Necurs bot well known for biggest single malware spam campaigns contains nearly 5 million infected bots, of which one million active each day. In the past, it is responsible for spreading various ransomware like JAFF Ransomware, banking trojan Trickbot now it is distributing Scarab Ransomware.
Distribution Scarab Ransomware
Ransomware distributed through Email campaigns subjected “Scanned from (Lexmark/HP/Canon/Epson)” contains .vbs script downloaders compressed with 7zip “image2017-11-23-(7 random digits).7z“.
According to Forcepoint telemetry analysis, major traffic is sent to .com and followed by country based TLD like United Kingdom, Australia, France, and Germany. They intercepted more than 12.5 million Emails.
Execution Scarab Ransomware
The visual basic script that presents in the zip file executes and downloads the sevnz.exe(Scarab Ransomware) and creates autostart entries in the registry.
Necurs now spreading Scarab (https://t.co/M8YD8SS98p).
Let's see if it will be more successful than Locky in past months…@BleepinComputer @demonslay335
cc @MalwareTechBlog pic.twitter.com/e9rPiem9BX
— MalwareHunterTeam (@malwrhunterteam) November 23, 2017
Once it executed it will encrypt the files and appends an extension .[[email protected]].scarab. Then once encryption completed it drops a Ransom note “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” and the ransom note to opens automatically.
Scarab disables default windows recovery options and also it deletes original copy of the file. Sadly at this time, there are no decryptors available for the scarab.
Attackers offerd Multiple way’s to communicate
1. Misspelled Support email address ([email protected])
2. Bitmessage at BM-2cTu8prUGDS6XmXqPrZiyXXeqyFw5dXEba
Common Defence’s to stay safe
- Don’t open the attachments that you are not expecting.
- Patch or Update your software.
- Use a reputable security suite.
- Download applications from Reputed sites.
- Stay strict with CIA Cycle.