
Scarab ransomware virus. How to remove? (Uninstall guide)

Removal by Julie Splinters | Type: Ransomware

The third version of Scarab spreads via the Necurs botnet


Scarab started encrypting computer users' files in June 2017. Back then the ransomware[1] appended the [email].scarab file extension; it was soon updated and started using the [email].scorpio extension. The third variant of the malware was released in November 2017, spreading via the Necurs botnet[2] and adding the .[].scarab extension.

Scarab ransomware uses AES cryptography and renames files with Base64 code. Following data encryption, it drops a text file in each folder that holds encoded files. In the IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_ PLEASE_READ_THIS.txt file, the crooks ask victims to contact them in order to learn about data recovery possibilities.

The ransom note instructs victims to provide their personal identifier and contact the felons via the provided email address. Updated variants of the Scarab virus use different email addresses for communication with victims. Currently known emails used by the criminals:

  • Help-Mails@Ya.Ru;

In order to earn users' trust, the developers offer to decrypt three files for free. However, the felons do not indicate the sum of the ransom but rather urge affected users to contact them as soon as possible in order to save money. Following these orders is not recommended because it might lead to money loss. Security experts recommend opting for automatic Scarab removal with Reimage or Malwarebytes Anti Malware.

Necurs botnet started pushing Scarab ransomware

On the 23rd of November, security experts spotted Necurs spreading a new Scarab campaign[3]. The virus mostly targets the United Kingdom, Australia, France, and Germany.[4]

At the moment of writing, the botnet has already sent about 12.5 million emails carrying a malicious 7Zip archive with a Visual Basic script that downloads and executes the third version of the virus.

The subject lines of these emails follow this scheme: “Scanned from [printer/scanner company name].” Currently, the most popular versions of titles are:

  • Scanned from Lexmark;
  • Scanned from Canon;
  • Scanned from HP;
  • Scanned from Epson.

The infected archive itself is named image2017-11-23-4360760.7z. However, the name of this file might change based on the distribution data. Therefore, users are advised to be careful and watch out for emails sent from copier@[your email address or company’s domain].
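The three traits described above (subject scheme, copier@ sender on the recipient's own domain, and the archive name pattern) can be checked together at a mail gateway or over an exported mailbox. The following is an added example, not code from the original article; the function names, the two-trait threshold and the example.com sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject scheme from the article: "Scanned from <printer/scanner vendor>".
SUBJECT_RE = re.compile(r"^\s*Scanned from (Lexmark|Canon|HP|Epson)\b", re.I)
# Attachment shape from the article (image2017-11-23-4360760.7z); the date and
# the trailing number may change, so only the structure is matched.
ATTACH_RE = re.compile(r"^image\d{4}-\d{2}-\d{2}-\d+\.7z$", re.I)


def scarab_lure_indicators(raw_message, org_domains):
    """Return which campaign traits one raw RFC 5322 message shows."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    # Sender forged as copier@<the recipient's own domain>.
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    if local == "copier" and domain in {d.lower() for d in org_domains}:
        hits.append("sender")
    if any(ATTACH_RE.match(p.get_filename() or "") for p in msg.walk()):
        hits.append("attachment")
    return hits


def should_quarantine(raw_message, org_domains):
    # One trait alone also fits mail from a real office scanner, so the
    # (assumed) policy here is to act only when two or more coincide.
    return len(scarab_lure_indicators(raw_message, org_domains)) >= 2


def build_sample(sender, subject, filename):
    """Constructed test message; the attachment body is a dummy byte."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "alice@example.com", subject
    m.set_content("Scan attached.")
    m.add_attachment(b"\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


LURE = build_sample("copier@example.com", "Scanned from Lexmark",
                    "image2017-11-23-4360760.7z")
BENIGN = build_sample("scanner@example.com", "Scanned from Canon", "scan.pdf")

if __name__ == "__main__":
    for raw in (LURE, BENIGN):
        print(scarab_lure_indicators(raw, ["example.com"]))
```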

Once users open this file, the Scarab payload is dropped on the system. It then starts encrypting files and appending the .[].scarab file extension. However, unlike the previous versions of the virus, this one does not change the original names of the files. The virus also deletes Shadow Volume Copies and disables other Windows recovery features. Thus, data decryption is nearly impossible.

Once the process is over, it downloads ransom notes in each folder that contains encrypted documents. The IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT file is opened automatically and asks victims to send an email to to learn the cost of the data recovery.

However, users should remove Scarab from the computer instead of paying the ransom. Received Bitcoins motivate the criminals to continue their illegal projects. Besides, they may not keep their promise and may not give you a working decryptor.
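To scope which folders were hit, a responder can walk a drive read-only and look for the extensions and the ransom note name mentioned in this article. This is an added example, not part of the original guide; the function names and the sample file names (including the placeholder@example.invalid address) are constructed for the demonstration.

```python
import os
import re
import tempfile

# Extensions the article lists for the Scarab variants.
ENCRYPTED_SUFFIXES = (".scarab", ".scorpio")
# The article spells the ransom note both with underscores and with spaces and
# a comma, so names are compared after dropping everything but letters/digits.
NOTE_KEY = "ifyouwanttogetallyourfilesbackpleasereadthistxt"


def squash(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())


def scope_scarab_damage(root):
    """Walk root and report encrypted files and folders holding a ransom note."""
    encrypted, note_dirs = [], set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_SUFFIXES):
                encrypted.append(os.path.join(dirpath, name))
            elif squash(name) == NOTE_KEY:
                note_dirs.add(dirpath)
    hit_dirs = {os.path.dirname(p) for p in encrypted}
    return {
        "encrypted": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        # Folders with a note but no encrypted file beside it need a manual look.
        "note_only_dirs": sorted(note_dirs - hit_dirs),
    }


def build_demo_tree():
    """Constructed sample tree; the file names are made up for the demo."""
    root = tempfile.mkdtemp(prefix="scarab_demo_")
    layout = {
        "docs": ["plan.docx.[placeholder@example.invalid].scarab",
                 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"],
        "old": ["a.[placeholder@example.invalid].scorpio"],
        "empty_hit": ["IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.txt"],
        "clean": ["notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root
```

Run it against a mounted copy or a disk image rather than the live system where possible, so the scan itself does not touch file timestamps on the affected host.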

Distribution methods of the ransomware are improving

Cyber criminals rely on the traditional ransomware distribution method: spam emails[5]. In November 2017, a massive malspam campaign with Scarab ransomware was pushed via the Necurs botnet. These emails include fake scanned documents in a 7Zip archive that actually contains a malicious VBS script.

Therefore, users should be aware of potential dangers that might be sent straight to the inbox. Keep in mind that if you do not stay rational and cautious, no anti-virus will be able to save you from a Scarab hijack or another malware infiltration. In addition, note that some hackers still use old trickery: when visiting a corrupted site, you may notice a fake alert prompting you to update your Java or Adobe Flash Player.

Automatic Scarab elimination guide

Despite the warning not to change the names of encrypted files or remove the virus, we suggest you do the opposite. According to our security experts, you should remove Scarab ransomware with the assistance of a security application, for instance, Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus. However, make sure it is updated before a scan so that it has a full virus database ready to find malicious files.

In case you cannot launch your security software, take a look at the instructions below. They should help you launch it and overcome this issue. However, note that a cyber security application does not decode files and can help you only with Scarab ransomware removal.


Manual Scarab virus Removal Guide:

Remove Scarab using Safe Mode with Networking

In case the computer is out of control, you may find this method quite effective. After that, you will be able to launch an anti-spyware tool and remove the Scarab virus permanently.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Scarab

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Scarab removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Scarab using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Scarab. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that Scarab removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Scarab from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Scarab, you can use several methods to restore them:

Data Recovery Pro method

In case you had not backed up your files before the malware encoded them, Data Recovery Pro software might offer a solution. It is especially handy for recovering damaged files.

The benefit of Windows Previous Versions

This method might be effective in restoring encoded data if System Restore was previously enabled. On the other hand, some users may find it inconvenient as they have to go through each file and perform the following steps.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Scarab malware and ShadowExplorer

The latest version of the virus is designed to delete Shadow Volume Copies. However, if you are extremely lucky and it did not delete them, you should try ShadowExplorer for data recovery.

  • Download Shadow Explorer;
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop-down menu in the top left corner to select the disk with your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Scarab decryptor is not available yet

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Scarab and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Julie Splinters - Malware removal specialist
