as possible, since the deadline for the ransom payment ends after 72 hours.

Following these orders is not recommended. Cybercriminals cannot be trusted in any way, so after paying the ransom you may be left without both money and files. Security experts recommend that victims instead remove Scarab ransomware using a professional anti-malware tool, like Reimage or Malwarebytes Anti Malware.

Once you complete the Scarab removal, you will be able to recover most or even all of the encrypted files using third-party data recovery tools. You can find a comprehensive decryption tutorial at the end of this article. Alternatively, you can email a few encrypted files to Dr.Web and see if security experts can decrypt the files for you.

Scarab scorpio file extension version

Necurs botnet distributes Scarab ransomware

On the 23rd of November, security experts spotted Necurs spreading a new Scarab campaign[4]. The virus mostly targets the United Kingdom, Australia, France, and Germany.[5]

At the moment of writing, the botnet had already sent about 12.5 million emails carrying a malicious 7Zip archive with a Visual Basic script that downloads and executes the third version of the virus.

The subject lines of these emails follow this scheme: “Scanned from [printer/scanner company name].” Currently, the most popular versions of titles are:

  • Scanned from Lexmark;
  • Scanned from Canon;
  • Scanned from HP;
  • Scanned from Epson.

The infected archive itself is named image2017-11-23-4360760.7z. However, the name of this file might change based on the distribution data. Therefore, users are advised to be careful and watch out for emails sent from copier@[your email address or company’s domain].
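The indicators described above (the "Scanned from ..." subject scheme, the copier@ sender on the recipient's own domain, and the image<date>-<number>.7z attachment) can be combined into a mail-triage check. The following Python is an added example, not code from the original article; the function names, the indicator labels, the two-indicator quarantine threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the campaign description above.
SUBJECT_RE = re.compile(r"^Scanned from (?P<vendor>.+)$", re.IGNORECASE)
KNOWN_VENDORS = {"lexmark", "canon", "hp", "epson"}
# image2017-11-23-4360760.7z generalised to image<YYYY-MM-DD>-<digits>.7z,
# because the article notes that the exact name changes.
ATTACH_RE = re.compile(r"^image\d{4}-\d{2}-\d{2}-\d+\.7z$", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of the first address in a From/To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def scarab_malspam_indicators(msg):
    """Return the campaign indicators that an EmailMessage matches."""
    hits = []

    m = SUBJECT_RE.match((msg["Subject"] or "").strip())
    if m:
        vendor = m.group("vendor").strip().lower()
        hits.append("subject:known-vendor" if vendor in KNOWN_VENDORS
                    else "subject:scheme")

    # Sender presented as copier@<recipient's own domain>.
    _, sender = parseaddr(msg["From"] or "")
    if (sender.partition("@")[0].lower() == "copier"
            and domain_of(msg["From"]) == domain_of(msg["To"])):
        hits.append("sender:copier@own-domain")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append("attachment:image-date-7z")
        elif name.lower().endswith(".7z"):
            hits.append("attachment:other-7z")
    return hits


def verdict(msg):
    """Assumed policy: 2+ indicators quarantine, 1 review, 0 pass."""
    count = len(scarab_malspam_indicators(msg))
    return "quarantine" if count >= 2 else "review" if count == 1 else "pass"


def sample_message(subject, sender, rcpt, attachment=None):
    """Build a constructed message for the demo (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, rcpt
    msg.set_content("Please find the scanned document attached.")
    if attachment:
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg


if __name__ == "__main__":
    demo = [
        sample_message("Scanned from Canon", "copier@example.org",
                       "alice@example.org", "image2017-11-23-4360760.7z"),
        sample_message("Scanned from HP", "scanner@printers.example.net",
                       "alice@example.org"),
        sample_message("Quarterly report", "carol@example.org",
                       "alice@example.org", "report.pdf"),
    ]
    for message in demo:
        print(verdict(message), scarab_malspam_indicators(message),
              message["Subject"])
```

A single indicator only sends the message to review, since a real office scanner can legitimately produce a "Scanned from ..." subject.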

Scarab-cryptor example

Once users open this file, the Scarab payload is dropped on the system. It then starts encrypting files and appending the .[].scarab file extension. However, unlike the previous versions of the virus, this one does not change the original names of the files. The virus also deletes Shadow Volume Copies and disables other Windows recovery features. Thus, data decryption is nearly impossible.

Once the process is over, it downloads ransom notes in each folder that contains encrypted documents. The IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT file is opened automatically and asks victims to send an email to to learn the cost of the data recovery.

However, paying the ransom is not a solution. A complete Scarab removal is the best option you have to restore the system's performance. Received Bitcoins motivate criminals to continue their illegal projects. Besides, they may not keep their promise and may not give you a working decryptor.

Different versions of Scarab ransomware

Scorpio ransomware. It's the second variant of the Scarab ransomware, which attacks the system in phases. The first phase is to unpack the payload and root the virus into the OS by running malicious scripts via Command Prompt with administrator privileges.

The next phase encompasses data encryption. Scorpio ransomware scans the system for targeted files, applies AES cipher to lock them, and eventually appends .[].scorpio file extension to distinguish them from the others.

The final phase is informative. Scorpio virus generates a ransom note named IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt. The file contains a unique victim's ID, and contact information, including email address (Help-Mails@Ya.Ru and

Similarly to other family members, Scorpio virus developers promise to unlock three files (less than 5 Mb) to assure the victim that they are capable of decrypting personal files. However, instead of establishing contact with cyber crooks, we recommend initiating Scorpio removal as soon as possible.

Scarab-Amnesia. Spotted at the end of March 2018, this new version spreads via the Necurs botnet and executes its payload when the potential victim extracts a 7Zip email attachment. Like other Scarab versions, it uses the AES-256 encryption algorithm. However, it can easily be distinguished from the rest of the Scarab versions by the .amnesia file extension added to locked files. The list of targeted files:

.Png, .psd, .pspimage, .tga, .thm, .tif, .tiff, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .pdf, .xlr, .xls, .xlsx, .accdb, .db, .dbf, .mdb, .pdb, .sql, .apk, .app, .bat, .cgi, .com, .exe, .gadget, .jar, .pif, .wsf, .dem, .gam, .nes, .rom, .sav, .dwg, .dxf, .gpx, .kml, .kmz, .asp, .aspx, .cer, .cfm, .csr, .css, .htm, .html, .js, .jsp, .php, .rss, .xhtml, .doc, .docx, .log, .msg, .odt, .pages, .rtf, .tex, .txt, .wpd, .wps, .csv, .dat, .ged, .key, .keychain, .pps, .ppt, .pptx, .ini, .prf, .hqx, .mim, .uue, .7z, .cbr, .deb, .gz, .pkg, .rar, .rpm, .sitx, .tar.gz, .zip, .zipx, .bin, .cue, .dmg, .iso, .mdf, .toast, .vcd, .sdf, .tar, .tax2014, .tax2015, .vcf, .xml, .aif, .iff, .m3u, .m4a, .mid, .mp3, .mpa, .wav, .wma, .3g2, .3gp, .asf, .avi, .flv, .m4v, .mov, .mp4, .mpg, .rm, .srt, .swf, .vob, .wmv, .3d, .3dm, .3ds, .max, .obj, .r.bmp, .dds, .gif, .jpg, .crx, .plugin, .fnt, .fon, .otf, .ttf, .cab, .cpl, .cur, .deskthemepack, .dll, .dmp, .drv, .icns, .ico, .lnk, .sys, .cfg.

Scarab-Amnesia ransomware informs its victims about the current situation and the steps they have to take to decrypt files in a HOW TO RECOVER ENCRYPTED FILES.TXT file. Typically, it is stored on the desktop, but it can also be found in random folders that contain files with .amnesia file extensions.

The extortionists demand payment of the ransom as soon as possible. Each 24 hours of delay will result in deletion of 24 personal files. The deadline for the payment is 72 hours. The sum of the ransom is not clear, but the victim is supposed to exchange currency into Bitcoins and transfer the required fractions to the BM-2cVNaCJejHJpnyLrtXYGJVfVdviHfa1jpd wallet.

Additionally, crooks provide a contact email address in case the ransomware victim opts for more detailed instructions. However, instead of paying the ransom, we recommend you to install Reimage and remove Scarab-Amnesia ransomware. After that, you can recover encrypted data from backups or use third-party data recovery tools.

Scarab-Crypto. Dubbed the .crypto Scarab ransomware version, this crypto-malware appeared along with the Scarab-Amnesia virus described above. While both of them are similar in terms of design and performance, Scarab-Crypto locks files using the AES cipher and appends a .crypto file extension.

In addition to the suffix appended, the virus creates a HOW TO RECOVER ENCRYPTED FILES.TXT ransom note, which explains what can be done to get locked files back. The developers ask the victim to email them via and send a personal identification number along with two encrypted files. The victim should get an answer with the two files unlocked as proof that the paid Scarab-Crypto decryptor works.

The ransom should be paid in Bitcoins within 24 hours. Delayed transfer is said to result in deletion.
Beware that manual Scarab-Crypto removal is not possible. Once executed, it corrupts data in the %AppData%, %Local%, %LocalLow%, %Roaming%, and %Temp% folders. Besides, it runs scripts to change registry entries. The only reliable way is to remove Scarab-Crypto with Reimage or another professional anti-malware tool.

Scarab-Please is the latest version of Scarab ransomware, which was detected at the end of March 2018. It uses the AES cipher to encrypt targeted files and appends the .please file extension to each of them.

The Scarab-Please ransomware creates a ransom note HOW TO RECOVER ENCRYPTED FILES.TXT on PC's desktop, which instructs the victim to send an email message to or and provide a personal ID number.

To prove that the promised Scarab-Please decryptor is working, criminals ask to send 1 or 2 encrypted files (smaller ones required) along with the ID number, which will be decrypted for free.

All your files have been encrypted!
Don't worry, you can return all your files!
If you want to restore files write on e-mail
2. (if first email unavailable)
Your ID:
6A02000000000000 *** A2E503
Send me your ID and 1-2 small encrypted files (for the total amount of files must be less than 1Mb (non archived)) for free decryption.
After that, I'll tell you the price for decryption all files.
Do not try to use other decryptor tools because it will destroy your files.

It's not yet known how big the ransom is, but based on older Scarab ransomware versions, the ransom varies from 200 to 500 USD. Crooks accept Bitcoin only. The decryptor is not yet available, but paying for the Scarab-Please decryptor does not guarantee that you'll get your files back anyway.

The wxmon.exe process might block Scarab-Please removal. If your anti-virus is blocked, try to disable this process manually. Otherwise, you may need to restart your PC and boot into Safe Mode with Networking. 

Scarab crypto-virus

Scarab-Decrypts – yet another version of Scarab. It's more or less similar to its ancestors, though it exhibits different file extensions and a different ransom note. Written in Delphi, it takes advantage of the AES-256 cipher to attack the victim's files and render them useless by altering their file extension.

Following the encryption phase, each locked file gets either .decrypts @ or file extension. Consequently, the owner cannot dispose of them in any way. The Scarab-Decrypts ransomware provides its victims with a ransom note called HOW TO RECOVER ENCRYPTED  It does not say much, except that the files have been encrypted and provides an email address which asks the victim to contact to and provide a unique identification number for further instructions. You can see an example of the Scarab-Decrypts ransom note below.

Please do not pay the ransom required, neither small nor big. This way, you risk downloading spyware or a worm to your PC, as well as losing your money for nothing. In case of infection, you should remove Scarab-Decrypts ransomware using Reimage and try the alternative data recovery methods listed below this article.

Scarab-Decrypts ransomware variant

Scarab-Horsia. This Scarab version has been spotted in the beginning of May 2018. Disguised under 7Zip and otherwise named email attachments, the ransomware targets English-speaking PC users. Once it's installed, malicious processes start running in the background to protect the Horsia ransomware from removal. 

Encrypted files are easy to notice as they get file extension, which cannot be modified manually. Besides, each folder, including the desktop, contains a HOW TO RECOVER ENCRYPTED FILES.TXT file explaining the current situation, including payment and contact information. The full ransom note reads as follows: 

Your files are now encrypted!
Your personal identifier:

All your files have been encrypted due to a security problem with your PC.

Now you should send us an email with your personal identifier.
This email will be as confirmation you are ready to pay for a decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.

After payment, we will send you the decryption tool that will decrypt all your files.
Contact us using this email address:
If you don't get a reply or if the email dies, then contact us to

Free decryption as a guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non-archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).

How to obtain Bitcoins?

* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins,' and select the seller by payment method and price:
* Also you can find other places to buy Bitcoins and beginners guide here:

* Do not rename encrypted files.
* Do not try to decrypt your data using third-party software; it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our), or you can become a victim of a scam.

Scarab-Horsia ransomware version

Scarab-Walker. This is the newest version of the dangerous cyberthreat, and it was spotted by security experts shortly after the Horsia variant came out. Just like all previous versions, Walker ransomware uses AES cryptography to encrypt files. It changes all media, video, text and other personal files and makes them unusable by adding the .JohnnieWalker extension.

As usual, after data encryption, Scarab-Walker virus drops a ransom note in the .txt format, explaining the situation to the user. Hackers demand payment in Bitcoins. Soon after the ransom is paid, users are prompted to e-mail and include their personal ID. Additionally, cybercrooks also offer to unlock one file to prove that data is decryptable.

Scarab-Walker ransomware
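Before starting removal and recovery, it helps to know which folders were hit and by which variant. The following Python is an added example, not code from the original article or from any vendor: it walks a directory tree and correlates the file extensions and ransom-note names listed in the variant descriptions above. The function names, the confirmed/suspect split and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Final suffix -> variant, as listed in the article. Matching on the final
# suffix also covers the "[email].scarab" / "[email].scorpio" forms.
VARIANT_BY_SUFFIX = {
    ".scarab": "Scarab",
    ".scorpio": "Scorpio",
    ".amnesia": "Scarab-Amnesia",
    ".crypto": "Scarab-Crypto",
    ".please": "Scarab-Please",
    ".johnniewalker": "Scarab-Walker",
    ".johnnywalker": "Scarab-Walker",  # the article uses both spellings
}
# Ransom-note file names quoted in the article, compared case-insensitively.
RANSOM_NOTES = {
    "how to recover encrypted files.txt",
    "how to decrypt walker info.txt",
    "if you want to get all your files back, please read this.txt",
}


def sweep(root):
    """Map each directory under root to its suffix hits and note presence."""
    report = {}
    for dirpath, _subdirs, files in os.walk(root):
        variants, has_note = Counter(), False
        for name in files:
            lower = name.lower()
            if lower in RANSOM_NOTES:
                has_note = True
                continue
            variant = VARIANT_BY_SUFFIX.get(os.path.splitext(lower)[1])
            if variant:
                variants[variant] += 1
        if variants or has_note:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            report[rel] = {"variants": variants, "note": has_note}
    return report


def classify(report):
    """Split directories into confirmed (suffix + note) and suspect (one only).

    The article says ransom notes appear in each folder that contains
    encrypted documents, so a lone suffix hit without a note is treated as a
    weak signal (assumption: generic suffixes such as .crypto can also occur
    on unrelated files).
    """
    confirmed = sorted(d for d, r in report.items()
                       if r["variants"] and r["note"])
    suspect = sorted(d for d in report if d not in confirmed)
    return confirmed, suspect


def build_sample_tree(base):
    """Create a small constructed directory tree for the demo."""
    layout = {
        "docs": ["report.docx.amnesia", "budget.xlsx.amnesia",
                 "HOW TO RECOVER ENCRYPTED FILES.TXT"],
        "photos": ["cat.jpg.[user@example.org].scarab",
                   "IF YOU WANT TO GET ALL YOUR FILES BACK, "
                   "PLEASE READ THIS.TXT"],
        "keys": ["wallet.crypto"],   # suffix only, no note
        "music": ["song.mp3"],       # untouched
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(base, folder, name), "wb") as fh:
                fh.write(b"constructed")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        confirmed, suspect = classify(sweep(build_sample_tree(tmp)))
        print("confirmed:", confirmed)
        print("suspect:", suspect)
```

Run it read-only against a mounted copy of the affected disk rather than the live system, so the scan itself does not alter file timestamps.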

Crooks sent thousands of phishing emails to infect users' PCs with ransomware

Cyber criminals rely on the traditional ransomware distribution method – spam emails[6]. In November 2017, a massive malspam campaign with Scarab ransomware was pushed via the Necurs botnet. These emails include fake scanned documents in a 7Zip archive that actually contains a malicious VBS script.

Therefore, users should be aware of potential dangers that might be sent straight to the inbox. Keep in mind that if you do not retain rational thinking and cautiousness, no anti-virus will be able to save you from Scarab hijack or another malware infiltration. In addition, note that some hackers still use old trickery: visiting a corrupted site, you may notice a fake alert prompting to update your Java or Adobe Flash Player.

Remove Scarab ransomware and then proceed with file recovery procedure

Despite the warning not to change the names of encrypted files or remove the virus, we suggest you do the opposite. According to our security experts, you should remove Scarab ransomware with the assistance of a security application, for instance, Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus. However, make sure it is updated before a scan so that it has a full virus database which is ready to find malicious files.

In case you cannot launch your security software, take a look at the instructions below. They should help you launch it and overcome this issue. However, note that a cyber security application does not decode files and can help you only with Scarab ransomware removal.


Manual Scarab virus Removal Guide:

Remove Scarab using Safe Mode with Networking

In case the computer is out of control, you may find this method quite effective. After that, you will be able to launch an anti-spyware tool and remove the Scarab virus permanently.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Scarab

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Scarab removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Scarab using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Scarab. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Scarab removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Scarab from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Scarab, you can use several methods to restore them:

Data Recovery Pro method

In case you had not backed up your files before the malware encoded them, Data Recovery Pro software might offer a solution. It is especially handy for recovering damaged files.

The benefit of Windows Previous Versions

This method might be effective for restoring encoded data if System Restore was previously enabled. On the other hand, some users may find it inconvenient as they have to go through each file and perform the following steps.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Scarab malware and ShadowExplorer

The latest version of the virus is designed to delete Shadow Volume Copies. However, if you are extremely lucky and it did not delete them, you should try ShadowExplorer for data recovery.

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Scarab decryptor is not available yet

The official Scarab decryptor still hasn't been released as of April 2018. However, Dr. Web announced that file decryption for some Scarab versions is possible. Therefore, you can send a few encrypted files to (together with the ransom note) and see if security experts can help you.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Scarab and other ransomware, use a reputable anti-spyware tool, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Julie Splinters - Malware removal specialist
