A blog post created to show you how to properly remove the .scarab file extension ransomware, how to protect yourself from Scarab Ransomware infections and how to try and restore files that have been encrypted by it.
AES encryption algorithm is the cipher used by the ransomware infection, known as Scarab ransomware virus. This type of virus is from the file encryption kind, meaning that it scrambles the files on your computer after it infects it and then asks you to pay a ransom “fee” in BitCoin in order to get them back. The virus also adds the file extension .scarab to the encrypted files and a text file, named “IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT” which gives the victim instructions on how to make the payoff. If you are one of the victims of .scarab ransomware, we advise you to read this article.
|Short Description||Encrypts the important files on the infected computer and then asks it’s owner to pay a ransom to retrieve them.|
|Symptoms||Files are appended the .scarab file extension and are no longer openable. Added ransom note, named “IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT”.|
|Distribution Method||Spam Emails, Email Attachments, Executable files|
|Detection Tool|| See If Your System Has Been Affected by Scarab |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Scarab.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
.scarab Ransomware – Update November 2017
A new wave of e-mails that are distributing Scarab ransomware has been reported to be detected by malware researchers. The number of submissions on the website, created to assist victims with identifying ransomware ID ransomware has also risen in a masisve spike, like never before.
Scarab emails disguised as archives carrying scanned images from fake services and companies. The pattern of spam is very similar to the Necurs botnet spam campaign. These e-mails aim to deceive you that you are receiving e-mails coming directly from companies, such as Lexmar, HP, Canon, Epson and others. The e-mails themselves have been reported to contain a 7Zip type of archive which as a .vbs file in it. When this .VBS script is activated, it connects to a remote host, from which it downloads and runs an .exe executable type of file, which is the malicious file of Scarab ransomware. Here is how the e-mails look like, reported from researcher Brad at malware-traffic-analysis.net:
When the archive itself is opened, the Scarab ransomware virus may display the VBS (Visual Basic Script) file which is embedded within it. The file may have a name similar to the following:
In the event that you encounter such file, recommendations are to not open it under any circumstances.
Scarab Ransomware – Distribution Methods
In order to infect your computer, the cyber-criminals by Scarab ransomware, may engineer multiple different methods to slither the virus files. These methods include the usage of different tools such as:
- Exploit kits.
- Web injectors.
- Fake updates.
- E-mail spam messages.
- Malicious e-mail attachments.
- Infected software setups.
- Malicious macros.
All of these tools may result in spreading Scarab ransomware via:
- E-mail spam messages that pretend they contain a legitimate web link or an e-mail attachment.
- Fake setups uploaded on websites for a program which the victim is looking to download.
- Software activators, fake game cracks or other activation executables.
- Malicious web links posted as spam on forums, social media, etc.
Analysis of the .Scarab File Virus
When an infection with the Scarab ransomware virus happens, the unthinkable becomes reality. The first stage of activity of the virus on your computer is to prepare the PC for file encryption. It may initially connect to the command and control server of the cyber-criminals behind the virus. Then, the .scarab file virus may relay system information from the infected computer and uniquely identify it, using fuctions within it’s malicious executable. The malicious file of Scarab Ransomware is a random named .exe file and it may reside in various %SystemDrive% directories.
Besides the primary malicious file of this virus, a text file is dropped that has the ransom note message for the victim to read and pay the fee. It is named IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT and has the following contents:
*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
—–BEGIN PERSONAL IDENTIFIER—–
—–END PERSONAL IDENTIFIER—–
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: [email protected]
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
* Also you can find other places to buy Bitcoins and beginners guide here:
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
In addition to this, the Scarab ransomware does not stop there. The virus may also delete the shadow volume copies on your infected computer. This Is achieved by using the vssadmin command which the ransomware executes as an administrator:
Scarab Ransomware – Encryption Process
The encryption process of this virus is conducted via the AES encryption algorithm to encrypt the files and the base64 to rename them. To the encrypted files, the Scarab virus adds the file extension .scarab and they appear like the following:
Scarab ransomware targets specific files which it renders corrupt. These are documents, pictures, videos, audio files, archives and other files that are often used. The most targeted file types which are encrypted are the following:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com
Remove Scarab Ransomware and Restore Your Files
Scarab ransomware is no virus to underestimate and this is why we advise you to backup your files even if they are encrypted. Then you should remove the virus files by using the instructions below. Bear in mind that Scarab is the type of virus which may create multiple objects with functions that may damage your Windows if you try to delete it. This is why a ransomware-specific removal software is recommend to perform the removal of Scarab ransomware automatically.
To restore your files, you can try the alternative methods in step “2. Restore files encrypted by Scarab” below. They are specifically designed to help restore at least a potion of the data, at least until a free decrypter is released by security researchers.