The Scarab-osk virus is the newest descendant from the Scarab ransomware family. It follows the already established behavior tactics of the previous versions and renames the target data with the .osk extension. Its development shows that the computer hackers continue to base new threats using the base ransomware code and further modifications to it are expected.
|Short Description||The ransomware encrypts sensitive information on your computer system with the .osk extensions and demands a ransom to be paid to allegedly recover them.|
|Symptoms||The ransomware will encrypt your files with a strong encryption algorithm.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by Scarab-Osk |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Scarab-Osk.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Scarab-Osk Virus – Distribution Ways
The newest release of the Scarab ransomware family has been released as the Scarab-osk virus version. At the moment the initial distribution campaign seems to be directed primarily against English speaking users. This shows that the attack waves are targeted and carefully planned before engagement. We expect to see numerous other campaigns carrying the same payload with various techniques.
One of the proposed mechanisms is the use of email SPAM messages that use various social engineering techniques in order to manipulate as many users as possible. The operators can use various text and graphics from well-known sites and services and use them as bait for computer users. The sent messages are disguised as legitimate messages and distribute the payloads either attached or directly hyperlinked in the body contents. The emails are also one of the primary mechanisms for payload delivery. There are two main types that are the most common:
- Software Installers — The computer hackers can bundle dangerous code into application installers of popular software such as creativity suites, productivity, system utilities and even computer games.
- Malware Documents — The other strategy is to embed the malware code into files of various types: rich text documents, spreadsheets and presentations. Usually a notification prompt is presented to the users asking them to enable the built-in macros (scripts). If this is done the infection follows.
Virus strains like this one can also be distributed with the help of browser hijackers that are dangerous plugins made for the most popular browsers. They are usually uploaded to the relevant plugin repositories using false developer credentials, user reviews and elaborate descriptions that attempt to fool the users into installing them. Theyusually redirect the victims to a hacker-controlled site and steal sensitive data from the victim hosts. Any malware actions, including the virus delivery, follow once the first stage of the behavior pattern is executed.
The Scarab-Osk virus can also be delivered using web scripts of different types that can also affect legitimate sites through ad and affiliate networks. This include the likes of redirects, pop-ups, banners and in-line hyperlinks.
Scarab-Osk Virus – In-Depth Analysis
The Scarab-Osk virus is the newest strain of the Scarab ransomware family. The code analysis reveals that it contains much of the behavior patterns that correspond to the previous versions.
It contains the same modular malware engine which can be tweaked according to the exact campaign. As such it can begin with an information gathering component that can hijack sensitive content from the affected devices. There are two primary types that are commonly distinguished:
- Private Data — It can be used to directly expose the victim’s identity. This is made possible by instructing the malware engine to harvest strings that may reveal the data. Examples include a person’s name, address, location, interests, passwords and account credentials.
- Campaign Metrics — Part of the hijacked information can be used to optimize the attacks. Such data includes information such as a profile of the installed hardware components and certain values from the operating system.
The collected data can then be fed to a stealth protection module which can protect the virus instance from detection and removal. It scans for the presence of anti-virus products, virtual machine hosts and sandbox environments. Advanced strains can be configured into deleting themselves if they are unable to process this step.
After this the virus has already been placed on the target system and the other follow-up components can be initiated. Usually Windows Registry entries are affected. Depending on the targets — user-installed applications or the operating system itself certain functions or services can fail to start properly. In addition overall performance can be affected. When the virus is deployed as a persistent threat the associated engine will deploy many additional modifications. This includes boot options by removing the ability to enter into the recovery boot menu. This also renders most manual recovery options non-working. In such cases we advise victims to follow our in-depth instructions and use a quality anti-spyware solution.
Furthermore the Scarab-Osk virus strain is capable of instituting a network connection with the hacker-controlled servers. If configured so this module can be used to spy on the victims in real time and take over control of their machines at any given time. This mechanism is also used for effective deployment of additional threats.
Additional modules can be loaded if the hackers configure the released strains in the appropriate manner. The deployed virus file can be modified in accordance to the predefined targets and the campaign in general.
Scarab-Osk Virus – Encryption Process
The Scarab-Osk virus uses the same complex encryption algorithm and cipher as used in previous versions of the family. It targets files based on a predefined list of target file type extensions:
The affected files have their names hashed using a preset algorithm and the .osk extension is applied to them. The associated ransom message is created in a HOW TO RECOVER ENCRYPTED FILES.TXT file which reads the following:
YOUR FILES ARE CRYPTED!
Your personal identifier
Your documents, photos, databases, saving in games and other important data were encrypted.
Data recovery requires a decryptor.
To receive the decryptor, you should send an e-mail to firstname.lastname@example.org
In the letter, indicate your personal identifier (see At the beginning of this document).
If I can not connect through the mail, I can not
* Register on the site http://bitmsg.me (online delivery service Bitmessage)
* Send an email to BM-2cUvL7bCPmMZc7QonNfrdLQesmpxX9Sr53 with your email and ID of the identifier
Next, you pay the cost of the decryptor. In the reply letter you will receive the address Bitcoin-purse, for which it is necessary to perform the transfer of money in the amount of 0,013 bitcoin ( 0,013 BTC ~ 100 $ ).
If you do not have bitocoins
* Create a Bitcoin purse: https://blockchain.info/en/wallet/new
* Acquire the Bitcoin crypto currency:
https://localbitcoins.com/buy_bitcoins (Visa / MasterCard, etc.)
https://www.bitcoin.it/wiki (instruction for beginners)
* Send 0,013 BTC to the address in the email address
When the money transfer is confirmed, you will receive a file decryption for your computer.
After starting the decryption program, all your files will be restored.
* Do not attempt to uninstall the program or run antivirus software
* Attempts to self-decrypt files will result in the loss of your data
* Decoders of other users are incompatible with your data, as each user unique encryption key
Remove Scarab-Osk Virus and Restore .osk Files
If your computer system got infected with the Scarab-Osk ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.