On November 23, 2017, a new RansomWare outbreak called Scarab (first discovered in June by Michael Gillespie) was being distributed to approximately 12.5 million email addresses in the first hours alone. The virus was sent primarily to .com domains. It also found its way to other top-level domain extensions like .co.uk, .com.au, .fr and many more.
As per the norm, these are unsolicited emails that carry the much-used subject line, “Scanned from {printer company name}”. The email contains a 7zip attachment with a VBScript downloader.
Once the ransomware is installed (by means of the VBScript downloader in the attachment), it proceeds to encrypt all data on the device. An extension, ‘.[suupport@protonmail.com].scarab’, is added to affected files. Within every affected directory there will then be a file named ‘IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT’.
When this file is opened, it further explains that your files have been encrypted “as a result of security” (rather ironic, isn’t it?) and a payment is, of course, demanded. In order to receive the decryption key (a code snippet that will decrypt the affected files), you are required to submit, via email, a personal identification number that is included in the ransom note. There is no set amount the cybercriminals are demanding. Instead, they inform you, when reading between the lines, that the faster you pay, the less you pay.
It remains to be seen whether or not this will become a prolonged attack, or remain a flash in the pan.
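The two file-system indicators described above (the appended extension and the ransom note name) can be used to check how far an infection has spread on a disk or file share. The following is an added example, not part of the original article; the function names are hypothetical, and the case-insensitive comparison is an assumption made to suit Windows file systems.

```python
import os
import sys
from collections import defaultdict

# Indicators taken from the article text.
SCARAB_SUFFIX = ".[suupport@protonmail.com].scarab"
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"


def scan_for_scarab(root):
    """Walk root and return {directory: {"encrypted": [names], "note": bool}}
    for every directory that shows at least one of the two indicators."""
    hits = defaultdict(lambda: {"encrypted": [], "note": False})
    # onerror swallows permission errors so one unreadable folder
    # does not abort the whole scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lowered = name.lower()
            if lowered.endswith(SCARAB_SUFFIX):
                hits[dirpath]["encrypted"].append(name)
            elif lowered == RANSOM_NOTE.lower():
                hits[dirpath]["note"] = True
    return dict(hits)


def summarize(hits):
    """Return (affected_dirs, renamed_file_count, dirs_with_note)."""
    renamed = sum(len(h["encrypted"]) for h in hits.values())
    notes = sum(1 for h in hits.values() if h["note"])
    return len(hits), renamed, notes


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = scan_for_scarab(root)
    for directory, info in sorted(found.items()):
        print(f"{directory}: {len(info['encrypted'])} renamed file(s), "
              f"ransom note {'present' if info['note'] else 'absent'}")
    dirs, renamed, notes = summarize(found)
    print(f"{dirs} affected directories, {renamed} renamed files, "
          f"{notes} ransom notes")
```

Run it against a mounted share or a disk image rather than on the live infected machine, so the scan itself does not disturb evidence.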
There is Good News About This RansomWare
The good news is that even though this virus has very wide distribution, most anti-malware software will detect it. In the event it is not discovered, immediately trash the spam email. Whatever you do, never download the attachment!
Should you have any further questions regarding RansomWare or any other security concerns, please don’t hesitate to contact us immediately.