A new ransomware strain or variant called Scarab is now being sent to users in a huge spam campaign. The Necurs botnet is powering and distributing this spam ransomware.
According to security researchers, Necurs is spreading the Scarab ransomware on behalf of the hackers who rent it.
The same botnet has already distributed several other malware families, including Locky, Dridex, Jaff and GlobeImposter, to thousands of users.
The distribution takes the form of a large phishing email campaign.
Some threat actors have distributed more than 12.5 million emails via the Necurs botnet.
Huge Spam Deliverer
Necurs has been taking on new customers, and the botnet is generating a lot of business as a result.
It is one of the largest spam delivery systems in existence, responsible for infecting around five to six million hosts in a single month.
The Necurs model offers its customers the complete infection chain for a spam campaign: sending the spam emails, attaching the malware downloaders, and hosting the payloads those downloaders fetch.
The payload hosting is done on websites that have been compromised for the purpose.
Spread of Scarab Ransomware
The Scarab phishing email campaign started at around 7.30 a.m. (GMT) last Thursday and continued through its allotted time window.
Researchers from Forcepoint Security Labs detected the malware being distributed.
They succeeded in blocking several million phishing emails before 11 a.m. The campaign began over Thanksgiving, and several security vendors, including F-Secure and Forcepoint, reported the spam attacks.
About the Emails
The emails that deliver the Scarab ransomware via the Necurs botnet carry the subject line “Scanned from” followed by the name of a printer manufacturer, such as HP or Canon.
Each email also comes with seven zip attachments that contain VBScript downloaders.
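As an added example (not code from the article, Forcepoint or F-Secure), the following Python snippet shows how a mail gateway could score an inbound message on the two traits the campaign shares: a subject line mimicking scanner output (“Scanned from” plus a vendor name) and an archive attachment carrying a script downloader. The message and attachment structures, the vendor names beyond HP and Canon, the archive and script extension sets, and the idea that the gateway has already listed the archive's members are all assumptions; the sample messages are constructed.

```python
import os
import re
from dataclasses import dataclass, field

# Subject pattern reported for the campaign: "Scanned from" followed by a printer vendor name.
# HP and Canon come from the campaign description; the trailing word is captured so that
# other vendor names are still scored, as a weaker signal.
SUBJECT_RE = re.compile(r"^\s*Scanned from\s+(\S+)", re.IGNORECASE)
KNOWN_VENDORS = {"hp", "canon"}

# Archive containers worth unpacking and the script types a downloader usually arrives as (assumed sets).
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}


@dataclass
class Attachment:
    filename: str
    # Names of the files inside the archive, as listed by the gateway after unpacking (assumed input).
    members: list = field(default_factory=list)


@dataclass
class Message:
    subject: str
    attachments: list = field(default_factory=list)


def _ext(name):
    return os.path.splitext(name)[1].lower()


def assess(msg):
    """Return (verdict, reasons) for one message.

    'quarantine' when both the scanner-style subject and a script-in-archive attachment
    are present, 'review' when only one of the two is, 'pass' otherwise.
    """
    reasons = []

    subject_hit = False
    m = SUBJECT_RE.match(msg.subject)
    if m:
        subject_hit = True
        vendor = m.group(1)
        strength = "known vendor" if vendor.lower() in KNOWN_VENDORS else "unlisted vendor"
        reasons.append(f"subject mimics scanner output ({vendor}, {strength})")

    script_hit = False
    for att in msg.attachments:
        if _ext(att.filename) not in ARCHIVE_EXTS:
            continue
        scripts = [n for n in att.members if _ext(n) in SCRIPT_EXTS]
        if scripts:
            script_hit = True
            reasons.append(f"archive {att.filename} contains script(s): {', '.join(scripts)}")

    if subject_hit and script_hit:
        return "quarantine", reasons
    if subject_hit or script_hit:
        return "review", reasons
    return "pass", reasons


# Constructed sample messages, not real campaign artefacts.
SAMPLES = [
    Message("Scanned from HP", [Attachment("image2017-11-23.7z", ["image2017-11-23.vbs"])]),
    Message("Scanned from Canon", [Attachment("scan.zip", ["scan.pdf"])]),
    Message("Q4 budget", [Attachment("budget.zip", ["budget.xlsx", "notes.js"])]),
    Message("Lunch on Friday?", []),
]


def run_samples():
    """Verdicts for the constructed samples, in order."""
    return [assess(m)[0] for m in SAMPLES]


if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, reasons = assess(msg)
        print(f"{verdict:10} {msg.subject!r} {'; '.join(reasons)}")
```

Scoring the two traits separately matters: a legitimate scanner email with a PDF inside a zip should only reach a review queue, while the combination of the forged subject and a script inside an archive is distinctive enough to quarantine outright.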
The domains serving the payloads had already been compromised, and the threat actors have reused these compromised domains in their recent Necurs campaigns aimed at millions of computers.
The Scarab ransomware campaign is the latest among these attacks. Security officials have not noticed it in any earlier campaigns.
It appears to be a new ransomware strain, first noticed by security researchers in June of this year. The Scarab code is based on the open-source Hidden Tear project.
According to security experts, the bulk of the spam traffic was directed at the .com TLD.
The rest went to country-code TLDs, including those of the U.K., France, Australia and Germany.
As in other infamous Necurs campaigns, the VBScript contained several references to the Game of Thrones television series, in particular to the characters Jon Snow and Samwell Tarly.
How it Works
Renowned security researcher Michael Gillespie first spotted the Scarab ransomware, the new payload, in June of this year.
When executed, the ransomware drops a copy of itself. It then creates registry entries that serve as auto-start mechanisms.
Once installed, Scarab moves on to encrypting files, appending the extension “.([email protected]).scarab” to each file it affects.
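The renaming pattern just described is the most visible artefact of an infection, so an incident responder's first job is usually to measure its spread. As an added example (not code from the article or from the researchers it cites), the Python below recognises the “.(<contact address>).scarab” suffix, recovers the original file names, and tallies affected files per contact address and per directory. The contact mailbox itself is not given on the page, so the regex captures whatever sits between the parentheses; the sample listing and its contact address are constructed placeholders.

```python
import os
import re
from collections import defaultdict

# Extension pattern described for Scarab: ".(<contact email>).scarab" appended to the
# original file name. The article does not give the mailbox itself, so the pattern captures
# whatever address sits between the parentheses instead of hard-coding one.
SCARAB_EXT_RE = re.compile(r"\.\((?P<contact>[^()\s]+@[^()\s]+)\)\.scarab$", re.IGNORECASE)


def classify(path):
    """Return the contact address embedded in the file name, or None if not Scarab-style."""
    m = SCARAB_EXT_RE.search(os.path.basename(path))
    return m.group("contact") if m else None


def original_name(path):
    """Strip the appended Scarab extension to recover the pre-encryption file name."""
    return SCARAB_EXT_RE.sub("", os.path.basename(path))


def triage(paths):
    """Group Scarab-renamed files by contact address and count them per directory."""
    by_contact = defaultdict(list)
    by_dir = defaultdict(int)
    for p in paths:
        contact = classify(p)
        if contact:
            by_contact[contact].append(p)
            by_dir[os.path.dirname(p)] += 1
    return dict(by_contact), dict(by_dir)


def scan_tree(root):
    """Collect every path under root and triage it; meant for a mounted evidence image."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


# Constructed sample listing (no real victim data); the contact address is a placeholder.
SAMPLE_PATHS = [
    "/mnt/evidence/Users/alice/Documents/report.docx.(ransom-contact@example.invalid).scarab",
    "/mnt/evidence/Users/alice/Documents/budget.xlsx.(ransom-contact@example.invalid).scarab",
    "/mnt/evidence/Users/alice/Pictures/holiday.jpg.(ransom-contact@example.invalid).scarab",
    "/mnt/evidence/Users/alice/Documents/untouched.txt",
    "/mnt/evidence/Users/alice/Pictures/scarab_beetle.png",  # harmless name containing 'scarab'
    "/mnt/evidence/Users/alice/Downloads/notes.scarab",      # no contact address, so not the pattern
]

if __name__ == "__main__":
    by_contact, by_dir = triage(SAMPLE_PATHS)
    for contact, files in by_contact.items():
        print(f"{contact}: {len(files)} file(s), e.g. {original_name(files[0])}")
    for d, n in sorted(by_dir.items()):
        print(f"  {n:3} in {d}")
```

Grouping by the embedded contact address is deliberate: the same host can carry files renamed by more than one campaign, and the address is what ties a set of encrypted files to a particular ransom note and its payment channel.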
Scarab Ransomware Note
After a directory has been affected by the malware, the victim receives ransom notes telling them that, to get their files back, they must read the accompanying text.
The word “support” is misspelled both in the ransom notes and in the modified filename. The misspelling comes from the email address the attackers use, which is hosted on ProtonMail, an email service provider.
The ransom note does not state an amount. It only says that the price demanded will depend on how quickly the victim responds to the attack.
Once the ransomware runs, it also automatically opens this ransom note.
A number of malware campaigns have relied on an email address as the payment contact channel. One of the more infamous was the NotPetya ransomware attack in June of this year.
In such cases, however, the email providers have been able to shut down the addresses connected with the campaigns quite quickly.
Scarab's operators have anticipated this step: the ransom note includes a second contact mechanism, BitMessage, for victims to use if the email address is shut down.