This article has been created in order to help you by explaining how to remove Scarabey ransomware virus from your computer system and how to restore .scarab encrypted files.
A new ransomware version of the notorious Scarab ransomware virus, calling itself Scarabey, which hit computer in the summer of last year has come back in a new iteration according to malware researcher going by the nickname vhioureas. The malware’s primary purpose is to render the files on your computer after it encrypts them no longer able to be opened until you pay a hefty ransom fee in order to get those files restored back to their original state. In the event that your PC has suffered an attack with the new variant of Scarab ransomware, we strongly advise you to remove this malware and try to restore .scarab encrypted files, preferrably by reading the following article.
Threat Summary
Name | Scarabey Ransomware |
Type | Ransomware, Cryptovirus |
Short Description | Aims to encrypt the files on the computers which are infected by it and then hold them hostageuntil the victim follows the instructions on it’s ransom note. |
Symptoms | The Scarab ransomware infection leaves behind the files no longer openable with the .scarab file extension to them. |
Distribution Method | Spam Emails, Email Attachments, Executable files |
Detection Tool |
See If Your System Has Been Affected by malware
Download
Malware Removal Tool
|
User Experience | Join Our Forum to Discuss Scarabey Ransomware. |
Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
Scarabey v2 Ransomware – Infection Process
In order to infect victims, the new variant of Scarab ransomware aims to perform series of activities on the victim PC, primarily targeting the victims via an RDP dropping of files on victim’s computers as well as company servers.
Furthermore, the virus does not infect directly via samples as it is written in Dephi without the C++ encapsulation which means that the virus uses a more sophisticated method for evasion and detection.
Regarding the methods of infection, the malware may cause the infection via multiple different methods, the most likely of which are:
- Via fake setups of programs.
- Via fraudulent software cracks or license activators.
- Via other fake programs available online.
- Via documents that seem legitimate and are sent through spam e-mails as e-mail attachments.
- Through web links sent as spam messages in comment sections or social media chats.
Scarabey v2 Ransomware – Analysis and Activity
Scarab Ransomware’s new version which has been created with more abilities to perform malicious activities on victim computers. The new variant can be recognized by it’s ransom note which leads experts to believe that may be translated via Google Translate from Russian to Engish. The ransom note, named englishTansRansomSCARAB.txt, provides the following message to victims:
Good afternoon. Your computer has been infected with Scarabey. All data is encrypted with a unique key, which is only with us.
Without a unique key – files can not be restored.
24 files are deleted every 24 hours. (we have copies of them)
If you do not run the decryption program within 72 hours, all the files on the computer are completely deleted, without the possibility of recovery.
Read carefully how to recover aII encrypted data.
Scarabey
You can restore files as follows:
1. contact us by e-mail: Support56@cock.li
Send your ID and 2 files, up to 1 mb each.
We decrypt them, to prove the possibility of deciphering.
also receive instruction on payment. (payment will be in bitcoin)
report your ID and we will turn off any deletion of files
(if you do not provide your ID, every 24 hours will be
deleted by 24 files. If you tell ID- we will turn it off) 5
2. pay and confirm the payment.
3. After payment receive a decoder. Which will restore your data and turn off the function of deleting files.
You have 48 hours to pay.
If you do not have time to pay for 48 hours, the price of decryption is increased by 2 times.
To recover files, without losses, and at a minimum rate, you must pay within 48 hours.
l For detailed instructions, please contact email: Support56@cock.li
-After starting the decoder, the files are decoded within an hour.
If you try to scan or decrypt the data yourself – you can lose your files forever.
Decoders of other users are incompatible with your data, as each user
unique encryption key
Your ID
In addition to this, several other changes are also introduced with this variant of the ransomware, making it more dangerous. While in the original version of the malware it claims that the longer the victim waits, the price of the ransom is likely to go up, the newer Scarabey version claims to directly delete 24 files each 24 hours, which is quite the motivator to pay the ransom. However, researchers were later able to establish that this is only a scare tactic by the cyber-criminals in order to get victims to pay the ransom faster.
When we take a look inside of the virus files, it quickly becomes evident that the Scarabey ransomware’s latest version is written in Delphi. Its initial course of action after the virus infects your computer is to check if it has been ran before on the infected computer by checking the parameters on the computer attacked by it.
The malware also checks if the following Windows registry key has been set on the attacked device:
→ Software\ILRTISo\idle
If it is running ofr the first time on the victim PC, the virus executes the following command in Windows Command Prompt as an administrator with the purpose to exist in the %Temp% directory under the name sevnz.exe:
→ cmd.exe /c copy /y C:\Users\virusLab\Desktop\9a02862ac95345359dfc3dcc93e3c10e.exe “C:\Users\virusLab\AppData\Roaming\sevnz.exe”
After doing so, the Scarabey ransomware virus runs a process which executes the file sevnz.exe, previously copied:
→ %AppData%\Roaming\sevnz.exe
After doing so, the malware opens the process cmd.exe via a JavaScript code which triggers a script. The script has been reported to be the following:
→ “mshta.exe “javascript:o=new ActiveXObject(‘Scripting.FileSystemObject’);setInterval(function(){try{o.DeleteFile(‘9a02862ac95345359dfc3dcc93e3c10f.exe’);close()}catch(e){}},10);””
This command aims to delete the process of the virus after it’s activity is complete. In addition to this, the new version of Scarab Ransomware has also been reported to directly delete the shadow volume copies on the infected computer system to prevent victims from recovering their data:
→ ActiveXObject(“WScript.Shell”);
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0”
cmd.exe /c wmic SHADOWCOPY DELETE”
cmd.exe /c vssadmin Delete Shadows /All /Quiet”
cmd.exe /c bcdedit “
new ActiveXObject(“WScript.Shell”
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP-keepVersions:0”
cmd.exe /cwmicSHADOWCOPYDELETE”0
cmd.exevssadminDeleteShadows /All/Quiet”
cmd.exe /c bcdedit /set {default} recoveryenabled No”,
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures”
Then, the Scarabey ransomware infection performs a rather sophisticated and clever activity which eliminates completely Windows’s file defense. The activities of this malware consist of shutting down processes that are important for Windows and that may prevent the malware from modifying (encrypting) the files on the compromised computer. However, most of these processes, if active and being ended, will be reactivated by Windows and this is why, the virus has a thread which “looks” for the processes which are reactivated over a short timespan and as soon as they run again, the malware shuts those processes down completely. The targeted Windows processes by Scarabey are the following:
→ agntsvc.exe
isqlplussvc.exe
ncsvc.exe
msftesql.exe
sqlagent.exe
sqlbrowser.exe
sqlservr.exe
sqlserver.exe
sqlwriter.exe
oracle.exe
ocssd.exe
dbsnmp.exe
synctime.exe;
mydesktopqos.exe
agntsvc.exe
isqlplussvc.exe
xfssvccon.exe
mydesktopservice.exe
ocautoupds.exe
agntsvc.exe
agntsvc.exe
agntsvc.exe
encsvc.exe
firefoxconfig.exe
tbirdconfig.exe
ocomm.exe
mysqld.exe
mysqld-nt.exe
mysqld-opt.exe
dbeng50.exe
sqbcoreservice.exe
Scarabey Ransomware Virus – Encryption Process
The malware preforms a so-called encryption loop which is basically checking over and over again for a mutex which can stop it from encrypting, based on specific criteria. However, if such mutex is not found, the malware begins to perform the encryption by checking absolutely every folder and file, carefully avoiding files that are from the .dll and .exe file formats. When the Scarabey ransomware version performs the encryption procedure, the malware uses the AES encryption algorithm on the files which is with 256-bit strength and an AES-ALGO labeled function. The virus encrypts each file by using 16-characted blocks, which is normal as it’s running AES encryption and each of the 16 characted blocks from the file it encodes are 128-bit encrypted. In addition to this, the ransomware also performs another encryption activity whih is to apply CBS (Cipher Block Chaining). This is essentially linking the files one to another in order to link them into a chain to additionally make the decryption of those files more difficult. So if we were to explain this the simplest way is if you have file A and file B which is encrypted after file A, part of the code in file A serves as identification and initialization that the next block of encrypted data is located in file B. So to determine how to decrypt file B, you are obliged to look into file A’s code and investigate which is the next file.
But to decrypt the actual files is also next to impossible since, the algorithm itself also generates a unique decryption key which is assymetric and only paying the ransom can so far get you that key accompanied by a decryption software. However, if you come across your files to be encrypted with the .scarab file extension added to them, experts advise not to pay the ransom as:
- You support their cyber-criminal operations.
- They cannot guarantee that you will get your files back after paying.
How to Remove Scarabey Ransomware and Restore .scarab Encrypted Files
In order to make sure that this malware is permanently gone from your computer, you should follow the manual or automatic removal instructions down below. If you have the experience in removing ransomware manually, we advise you to focus on the first 2 steps from the manual removal and to look for the registry files which we have explained in the analysis part above. Otherwise, if you want a more automatic and faster solution and lack the expertise in malware removal, we urge you to download an advanced anti-malware program, which aims to automatically perform the removal operation of Scarab ransomware and secures your computer against future infections in real-time.
If you want to restore files that have been encrypted by this ransomware infection, we advise you to try out the alternative tools for file recovery down below in step “2. Restore files encrypted by .scarab Files Virus”. They may not guarantee fully that you will recover all of the files, but if you haven’t reinstalled your OS already, there is a good chance that you might just restore them.
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
Step 1: Scan for Scarabey Ransomware with SpyHunter Anti-Malware Tool
Ransomware Automatic Removal - Video Guide
Step 2: Uninstall Scarabey Ransomware and related malware from Windows
Here is a method in few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it. To do that:
Step 3: Clean any registries, created by Scarabey Ransomware on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by Scarabey Ransomware there. This can happen by following the steps underneath:
Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.
Step 4: Boot Your PC In Safe Mode to isolate and remove Scarabey Ransomware
Step 5: Try to Restore Files Encrypted by Scarabey Ransomware.
Method 1: Use STOP Decrypter by Emsisoft.
Not all variants of this ransomware can be decrypted for free, but we have added the decryptor used by researchers that is often updated with the variants which become eventually decrypted. You can try and decrypt your files using the instructions below, but if they do not work, then unfortunately your variant of the ransomware virus is not decryptable.
Follow the instructions below to use the Emsisoft decrypter and decrypt your files for free. You can download the Emsisoft decryption tool linked here and then follow the steps provided below:
1 Right-click on the decrypter and click on Run as Administrator as shown below:
2. Agree with the license terms:
3. Click on "Add Folder" and then add the folders where you want files decrypted as shown underneath:
4. Click on "Decrypt" and wait for your files to be decoded.
Note: Credit for the decryptor goes to Emsisoft researchers who have made the breakthrough with this virus.
Method 2: Use data recovery software
Ransomware infections and Scarabey Ransomware aim to encrypt your files using an encryption algorithm which may be very difficult to decrypt. This is why we have suggested a data recovery method that may help you go around direct decryption and try to restore your files. Bear in mind that this method may not be 100% effective but may also help you a little or a lot in different situations.
Simply click on the link and on the website menus on the top, choose Data Recovery - Data Recovery Wizard for Windows or Mac (depending on your OS), and then download and run the tool.
Scarabey Ransomware-FAQ
What is Scarabey Ransomware Ransomware?
Scarabey Ransomware is a ransomware infection - the malicious software that enters your computer silently and blocks either access to the computer itself or encrypt your files.
Many ransomware viruses use sophisticated encryption algorithms to make your files inaccessible. The goal of ransomware infections is to demand that you pay a ransom payment to get access to your files back.
What Does Scarabey Ransomware Ransomware Do?
Ransomware in general is a malicious software that is designed to block access to your computer or files until a ransom is paid.
Ransomware viruses can also damage your system, corrupt data and delete files, resulting in the permanent loss of important files.
How Does Scarabey Ransomware Infect?
Via several ways.Scarabey Ransomware Ransomware infects computers by being sent via phishing emails, containing virus attachment. This attachment is usually masked as an important document, like an invoice, bank document or even a plane ticket and it looks very convincing to users.
Another way you may become a victim of Scarabey Ransomware is if you download a fake installer, crack or patch from a low reputation website or if you click on a virus link. Many users report getting a ransomware infection by downloading torrents.
How to Open .Scarabey Ransomware files?
You can't without a decryptor. At this point, the .Scarabey Ransomware files are encrypted. You can only open them once they are decrypted using a specific decryption key for the particular algorithm.
What to Do If a Decryptor Does Not Work?
Do not panic, and backup the files. If a decryptor did not decrypt your .Scarabey Ransomware files successfully, then do not despair, because this virus is still new.
Can I Restore ".Scarabey Ransomware" Files?
Yes, sometimes files can be restored. We have suggested several file recovery methods that could work if you want to restore .Scarabey Ransomware files.
These methods are in no way 100% guaranteed that you will be able to get your files back. But if you have a backup, your chances of success are much greater.
How To Get Rid of Scarabey Ransomware Virus?
The safest way and the most efficient one for the removal of this ransomware infection is the use a professional anti-malware program.
It will scan for and locate Scarabey Ransomware ransomware and then remove it without causing any additional harm to your important .Scarabey Ransomware files.
Can I Report Ransomware to Authorities?
In case your computer got infected with a ransomware infection, you can report it to the local Police departments. It can help authorities worldwide track and determine the perpetrators behind the virus that has infected your computer.
Below, we have prepared a list with government websites, where you can file a report in case you are a victim of a cybercrime:
Cyber-security authorities, responsible for handling ransomware attack reports in different regions all over the world:
Germany - Offizielles Portal der deutschen Polizei
United States - IC3 Internet Crime Complaint Centre
United Kingdom - Action Fraud Police
France - Ministère de l'Intérieur
Italy - Polizia Di Stato
Spain - Policía Nacional
Netherlands - Politie
Poland - Policja
Portugal - Polícia Judiciária
Greece - Cyber Crime Unit (Hellenic Police)
India - Mumbai Police - CyberCrime Investigation Cell
Australia - Australian High Tech Crime Center
Reports may be responded to in different timeframes, depending on your local authorities.
Can You Stop Ransomware from Encrypting Your Files?
Yes, you can prevent ransomware. The best way to do this is to ensure your computer system is updated with the latest security patches, use a reputable anti-malware program and firewall, backup your important files frequently, and avoid clicking on malicious links or downloading unknown files.
Can Scarabey Ransomware Ransomware Steal Your Data?
Yes, in most cases ransomware will steal your information. It is a form of malware that steals data from a user's computer, encrypts it, and then demands a ransom in order to decrypt it.
In many cases, the malware authors or attackers will threaten to delete the data or publish it online unless the ransom is paid.
Can Ransomware Infect WiFi?
Yes, ransomware can infect WiFi networks, as malicious actors can use it to gain control of the network, steal confidential data, and lock out users. If a ransomware attack is successful, it could lead to a loss of service and/or data, and in some cases, financial losses.
Should I Pay Ransomware?
No, you should not pay ransomware extortionists. Paying them only encourages criminals and does not guarantee that the files or data will be restored. The better approach is to have a secure backup of important data and be vigilant about security in the first place.
What Happens If I Don't Pay Ransom?
If you don't pay the ransom, the hackers may still have access to your computer, data, or files and may continue to threaten to expose or delete them, or even use them to commit cybercrimes. In some cases, they may even continue to demand additional ransom payments.
Can a Ransomware Attack Be Detected?
Yes, ransomware can be detected. Anti-malware software and other advanced security tools can detect ransomware and alert the user when it is present on a machine.
It is important to stay up-to-date on the latest security measures and to keep security software updated to ensure ransomware can be detected and prevented.
Do Ransomware Criminals Get Caught?
Yes, ransomware criminals do get caught. Law enforcement agencies, such as the FBI, Interpol and others have been successful in tracking down and prosecuting ransomware criminals in the US and other countries. As ransomware threats continue to increase, so does the enforcement activity.
About the Scarabey Ransomware Research
The content we publish on SensorsTechForum.com, this Scarabey Ransomware how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific malware and restore your encrypted files.
How did we conduct the research on this ransomware?
Our research is based on an independent investigation. We are in contact with independent security researchers, and as such, we receive daily updates on the latest malware and ransomware definitions.
Furthermore, the research behind the Scarabey Ransomware ransomware threat is backed with VirusTotal and the NoMoreRansom project.
To better understand the ransomware threat, please refer to the following articles which provide knowledgeable details.
As a site that has been dedicated to providing free removal instructions for ransomware and malware since 2014, SensorsTechForum’s recommendation is to only pay attention to trustworthy sources.
How to recognize trustworthy sources:
- Always check "About Us" web page.
- Profile of the content creator.
- Make sure that real people are behind the site and not fake names and profiles.
- Verify Facebook, LinkedIn and Twitter personal profiles.