Scarabey Ransomware – How to Remove + Restore .scarab Files

Scarabey Ransomware – How to Remove + Restore .scarab Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created in order to help you by explaining how to remove Scarabey ransomware virus from your computer system and how to restore .scarab encrypted files.

A new ransomware version of the notorious Scarab ransomware virus, calling itself Scarabey, which hit computer in the summer of last year has come back in a new iteration according to malware researcher going by the nickname vhioureas. The malware’s primary purpose is to render the files on your computer after it encrypts them no longer able to be opened until you pay a hefty ransom fee in order to get those files restored back to their original state. In the event that your PC has suffered an attack with the new variant of Scarab ransomware, we strongly advise you to remove this malware and try to restore .scarab encrypted files, preferrably by reading the following article.

Threat Summary

NameScarabey Ransomware
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on the computers which are infected by it and then hold them hostageuntil the victim follows the instructions on it’s ransom note.
SymptomsThe Scarab ransomware infection leaves behind the files no longer openable with the .scarab file extension to them.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Scarabey Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Scarabey Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Scarabey v2 Ransomware – Infection Process

In order to infect victims, the new variant of Scarab ransomware aims to perform series of activities on the victim PC, primarily targeting the victims via an RDP dropping of files on victim’s computers as well as company servers.

Furthermore, the virus does not infect directly via samples as it is written in Dephi without the C++ encapsulation which means that the virus uses a more sophisticated method for evasion and detection.

Regarding the methods of infection, the malware may cause the infection via multiple different methods, the most likely of which are:

  • Via fake setups of programs.
  • Via fraudulent software cracks or license activators.
  • Via other fake programs available online.
  • Via documents that seem legitimate and are sent through spam e-mails as e-mail attachments.
  • Through web links sent as spam messages in comment sections or social media chats.

Scarabey v2 Ransomware – Analysis and Activity

Scarab Ransomware’s new version which has been created with more abilities to perform malicious activities on victim computers. The new variant can be recognized by it’s ransom note which leads experts to believe that may be translated via Google Translate from Russian to Engish. The ransom note, named englishTansRansomSCARAB.txt, provides the following message to victims:

Good afternoon. Your computer has been infected with Scarabey. All data is encrypted with a unique key, which is only with us.
Without a unique key – files can not be restored.
24 files are deleted every 24 hours. (we have copies of them)
If you do not run the decryption program within 72 hours, all the files on the computer are completely deleted, without the possibility of recovery.
Read carefully how to recover aII encrypted data.
You can restore files as follows:
1. contact us by e-mail:
Send your ID and 2 files, up to 1 mb each.
We decrypt them, to prove the possibility of deciphering.
also receive instruction on payment. (payment will be in bitcoin)
report your ID and we will turn off any deletion of files
(if you do not provide your ID, every 24 hours will be
deleted by 24 files. If you tell ID- we will turn it off) 5
2. pay and confirm the payment.
3. After payment receive a decoder. Which will restore your data and turn off the function of deleting files.
You have 48 hours to pay.
If you do not have time to pay for 48 hours, the price of decryption is increased by 2 times.
To recover files, without losses, and at a minimum rate, you must pay within 48 hours.
l For detailed instructions, please contact email:
-After starting the decoder, the files are decoded within an hour.
If you try to scan or decrypt the data yourself – you can lose your files forever.
Decoders of other users are incompatible with your data, as each user
unique encryption key
Your ID

In addition to this, several other changes are also introduced with this variant of the ransomware, making it more dangerous. While in the original version of the malware it claims that the longer the victim waits, the price of the ransom is likely to go up, the newer Scarabey version claims to directly delete 24 files each 24 hours, which is quite the motivator to pay the ransom. However, researchers were later able to establish that this is only a scare tactic by the cyber-criminals in order to get victims to pay the ransom faster.

When we take a look inside of the virus files, it quickly becomes evident that the Scarabey ransomware’s latest version is written in Delphi. Its initial course of action after the virus infects your computer is to check if it has been ran before on the infected computer by checking the parameters on the computer attacked by it.

The malware also checks if the following Windows registry key has been set on the attacked device:

→ Software\ILRTISo\idle

If it is running ofr the first time on the victim PC, the virus executes the following command in Windows Command Prompt as an administrator with the purpose to exist in the %Temp% directory under the name sevnz.exe:

→ cmd.exe /c copy /y C:\Users\virusLab\Desktop\9a02862ac95345359dfc3dcc93e3c10e.exe “C:\Users\virusLab\AppData\Roaming\sevnz.exe”

After doing so, the Scarabey ransomware virus runs a process which executes the file sevnz.exe, previously copied:

→ %AppData%\Roaming\sevnz.exe

After doing so, the malware opens the process cmd.exe via a JavaScript code which triggers a script. The script has been reported to be the following:

→ “mshta.exe “javascript:o=new ActiveXObject(‘Scripting.FileSystemObject’);setInterval(function(){try{o.DeleteFile(‘9a02862ac95345359dfc3dcc93e3c10f.exe’);close()}catch(e){}},10);””

This command aims to delete the process of the virus after it’s activity is complete. In addition to this, the new version of Scarab Ransomware has also been reported to directly delete the shadow volume copies on the infected computer system to prevent victims from recovering their data:

→ ActiveXObject(“WScript.Shell”);
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0”
cmd.exe /c wmic SHADOWCOPY DELETE”
cmd.exe /c vssadmin Delete Shadows /All /Quiet”
cmd.exe /c bcdedit “
new ActiveXObject(“WScript.Shell”
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP-keepVersions:0”
cmd.exe /cwmicSHADOWCOPYDELETE”0
cmd.exevssadminDeleteShadows /All/Quiet”
cmd.exe /c bcdedit /set {default} recoveryenabled No”,
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures”

Then, the Scarabey ransomware infection performs a rather sophisticated and clever activity which eliminates completely Windows’s file defense. The activities of this malware consist of shutting down processes that are important for Windows and that may prevent the malware from modifying (encrypting) the files on the compromised computer. However, most of these processes, if active and being ended, will be reactivated by Windows and this is why, the virus has a thread which “looks” for the processes which are reactivated over a short timespan and as soon as they run again, the malware shuts those processes down completely. The targeted Windows processes by Scarabey are the following:

→ agntsvc.exe

Scarabey Ransomware Virus – Encryption Process

The malware preforms a so-called encryption loop which is basically checking over and over again for a mutex which can stop it from encrypting, based on specific criteria. However, if such mutex is not found, the malware begins to perform the encryption by checking absolutely every folder and file, carefully avoiding files that are from the .dll and .exe file formats. When the Scarabey ransomware version performs the encryption procedure, the malware uses the AES encryption algorithm on the files which is with 256-bit strength and an AES-ALGO labeled function. The virus encrypts each file by using 16-characted blocks, which is normal as it’s running AES encryption and each of the 16 characted blocks from the file it encodes are 128-bit encrypted. In addition to this, the ransomware also performs another encryption activity whih is to apply CBS (Cipher Block Chaining). This is essentially linking the files one to another in order to link them into a chain to additionally make the decryption of those files more difficult. So if we were to explain this the simplest way is if you have file A and file B which is encrypted after file A, part of the code in file A serves as identification and initialization that the next block of encrypted data is located in file B. So to determine how to decrypt file B, you are obliged to look into file A’s code and investigate which is the next file.

But to decrypt the actual files is also next to impossible since, the algorithm itself also generates a unique decryption key which is assymetric and only paying the ransom can so far get you that key accompanied by a decryption software. However, if you come across your files to be encrypted with the .scarab file extension added to them, experts advise not to pay the ransom as:

  • You support their cyber-criminal operations.
  • They cannot guarantee that you will get your files back after paying.

How to Remove Scarabey Ransomware and Restore .scarab Encrypted Files

In order to make sure that this malware is permanently gone from your computer, you should follow the manual or automatic removal instructions down below. If you have the experience in removing ransomware manually, we advise you to focus on the first 2 steps from the manual removal and to look for the registry files which we have explained in the analysis part above. Otherwise, if you want a more automatic and faster solution and lack the expertise in malware removal, we urge you to download an advanced anti-malware program, which aims to automatically perform the removal operation of Scarab ransomware and secures your computer against future infections in real-time.

If you want to restore files that have been encrypted by this ransomware infection, we advise you to try out the alternative tools for file recovery down below in step “2. Restore files encrypted by .scarab Files Virus”. They may not guarantee fully that you will recover all of the files, but if you haven’t reinstalled your OS already, there is a good chance that you might just restore them.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share