CyberWisdom Safe Harbor Commentary on Scarabey:
This story gives a surprising look at Scarab ransomware, first discovered in June 2017. Since then, several varieties have been created and found in the wild. The most widely distributed version is spread through the Necurs botnet and was originally written in Visual C. However, after unpacking, we found a distribution of Scarabey, another variant discovered in December 2017, with a different payload code.
Like most ransomware, Scarabey's goal is to encrypt the files on the system and then demand a Bitcoin payment from the victim. However, Scarabey was not distributed via malspam as the original Scarab was; instead it was found targeting Russian users and being dropped manually onto servers and systems over RDP.
In addition, Scarabey does not seem to be packed in any of the samples we encountered. The malicious code is written in Delphi, there is no C++ packer as in Scarab, and the content and language of the ransom note are different.
Sample reference
SCARAB original: e8806738a575a6639e7c9aac882374ae
SCARABEY variant: 9a02862ac95345359dfc3dcc93e3c10e

Ransom note
For victims, the main difference between Scarabey and the other Scarab ransomware lies in the language of the ransom note and the intimidation it uses.

Different threats
The original Scarab note warned that the longer users wait, the higher the price.
Scarabey, on the other hand, tells users that for every day they wait, more files will be deleted, until none are left for them to recover.
Essentially, the criminals imply either that they hold a copy of the user's unencrypted files, or that they control the victim's computer and can delete the files. Neither is true, for the following reasons:
- Aside from the impracticality of exfiltrating every single file on the victim's computer, the malware has no network functionality that would send files to its author.
- There is no backdoor or remote-access code in Scarab or its variants, so the threat of deleting files on the victim's computer cannot be carried out.
- As we understand the process, after the ransom is paid the criminals send a decryption program loaded with a unique key; the victim runs it and decrypts the files. Because decryption happens locally and offline, they have no way to limit it.
- No part of the malware code deletes the user's files from the computer.
In the following passage of the note, the author implies that decryption is controlled on the server side, which is untrue:
"Deleted 24 files every 24 hours. (We have their copy.) If you do not run the decryption program within 72 hours, all files on your computer will be completely erased and will not be recovered."
The note then gives the decryption steps, which refer to the decryption program sent to the victim after payment. That program, using the victim's unique key, decrypts the files locally:
"- After starting the decoder, the files will be decoded within an hour.
- Other users' decoders are not compatible with each user's data (unique encryption key)."
The conclusion is that the idea that the authors can delete files, whether remotely or through the malware, is purely a scare tactic used to pressure users into paying quickly.
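The post supplies two defender-usable indicators: the MD5 sample references and the distinctive wording that separates the original Scarab note (rising price) from Scarabey's note (scheduled deletion). The following Python script is an added example, not code from this post or from Malwarebytes, that turns those indicators into a small triage check: it hashes files against the listed sample hashes and scans text files for the note wording. The regular expressions, the sample note and the file names are constructed for illustration; the note phrases come from the page's translated fragments, so treat them as illustrative rather than authoritative signatures.

```python
"""Triage helper built from the indicators quoted in the Scarab/Scarabey post.

Added example, not the post's or Malwarebytes' code. The MD5 values are the two
sample references given in the post; the note phrases are derived from the
translated ransom-note fragments it quotes (illustrative, not authoritative).
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional

# Sample references exactly as given in the post (MD5).
KNOWN_SAMPLES: Dict[str, str] = {
    "e8806738a575a6639e7c9aac882374ae": "Scarab (original)",
    "9a02862ac95345359dfc3dcc93e3c10e": "Scarabey variant",
}

# Ransom-note wording that distinguishes the two notes according to the post:
# the original threatens a rising price, Scarabey threatens file deletion on a
# 24-hour / 72-hour schedule. Patterns are constructed, case-insensitive regexes.
NOTE_MARKERS: Dict[str, List[str]] = {
    "Scarab (original)": [
        r"the longer .* the higher the price",
        r"price (will )?(increase|rise|go up)",
    ],
    "Scarabey variant": [
        r"deleted? \d+ files every \d+ hours",
        r"within 72 hours",
        r"completely erased",
    ],
}


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_md5(digest: str) -> Optional[str]:
    """Return the family label for a known sample hash, or None if unknown."""
    return KNOWN_SAMPLES.get(digest.strip().lower())


def classify_file(path: str) -> Optional[str]:
    """Hash one file and check it against the sample references."""
    return lookup_md5(md5_of_file(path))


def classify_note(text: str) -> List[str]:
    """Return the labels whose note wording appears in the text (may be empty)."""
    normalized = " ".join(text.lower().split())  # collapse whitespace, fold case
    hits: List[str] = []
    for label, patterns in NOTE_MARKERS.items():
        if any(re.search(p, normalized) for p in patterns):
            hits.append(label)
    return hits


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a tree: hash every file against the IoC list, scan .txt files for note wording."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            labels: List[str] = []
            family = classify_file(path)
            if family:
                labels.append(f"hash match: {family}")
            if name.lower().endswith(".txt"):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    labels.extend(f"note wording: {lbl}" for lbl in classify_note(fh.read()))
            if labels:
                findings[path] = labels
    return findings


# Constructed sample note, paraphrasing the fragments quoted in the post.
SAMPLE_NOTE = """Deleted 24 files every 24 hours. (We have their copy.)
If you do not run the decryption program within 72 hours, all files on your
computer will be completely erased and will not be recovered."""


def demo_scan() -> Dict[str, List[str]]:
    """Write the constructed note plus a benign file into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "ransom_note_sample.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)
        with open(os.path.join(tmp, "benign.bin"), "wb") as fh:
            fh.write(b"hello")
        # Report by base name so the result does not depend on the temp path.
        return {os.path.basename(k): v for k, v in scan_directory(tmp).items()}


if __name__ == "__main__":
    for path, labels in demo_scan().items():
        print(path, "->", ", ".join(labels))
```

Run it on a suspect host's user directories to get a quick hash-and-wording triage; a hash hit identifies one of the two referenced samples, while a wording hit only tells you which note family the text resembles, which is why the two checks are reported separately.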
We've found that a variant of the Scarab ransomware, called Scarabey, is distributed via a different technique, with a different payload code, and a new target: Russia.
The post Scarab ransomware: new variant changes tactics appeared first on Safe Harbor on Cyber.
