A new iteration of the Scarab malware family has been identified: the Scarab-Please virus. It is a classic example of ransomware, encrypting the target's data and extorting the victim for a payment.
| Item | Scarab-Please virus |
|---|---|
| Short Description | A malware strain of the Scarab family that encrypts the target user's data and extorts the victim for a ransom payment. |
| Symptoms | Users are unable to access their data, which has been encrypted and renamed with the .please extension. |
| Distribution Method | Spam emails, file sharing networks, exploit kits |
Scarab-Please Virus – Infection Spread
The Scarab-Please virus, as a customized strain of the Scarab malware family, spreads using the same tactics.
A primary method is email messages that employ social engineering to coerce the intended victims into interacting with the dangerous code. The Scarab-Please payload can be linked from messages that pose as sites and links of interest to the user; usually this is done by copying the text and graphics of legitimate sites into the messages. In other cases the malware is delivered directly to the victims as a file attachment.
Another mechanism used by the criminals is infected documents of different types: rich text documents, spreadsheets and presentations. They frequently pose as files of interest such as letters, contracts, invoices, etc. Once the document is opened by the victim, a notification prompt appears asking them to enable the built-in macros (scripts). If this is done, the virus is downloaded from a hacker-controlled site and installed on the computer.
Related payload delivery mechanisms include infected software installers. These are made by taking legitimate setup files from the vendors and modifying them to include the Scarab-Please virus. The most popular targets remain system utilities, creativity tools and computer games.
The Scarab-Please virus code can also be integrated into browser hijackers of different types: malicious plugins made for the most popular web browsers (Mozilla Firefox, Google Chrome, Opera, Internet Explorer, Safari and Microsoft Edge). Their main goal is to redirect the victims to a hacker-controlled site by changing the application's default settings (new tab page, search engine and home page).
The threat can also be installed through malicious scripts delivered as banners, pop-ups or in-text links. These are frequently found on legitimate sites as well as in online communities (forums and chats).
Internet users should be extremely careful, as malware strains are frequently posted to hacker-controlled sites that impersonate legitimate vendors and well-known portals. This is also the case with file sharing networks like BitTorrent.
Scarab-Please Virus – Technical Data
The Scarab-Please virus strain is a customized version of the Scarab malware family and as such uses the same behavior patterns.
It is very possible that updated versions include new functionality, and changes can be implemented in virtually all aspects of the virus's execution. The hackers modify the initial infection engine by including a stealth protection mechanism: it scans the system for the presence of security software signatures (anti-virus products, virtual machine hosts and debugging environments) and bypasses or entirely removes their real-time scan engines. Advanced virus strains can be programmed to delete themselves to avoid detection.
When the Scarab-Please virus has been fully deployed it can launch various modules, including an information gathering one. It is usually programmed in advance and can gather two types of data:
- Anonymous Metrics — Data about the installed hardware components and the available software.
- Personal Data — The virus can be programmed to harvest personal information from the compromised machines. The malware can be instructed to search for specific strings related to the victim's name, address, phone number, geolocation, interests and passwords.
A next step would be to make dangerous system changes that lead to a persistent state of execution. This makes it very difficult for the victims to delete the threat on their own without a quality anti-spyware solution. The Scarab-Please virus engine may delete the shadow volume copies of affected data it finds, which makes data recovery very difficult unless the user turns to a professional solution. Changes to the boot options and the Windows Registry can remove the possibility of using various recovery options. Such changes can also impact other applications, causing performance issues or glitches during execution.
Scarab-Please Virus – Encryption Process
Once all relevant modules have completed execution the ransomware component is started. Like the previous Scarab malware samples it uses a built-in list of target file type extensions. Usually the most popular data is affected:
Once all files have been processed they are renamed with the .please extension. A ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT is dropped, reading:
All your files have been encrypted!
Dont worry, you can return all your files!
If you want restore files write on e-mail
1. [email protected]
2. [email protected] (if first email unavailable)
Send me your ID and 1-2 small encrypted files(The total size of files must be less than 1Mb (non archived)) for free decryption.
After that, I’ll tell you the price for decryption all files.
Dont try to use other decryptor tools because it will destroy your files.
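A triage script for the artifacts described in this section, added here as an example and not part of the article: it walks a directory tree, collects files renamed with the .please extension, recovers their original extensions to show which data types were hit, and flags directories holding the HOW TO RECOVER ENCRYPTED FILES.TXT note (matched by name or by the note's first line). The demo() function builds a constructed sample tree in a temporary directory; the indicators are the ones named above.

```python
import os
import tempfile
from collections import Counter

# Indicators named in the write-up: appended extension, note file name, note first line.
ENCRYPTED_EXT = ".please"
NOTE_NAME = "HOW TO RECOVER ENCRYPTED FILES.TXT"
NOTE_MARKER = "All your files have been encrypted!"


def is_ransom_note(path):
    """True if the file carries the note's name or opens with the note's first line."""
    if os.path.basename(path).upper() == NOTE_NAME:
        return True
    try:
        with open(path, "r", errors="ignore") as fh:
            return fh.readline().strip() == NOTE_MARKER
    except OSError:
        return False


def scan_tree(root):
    """Walk root and return encrypted files, note directories and a Counter of
    the original extensions recovered by stripping the .please suffix."""
    encrypted, note_dirs, original_ext = [], [], Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                stem = name[: -len(ENCRYPTED_EXT)]  # e.g. report.docx.please -> report.docx
                original_ext[os.path.splitext(stem)[1].lower() or "(none)"] += 1
            elif is_ransom_note(path):
                note_dirs.append(dirpath)
    return {"encrypted": sorted(encrypted), "note_dirs": sorted(note_dirs),
            "original_ext": original_ext}


def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    docs = os.path.join(tempfile.mkdtemp(prefix="scarab-triage-"), "Documents")
    os.makedirs(docs)
    for name in ("report.docx.please", "budget.xlsx.please",
                 "photo.jpg.please", "notes.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content")
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write(NOTE_MARKER + "\nDont worry, you can return all your files!\n")
    return scan_tree(os.path.dirname(docs))
```

Run scan_tree() against a mounted image or an affected share to get a count of encrypted files per original extension and the directories where the note was dropped.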
Remove Scarab-Please Virus and Restore Your Files
If your computer got compromised and is infected with the Scarab-Please ransomware virus, you should have some experience with removing viruses before tampering with it. You should get rid of the ransomware fast before it can spread further on the network and encrypt more files. The recommended action for you is to remove the ransomware completely by following the step-by-step instructions written below.