Scarab was first detected in June 2017 and is currently being distributed by the Necurs botnet through a large spam email campaign primarily targeting .com and .co.uk addresses. Emails appear to contain a scanned attachment and have been observed with subject lines including "Scanned from Lexmark", "Scanned from HP", "Scanned from Canon", and "Scanned from Epson". Scarab is delivered via a 7zip email attachment with VBScript that downloads and executes the ransomware. Scarab deletes shadow volume copies, appends the .[firstname.lastname@example.org].scarab extension to encrypted files, and drops a ransom note named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" in each folder where files have been infected. According to the note, the ransom amount depends on how quickly victims respond to the attackers.
1/31/2018: A new version, dubbed Scarabey, was first discovered in December 2017 and targets Russian users via RDP and manual installation on servers and systems. The ransom note is written in Russian and threatens that additional files will be deleted for every day that users do not pay the ransom.
- Bleeping Computer provides additional information on Scarab here.
- The NJCCIC is not currently aware of any free decryption tools available for Scarab.
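The indicators in the Scarab description above (lure subject lines with a 7zip attachment, the ransom note name, and the bracketed .scarab extension) can be checked with a short triage script. This is an added example, not code from the NJCCIC or Bleeping Computer; the function names, the sample folder and file names, and the choice to match any bracketed address before .scarab are assumptions.

```python
import os
import re
import tempfile

# Indicators taken from the profile above.
LURE_SUBJECT = re.compile(r"^\s*Scanned from (Lexmark|HP|Canon|Epson)\b", re.I)
NOTE_NAME = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
# Assumption: match any bracketed address before .scarab, not one mailbox.
ENCRYPTED = re.compile(r"\.\[[^\]]+\]\.scarab$", re.I)


def is_scarab_lure(subject, attachment_names):
    """True for a 'Scanned from <vendor>' subject that carries a 7zip attachment."""
    has_7z = any(name.lower().endswith(".7z") for name in attachment_names)
    return bool(LURE_SUBJECT.search(subject)) and has_7z


def scan_tree(root):
    """Walk root; return {folder: (note_present, encrypted_count)} for affected folders."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        note = any(f.upper() == NOTE_NAME for f in files)
        count = sum(1 for f in files if ENCRYPTED.search(f))
        if note or count:
            hits[os.path.relpath(folder, root)] = (note, count)
    return hits


def build_sample_tree(root):
    """Constructed sample data: one affected folder and one clean folder."""
    bad = os.path.join(root, "finance")
    good = os.path.join(root, "public")
    os.makedirs(bad)
    os.makedirs(good)
    for name in ("q3.xlsx.[user@example.test].scarab",
                 "plan.docx.[user@example.test].scarab", NOTE_NAME):
        open(os.path.join(bad, name), "w").close()
    open(os.path.join(good, "readme.txt"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
    # Constructed mail-gateway record: subject plus attachment names.
    print(is_scarab_lure("Scanned from HP", ["scan_0001.7z"]))
```

The scan only reads directory listings, so it can be run against a mounted image or a file share without modifying evidence.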