A new version of the Scarab ransomware has been reported to encrypt the files on infected computers, appending the .scorpio file extension and using the e-mail address Help-Mails@Ya.Ru as its contact. The variant still drops the same ransom note, named “IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT”.
In it, the criminals demand that the victim e-mail them a personal identifier and then pay in Bitcoin for decryption of the files. If you have become a victim of the .scorpio ransomware, read this article thoroughly before acting.
Short Description: Encrypts the files on the compromised computer and asks its owner to pay in Bitcoin to get them back.
Symptoms: Files are encrypted and have the .scorpio extension appended. The ransom note is the same as the one dropped by the .scarab file virus.
Distribution Method: Spam e-mails, e-mail attachments, executable files.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans drive sectors to recover lost files; it may recover only some of the encrypted files rather than all of them, depending on the situation and on whether the drive has been reformatted.
How Does Scorpio Ransomware Infect
The infection chain of Scorpio ransomware may involve several tools and methods that deliver the payload to your computer while staying unnoticed. These are usually different pieces of software and kits, such as:
- Exploit kits.
- Web injectors.
- Fake updates.
- Malicious e-mail templates.
- Fake Windows updates.
- Infected setups of software.
- Macros with malicious code.
These tools are combined with delivery methods such as the following to spread the Scarab ransomware:
- Fake software installers uploaded to various websites in place of the free program you were looking to download.
- Fake software activators, game cracks and other license-activation tools distributed as torrents or on crack sites.
- Web links spammed as comments on websites.
.Scorpio File Ransomware Analysis
The Scorpio infection is not here to mess around. Once the virus is activated it immediately gets down to business and begins its malicious activity on the compromised device. The .scorpio file virus may transfer data from the infected computer directly to the third-party hosts it connects to. This is done via pre-configured functions in its malicious executable, which may have a completely random name and is located in one of the %SystemDrive% folders.
Besides dropping its own files, the virus may also tamper with other system files on the compromised computer, resulting in the modification of Windows settings and further malicious activity. Among these actions may be the complete deletion of the Shadow Volume Copies on the infected computer, using the administrative vssadmin command run from the Windows Command Prompt.
The command is run from an elevated (administrative) context and in quiet mode, so the deletion completes without any prompt or visible output that the victim would notice.
In addition, the .scorpio malware makes sure the victim sees its ransom note, which has the following contents:
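The shadow-copy deletion described above is one of the few high-fidelity signals this family gives a defender before the ransom note appears. The following is an added example for this article, not code from the original page or from the Scorpio/Scarab sample: it runs a small detection over constructed Windows process-creation log lines. The `Key=Value` field layout resembles Sysmon Event ID 1 but is an assumption, as is the exact command line `vssadmin delete shadows /all /quiet` (the article only says vssadmin is run from an administrative prompt in quiet mode). The `wmic shadowcopy delete` and `vssadmin resize shadowstorage` patterns are well-known equivalents used by other ransomware and are included so the check is not trivially bypassed.

```python
"""Detect Volume Shadow Copy deletion in Windows process-creation telemetry.

Added example for this article; not code from the original page and not code
from the Scorpio/Scarab sample. The log lines are constructed to resemble
Sysmon Event ID 1 'Key=Value' fields (field names and the exact command line
are assumptions: the article only says Scorpio runs vssadmin from an
administrative prompt in quiet mode).
"""
import re

# vssadmin is what the article names. The resize and wmic forms are
# well-known equivalents used by other ransomware to get the same effect,
# so a detection that only matches "delete shadows" is easy to sidestep.
SHADOW_DELETION_PATTERNS = (
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
)

# Heuristic, not a hard rule: the article says the dropper sits under
# %SystemDrive% with a random name, so a vssadmin child of something in a
# user-writable path is far more suspicious than a child of an admin's cmd.exe.
USER_WRITABLE_RE = re.compile(r"\\(?:Users|Temp|ProgramData)\\", re.IGNORECASE)

# One 'Key=Value' or 'Key="quoted value"' pair.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one process-creation log line into a dict of its fields."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_shadow_deletion(command_line):
    """True if the command line removes or starves shadow copies."""
    return any(p.search(command_line) for p in SHADOW_DELETION_PATTERNS)


def find_shadow_deletions(log_lines):
    """Return one alert dict per matching process-creation event."""
    alerts = []
    for line in log_lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        if not is_shadow_deletion(cmd):
            continue
        parent = event.get("ParentImage", "")
        alerts.append({
            "image": event.get("Image", ""),
            "command_line": cmd,
            "parent": parent,
            "user": event.get("User", ""),
            "parent_in_user_writable_path": bool(USER_WRITABLE_RE.search(parent)),
        })
    return alerts


# Constructed sample log: three shadow-copy attacks and two benign events.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" ParentImage=C:\Users\victim\AppData\Local\Temp\xkq9m2.exe User=DESKTOP-1\victim',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Users\victim\AppData\Local\Temp\xkq9m2.exe User=DESKTOP-1\victim',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB" ParentImage=C:\Windows\System32\cmd.exe User=DESKTOP-1\victim',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe User=DESKTOP-1\admin',
    r'EventID=1 Image=C:\Windows\explorer.exe CommandLine="C:\Windows\Explorer.EXE" ParentImage=C:\Windows\System32\userinit.exe User=DESKTOP-1\victim',
]

if __name__ == "__main__":
    for alert in find_shadow_deletions(SAMPLE_LOG):
        print(alert)
```

Running the block flags the first three events and leaves `vssadmin list shadows` alone. The `parent_in_user_writable_path` field is what separates the first two alerts (spawned by a randomly named binary under the user's Temp folder) from the third, which an administrator could plausibly have typed; in a real deployment the parent path, not the command line alone, should drive the severity.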
*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
-----BEGIN PERSONAL IDENTIFIER-----
-----END PERSONAL IDENTIFIER-----
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: Help-Mails@Ya.Ru
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
* Also you can find other places to buy Bitcoins and beginners guide here:
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The Encryption Process of Scorpio Ransomware
For the encryption procedure, the .scorpio file virus uses the Advanced Encryption Standard (AES) cipher. It then renames each file using base64, appending the .scorpio file extension and the e-mail Help-Mails@Ya.Ru in the process, so the original file names are no longer recognizable after encryption.
Not every file on your PC is encrypted. The Scorpio ransomware focuses on file types that are used very often, such as the following extensions:
→ “.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
CAD Files: .DWG .DXF
GIS Files: .GPX .KML .KMZ
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded Files: .HQX .MIM .UUE
.7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
Source: fileinfo.com
The Scorpio virus avoids encrypting Windows system files so that the operating system keeps working, which is why it skips system folders during the encryption process.
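The extension list quoted above and the note on skipped system folders are enough to build a quick post-incident inventory. The following is an added example for this article, not code from the original page: it normalises an excerpt of the article's extension list as extracted (leading dot missing on PNG, category labels mixed in, tokens such as `..INI`, `R.BMP` and `XHTML.`), then walks a constructed directory tree and reports which files already carry the `.scorpio` extension, which still-readable files have a targeted extension, and which directories were skipped. Which folder names count as "system folders" is an assumption, since the article says only that such folders are skipped; the sample tree and file contents are constructed, not real malware output.

```python
"""Inventory of encrypted and at-risk files in a directory tree.

Added example for this article, not code from the original page. It takes
the (extraction-garbled) extension list the article quotes, normalises it,
and walks a tree reporting files that already carry the .scorpio extension,
files whose extension is on the target list, and directories skipped as
system folders. The SYSTEM_DIRS set is an assumption: the article only says
system folders are skipped, not which ones.
"""
import os
import re
import tempfile

# Excerpt of the article's list, copied with its garbling intact
# (missing leading dot on PNG, category labels, "..INI", "R.BMP", "XHTML.").
RAW_EXTENSION_LIST = (
    '"PNG .PSD .TIF .AI .PDF .XLS .XLSX .SQL .EXE .JAR CAD Files .DWG .DXF '
    "GIS Files .GPX .KML .HTML .JS .PHP .XHTML. DOC .DOCX .TXT .CSV ..INI "
    ".7Z .RAR .TAR.GZ .ZIP .ISO Audio Files .MP3 .WAV Video Files .MP4 .AVI "
    '3D .3DS .OBJ R.BMP .GIF .JPG .DLL .SYS .CFG"Source:fileinfo.com'
)
LABEL_WORDS = {"cad", "gis", "files", "encoded", "audio", "video", "3d", "r"}
ENCRYPTED_EXT = ".scorpio"
RANSOM_NOTE = "IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT"
SYSTEM_DIRS = {"windows", "program files", "program files (x86)", "programdata"}  # assumption


def normalize_ext(token):
    """Map one quoted token to a lower-case '.ext' (None for labels or junk)."""
    text = token.strip(".").lower()
    if not text or text in LABEL_WORDS or ":" in text:
        return None
    parts = [p for p in text.split(".") if p]
    if len(parts) > 1 and len(parts[0]) == 1:   # "R.BMP" -> "bmp"
        parts = parts[1:]
    if not all(re.fullmatch(r"[a-z0-9]+", p) for p in parts):
        return None
    return "." + ".".join(parts)                 # keeps ".tar.gz" intact


def parse_extension_list(text):
    """Set of normalised extensions from the article's quoted list."""
    exts = {normalize_ext(tok) for tok in re.split(r'[\s"]+', text)}
    exts.discard(None)
    return exts


def targeted_ext(name, targets):
    """Longest target extension the file name ends with, else None."""
    low = name.lower()
    matches = [ext for ext in targets if low.endswith(ext)]
    return max(matches, key=len) if matches else None


def scan_tree(root, targets):
    """Classify every file under root; prune system folders like the malware does."""
    report = {"encrypted": [], "at_risk": [], "ransom_notes": [], "skipped_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for d in dirnames:
            rel_dir = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
            (report["skipped_dirs"] if d.lower() in SYSTEM_DIRS else keep).append(
                rel_dir if d.lower() in SYSTEM_DIRS else d)
        dirnames[:] = keep                        # in-place edit prunes the walk
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name.upper() == RANSOM_NOTE:
                report["ransom_notes"].append(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                report["encrypted"].append(rel)
            elif targeted_ext(name, targets):
                report["at_risk"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_sample_tree(root):
    """Create a small constructed victim tree (not real malware output)."""
    files = {
        "Documents/report.docx": b"report",
        "Documents/aW52b2ljZS5wZGY=.scorpio": b"\x00ciphertext\x00",
        "Documents/" + RANSOM_NOTE: b"Your files are now encrypted!",
        "Pictures/holiday.jpg": b"jpeg",
        "backup/site.tar.gz": b"tar",
        "notes.txt": b"todo",
        "readme.unknownext": b"ignored",
        "Windows/System32/kernel32.dll": b"dll",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir and return the scan report."""
    targets = parse_extension_list(RAW_EXTENSION_LIST)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, targets)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

On the sample tree the scan reports one encrypted file, one ransom note, four at-risk files (including `site.tar.gz`, which only matches because multi-part extensions are kept whole) and the skipped `Windows` directory; `kernel32.dll` is never reached even though `.DLL` is on the list, which mirrors the article's point that system folders are excluded before extension matching ever happens.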
Remove Scorpio Ransomware and Get Your Data Back
If you want to remove the Scorpio ransomware from your computer, we strongly suggest that you back up the encrypted files first. This ensures that intact copies of the encrypted files are available later, should a decrypter be released.
Then you can follow the removal instructions below. They are divided into manual and automatic. Since the .scorpio file virus may interfere with multiple system file types, we recommend removing it automatically. Malware researchers consider a ransomware-specific anti-malware program the best and fastest solution to ransomware such as the Scorpio infection.
If you want to restore your files, do not despair. Even though there is no free decryptor at the moment, we are monitoring the situation, so make sure to check this article often. In the meantime there is an alternative: we have gathered some methods in step “2. Restore files encrypted by Scorpio” below. They may not be 100 percent effective, but they may result in the recovery of at least some of your data.
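The backup step above is worth automating, because a removal tool that quarantines "suspicious" files, or a well-meaning user renaming them, can destroy the only input a future decrypter would need. The following is an added example for this article, not code from the original page: it copies every `.scorpio` file into a separate backup directory, keeps the relative layout, records a SHA-256 per file so the copies can be verified later, and attempts to recover the original file name from the base64 stem. The base64 renaming is what the article describes; that the stem decodes cleanly to the original name, and that the contact e-mail may sit as a trailing tag before the extension, are assumptions, so name recovery is best-effort and the script never renames anything. The victim tree is constructed.

```python
"""Preserve encrypted files before cleaning the machine.

Added example for this article, not code from the original page. It copies
every *.scorpio file into a backup directory, keeping the relative layout,
records a SHA-256 per file so the copies can be verified later, and tries to
recover the original file name from the base64 stem. The base64 naming is
what the article describes; that the stem decodes cleanly to the original
name, and where the e-mail tag sits, are assumptions, so recovery is
best-effort and nothing is renamed.
"""
import base64
import binascii
import hashlib
import json
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".scorpio"
CONTACT_TAG = "Help-Mails@Ya.Ru"


def sha256_of(path):
    """Streaming SHA-256 of a file, hex encoded."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def recover_original_name(encrypted_name):
    """Best-effort decode of '<base64>[.tag].scorpio'; None if it fails."""
    stem = encrypted_name[: -len(ENCRYPTED_EXT)]
    # Assumption: the e-mail may be embedded as a trailing tag before the extension.
    for sep in (".", "_", "-"):
        tag = sep + CONTACT_TAG
        if stem.lower().endswith(tag.lower()):
            stem = stem[: -len(tag)]
            break
    # Try the standard alphabet first, then URL-safe; strict validation so
    # arbitrary junk does not "decode" to garbage.
    for altchars in (None, b"-_"):
        try:
            name = base64.b64decode(stem, altchars=altchars, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if name and name.isprintable() and "/" not in name and "\\" not in name:
            return name
    return None


def backup_encrypted_files(src_root, backup_root):
    """Copy every .scorpio file under src_root into backup_root; return the manifest."""
    manifest = []
    for dirpath, _dirs, filenames in os.walk(src_root):
        for name in filenames:
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(backup_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)                  # copy2 preserves timestamps too
            digest = sha256_of(src)
            if sha256_of(dst) != digest:            # verify the copy before trusting it
                raise RuntimeError("backup copy does not match source: " + rel)
            manifest.append({
                "relative_path": rel.replace(os.sep, "/"),
                "size": os.path.getsize(src),
                "sha256": digest,
                "recovered_name": recover_original_name(name),
            })
    manifest.sort(key=lambda entry: entry["relative_path"])
    with open(os.path.join(backup_root, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def demo():
    """Constructed victim tree; returns the manifest the backup wrote."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        samples = {
            "Documents/aW52b2ljZS5wZGY=.scorpio": b"\x9f\x11ciphertext-1",
            "Documents/cmVwb3J0LmRvY3g=.Help-Mails@Ya.Ru.scorpio": b"\x00ciphertext-2",
            "Pictures/not-base64!.scorpio": b"ciphertext-3",
            "Pictures/untouched.jpg": b"plain",
        }
        for rel, data in samples.items():
            path = os.path.join(victim, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return backup_encrypted_files(victim, os.path.join(tmp, "backup"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the backup on a different volume or removable medium: the copies are as useless as the originals until a decrypter exists, and the manifest's hashes let you prove later that nothing (including the removal tool) altered them in the meantime. The third sample file shows the recovery path failing safely when a name is not valid base64.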