New ransomware variant dubbed Scarab being distributed using Necurs botnet

Scarab, a new ransomware variant, is being distributed by hackers in a massive e-mail phishing campaign that uses the Necurs botnet.

Researchers have observed the presence of Scarab ransomware in as many as 12.5 million e-mails distributed by hackers using the Necurs botnet.

The campaign to spread the Scarab ransomware began at 7:30AM GMT yesterday and carried on throughout the rest of the day. However, alert researchers at Forcepoint Security Labs, who were the first to detect the ransomware, were able to intercept and block millions of e-mails between 7:30AM and 11AM.

E-mails sent out by hackers behind the spread of Scarab ransomware bear the subject "Scanned from {printer company name}" and contain 7zip attachments housing VBScript downloaders. The download domains used by hackers were previously compromised and used by them in hacking campaigns aided by the Necurs botnet.
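The two lure traits described above (the "Scanned from ..." subject and a 7zip attachment) can be checked together at a mail gateway. The following is an added example, not code from Forcepoint or from the original article; the function names, sample senders, file names and payload bytes are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # file signature of a 7z archive
SUBJECT_RE = re.compile(r"^\s*Scanned from \S", re.IGNORECASE)

def match_scarab_lure(raw: bytes) -> dict:
    """Report which of the article's two lure traits a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    archives = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Trust the magic bytes, not the file name or declared MIME type.
        if payload.startswith(SEVEN_ZIP_MAGIC):
            archives.append(part.get_filename() or "")
    subject_hit = bool(SUBJECT_RE.match(subject))
    # Either trait alone is common in legitimate mail; require both.
    return {"subject": subject_hit, "archives": archives,
            "quarantine": subject_hit and bool(archives)}

def build_sample(subject: str, filename: str, content: bytes) -> bytes:
    """Constructed test message; addresses, names and payload are made up."""
    m = EmailMessage()
    m["From"] = "copier@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please find the scan attached.")
    m.add_attachment(content, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_7z = SEVEN_ZIP_MAGIC + b"\x00" * 26  # signature only, not a real archive
    samples = (
        build_sample("Scanned from ExamplePrinter", "scan_0001.7z", fake_7z),
        build_sample("Scanned from ExamplePrinter", "scan.pdf", b"%PDF-1.4\n"),
        build_sample("Quarterly report", "data.7z", fake_7z),
    )
    for raw in samples:
        print(match_scarab_lure(raw))
```

Only the first constructed message is flagged for quarantine; confirming the VBScript inside the archive would need a 7z extraction library or a sandbox, which this sketch leaves out.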

The Necurs botnet is well known to security researchers as a distributor of ransomware and has been used by various hackers since 2015. In the same year, the botnet was, after the Kelihos Trojan, the second-most frequently used attack weapon to disrupt or to hack into UK businesses.

Between October and December 2015, cyber-attacks using the Necurs botnet grew 30 times and hackers often used a destructive cocktail of Necurs and Bedep, another Trojan, to attack businesses. As such, the return of the Necurs botnet poses a major threat to businesses as well as government organisations.

Once the Necurs botnet has distributed and installed the Scarab ransomware, the latter encrypts all system files and then drops a ransom note within each affected directory.

The ransom notes contain the headline 'IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS' and contain the following message for affected PC users:

'All your files have been encrypted due to a security problem with your PC.

'Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key.

'You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.'

The hackers behind the ransomware are asking users to send e-mails to suupport@protonmail.com or to contact them using a Bitmessage link. Their ransom notes also contain instructions on how to obtain Bitcoins.

According to researchers at Forcepoint, the Bitmessage option ensures that the hackers will continue to interact with affected PC users even if providers shut down e-mail addresses associated with the ransomware campaign.

'By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach. It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns,' they noted.

The arrival of the Scarab ransomware takes place just a month after the world was rocked by Bad Rabbit: a drive-by ransomware attack which infected websites with fake Adobe installers, installed ransomware and then encrypted all system files.

To protect your organisation's systems from such ransomware attacks, David Matthews, Director for EMEA Security Industry at Unisys, suggests that you need to take a number of measures like keeping sufficient data backup to continue operations in the event of a malware attack, patching software with the latest security updates, using effective security controls, updating antivirus signatures, using leading antivirus services, and adopting micro-segmentation to stop threats spreading across systems.