Necurs botnet helps spread Scarab ransomware via spam emails

The developers of Scarab ransomware employ Necurs botnet for distribution

While the infamous Necurs botnet was staying silent for some time, on November 23, it came back sending 12.7 million spam emails in the first several hours. According to the analysts, they were used to spread Scarab ransomware virus. The crypto-malware campaign started its malicious activity at 7 in the morning and continued until 1.30 p.m.

Previously Necurs was spotted spreading the following computer infections:

  • Locky ransomware;
  • Dridex Banking Trojan;
  • GlobeImposter virus;
  • Jaff ransomware.

Spam emails: ransomware disguises under the deceptive name

The victims report that they have received a letter with the subject line “Scanned from [printer company name]” which contains a 7zip attachment. Once the credulous computer user clicks on it, the VBScript downloader connects to the network and drops %Application Data%\sevnz.exe file which is the executable of Scarab virus.

Note that the same delusional email name was used to trick gullible people in Locky campaign. Therefore, it was easy for the IT experts to track the links to Necurs botnet.

Cybersecurity analysts found out that the majority of the email letters were sent to the .com,,, .fr, .de, and .org addresses. In other terms, the most affected countries by Scarab ransomware are USA, UK, Australia, France, and Germany. However, it doesn’t indicate that computer users living elsewhere shouldn’t be cautious of the file-encrypting virus.

Scarab ransomware: encrypts data and asks for a ransom in exchange for recovering files

Scarab virus functions as any other ransomware — it encodes the most commonly used documents and files to swindle money from desperate computer users. Once it infects the system, the corrupted information is marked with a .[[email protected]].scarab file extension. Moreover, the folders containing the compromised data also possess a IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT file which serves as a ransom note.

Besides, Scarab modifies the registry entries to autostart every time the victim turns on his or her computer. The alterations are the following:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce;
  • uSjBVNE = “%Application Data%\sevnz.exe.

IT technicians noticed that the word support was misspelled both in the file extension and in the ransom message. Likewise, it is believed that there are numerous email addresses used by Scarab ransomware to collect the demanded money. Besides, the .txt file provides an alternative way to contact the criminals — BitMessage. It raises an assumption that the email address might soon become unavailable.

After the successful infiltration the Scarab ransomware proceeds with the following commands:

  • cmd.exe /c vssadmin Delete Shadows /All /Quiet;
  • cmd.exe /c wmic SHADOWCOPY DELETE;
  • cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures;
  • cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0.

Learn how to protect yourself from ransomware attacks

If you want to avoid not only Scarab virus but other ransomware as well, you should carefully monitor your browsing experience. It is important always double-check the files you attempt to install or emails you are going to open. Pay attention to the small details which indicate that the malicious program may hide inside — it can either be the unknown sender or a vague message. Despite what it says, avoid opening email letters from people you don’t know. Instead, delete them immediately.

Another great method to decrease the risk of malware infections is to do not get tricked to click on various advertisements. Note that they might appear as banners, in-texts or pop-ups. Usually, they also look genuine and offer great deals or effective system optimization tools. Do not fall into the trap of the hackers and never download software which is annoyingly pushed through ads.

Experts suggest using a professional antivirus system as well. It is important to update it regularly and scan the files you want to download beforehand. This way you will not only protect your system’s security from high-risk computer infections but also your privacy from banking trojans.



Posted in support.