Scarab was first detected in June 2017 and is currently being distributed by the Necurs botnet through a large spam email campaign primarily targeting .com and addresses. Emails appear to contain a scanned attachment and have been observed with subject lines including Scanned from Lexmark, Scanned from HP, Scanned from Canon, and Scanned from Epson. Scarab is delivered via a 7zip email attachment with VBScript that downloads and executes the ransomware. Scarab deletes shadow volume copies, appends the .[].scarab extension to encrypted files, and drops a ransom note named IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT in each folder where files have been infected. According to the note, the ransom amount depends on how quickly victims respond to the attackers.

Extensions appended to encrypted file names:

[].scarab, .JohnnieWalker, .REBUS, .osk, .DiskDoctor, .leen,, .deep, .bin2, .amnesia, .bomber, .BARRACUDA,, .CYBERGOD, .rent, .CRYPTO

1/31/2018: A new version, dubbed Scarabey, was first discovered in December 2017 and targets Russian users via RDP and manual installation on severs and systems. The ransom note is written in Russian and threatens that additional files will be deleted for every day that users do not pay the ransom.

5/18/2018: Two new versions of Scarab, dubbed Walker and Horsuke, were detected in May 2018. The Walker variant appends .JohnnieWalker to the names of encrypted files and creates a ransom note named HOW TO DECRYPT WALKER INFO.TXT. The Horsuke variant instructs victims to contact horsuke[@]nuke[.]africa for payment information.

  • Bleeping Computer provides additional information on Scarab here.

  • The NJCCIC is not currently aware of any free decryption tools available for Scarab.