A new ransomware attack has been taking place, which sends the infamous Scarab ransomware through an email campaign. Like the other ransomware attacks seen this year, this Scarab malware can destroy files on your system if you don’t pay the ransom in Bitcoins. According to security researchers at Forcepoint, who discovered the campaign, attackers are spreading Scarab malware using the Necurs botnet, which is known to send malicious emails.
The massive email campaign has been active since November 23, and the Necurs botnet managed to send over 12.5 million emails within six hours. The emails being distributed contain the Scarab malware. According to the research findings, the botnet is sending emails to .com domains, and this attack is affecting the UK, Australia, France and Germany. The emails carry the subject “Scanned from (printer company name)”. The same lure was seen during the spread of Locky ransomware.
The malicious email has a 7zip attachment, which contains a VBScript downloader. Upon further digging, the VBScript was found to contain many references to the popular TV series Game of Thrones. The most common references were the names “Samwell” and “JohnSnow”, two popular characters in GoT. After the Scarab malware enters your system, it starts encrypting files, and the affected files get the extension “.[firstname.lastname@example.org].scarab”.
After this, a file titled “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” is dropped. This is basically a ransom note, but unlike past ransomware cases the amount isn’t declared in it. Instead, the ransom note reads, “the price depends on how fast you write to us”. Forcepoint says that systems protected by TRITON ACE are protected against the Scarab malware, as it identifies and blocks it. It also prevents Scarab variants from being downloaded.
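The indicators the report describes (a “Scanned from …” subject with a 7zip attachment on the mail side, and the “.[contact e-mail].scarab” extension plus the ransom-note file name on the host side) are simple enough to turn into a check. The script below is an added example, not code from the article or from Forcepoint; the `MailMessage` structure and the sample file names and messages are constructed for illustration, and it only matches the indicators the article states, nothing more.

```python
import re
from dataclasses import dataclass, field

# Ransom note file name exactly as reported in the article.
RANSOM_NOTE_NAME = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"

# Encrypted files are reported as <original>.[<contact e-mail>].scarab; the
# bracketed address varies per campaign, so match the shape rather than a value.
SCARAB_EXT_RE = re.compile(r"\.\[[^\]]+\]\.scarab$", re.IGNORECASE)


@dataclass
class MailMessage:
    """Minimal stand-in for a parsed e-mail (constructed; not a real mail library type)."""
    subject: str
    attachments: list = field(default_factory=list)  # attachment file names


def scarab_file_indicators(filenames):
    """Return (path, reason) for every path matching a Scarab host-side indicator."""
    hits = []
    for path in filenames:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.upper() == RANSOM_NOTE_NAME:
            hits.append((path, "ransom note"))
        elif SCARAB_EXT_RE.search(base):
            hits.append((path, "encrypted file extension"))
    return hits


def lure_reasons(msg):
    """Return the matched lure traits of a message: the printer-scan subject and a 7zip attachment.

    Both traits together form the pattern the article describes; callers decide on the
    threshold (see is_suspicious_lure), since either trait alone is common in normal mail.
    """
    reasons = []
    if msg.subject.strip().lower().startswith("scanned from"):
        reasons.append("printer-scan subject lure")
    if any(a.lower().endswith(".7z") for a in msg.attachments):
        reasons.append("7zip attachment")
    return reasons


def is_suspicious_lure(msg):
    """True only when both reported traits are present."""
    return len(lure_reasons(msg)) == 2


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    sample_files = [
        "C:/Users/alice/Documents/report.docx.[firstname.lastname@example.org].scarab",
        "C:/Users/alice/Documents/IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
        "C:/Users/alice/Documents/budget.xlsx",
    ]
    for path, reason in scarab_file_indicators(sample_files):
        print(f"[host] {reason}: {path}")

    sample_mail = [
        MailMessage("Scanned from HP", ["image2017-11-23.7z"]),
        MailMessage("Scanned from HP", ["image2017-11-23.pdf"]),
        MailMessage("Invoice", ["archive.7z"]),
    ]
    for msg in sample_mail:
        verdict = "FLAG" if is_suspicious_lure(msg) else "pass"
        print(f"[mail] {verdict}: subject={msg.subject!r} reasons={lure_reasons(msg)}")
```

The two-trait threshold is deliberate: printer-scan subjects and 7zip attachments each occur in legitimate mail, so only their combination is treated as the reported lure. The host-side check is useful after the fact (triage of a share or backup listing), not as prevention.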