Scarab was first detected in June 2017 and is currently being distributed by the Necurs botnet through a large spam email campaign primarily targeting .com and .co.uk addresses. Emails appear to contain a scanned attachment and have been observed with subject lines including "Scanned from Lexmark", "Scanned from HP", "Scanned from Canon", and "Scanned from Epson". Scarab is delivered via a 7zip email attachment with VBScript that downloads and executes the ransomware. Scarab deletes shadow volume copies, appends the .[firstname.lastname@example.org].scarab extension to encrypted files, and drops a ransom note named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" in each folder where files have been infected. According to the note, the ransom amount depends on how quickly victims respond to the attackers.
- Bleeping Computer provides additional information on Scarab here.
- The NJCCIC is not currently aware of any free decryption tools available for Scarab.
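The indicators in the profile above can be turned into a simple triage check over mail metadata and a file listing. The following Python is an added example, not part of the original profile; the `.7z` attachment suffix, the function names, and all sample data are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the profile above.
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
# The profile says subjects "include" these four; treat the list as non-exhaustive.
SUBJECT_RE = re.compile(r"^Scanned from (Lexmark|HP|Canon|Epson)\b", re.IGNORECASE)
# Encrypted files end in .[<email address>].scarab; match any address, not one value.
ENCRYPTED_RE = re.compile(r"\.\[[^\]\s@]+@[^\]\s@]+\]\.scarab$", re.IGNORECASE)
# Assumption: the 7zip attachment carries a .7z file name.
ARCHIVE_RE = re.compile(r"\.7z$", re.IGNORECASE)

def flag_messages(messages):
    """Return messages whose subject and attachment both fit the campaign."""
    return [m for m in messages
            if SUBJECT_RE.match(m["subject"].strip())
            and any(ARCHIVE_RE.search(a) for a in m["attachments"])]

def triage_paths(paths):
    """Count ransom notes and encrypted files per folder in a file listing."""
    folders = {}
    for raw in paths:
        p = PureWindowsPath(raw)  # parses Windows paths on any host OS
        if p.name.upper() == RANSOM_NOTE:
            kind = "note"
        elif ENCRYPTED_RE.search(p.name):
            kind = "encrypted"
        else:
            continue
        folders.setdefault(str(p.parent), Counter())[kind] += 1
    return folders

# Constructed sample data (not from a real incident).
SAMPLE_MAIL = [
    {"subject": "Scanned from HP", "attachments": ["scan_0001.7z"]},
    {"subject": "Scanned from HP", "attachments": ["scan_0002.pdf"]},
    {"subject": "Re: Scanned from Canon", "attachments": ["scan_0003.7z"]},
]
SAMPLE_PATHS = [
    r"C:\Users\a\Documents\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    r"C:\Users\a\Documents\report.docx.[user@example.org].scarab",
    r"C:\Users\a\Documents\photo.jpg.[user@example.org].SCARAB",
    r"C:\Users\a\Desktop\budget.xlsx",
    r"C:\Users\a\Desktop\notes.scarab.txt",
]

if __name__ == "__main__":
    print(flag_messages(SAMPLE_MAIL))
    print(triage_paths(SAMPLE_PATHS))
```

A folder that reports both a note and encrypted files is a stronger signal than either alone, since the note is dropped in each folder where files were encrypted.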