Scarab Ransomware

Scarab Ransomware is yet another infection that employed AES (Advanced Encryption Standard) to encrypt data on the infected computers. A few other infections that have used this encryption cipher include AES-NI Ransomware, Spectre Ransomware, and Oled Ransomware. The distribution of this threat is not unique, and it is believed that it usually enters via corrupted spam emails, in which the installer is attached as a regular file. Unsecure RDP connections could be exploited to spread this piece of malware as well. Unfortunately, once it gets in, it is extremely aggressive. First of all, it creates a copy of itself, and so even if you delete the malicious launcher fast, you might not be fast enough. As long as the copy is active, the threat can perform encryption. Whether you are only interested in this malware for educational purposes or you are trying to remove Scarab Ransomware from your own PC, this report should answer many of your questions regarding this threat.

When Scarab Ransomware slithers in, it creates a copy in the %APPDATA% directory. During the analysis in our internal lab, the name of the copy was “sevnz.exe”, but it is random, and so it could be completely different in your case. A point of execution (POE) for this file is created, and its name has a random CLSID-type name. This POE can be found under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. Once the ransomware is executed, and the encryption is complete, the POE is modified to represent the “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” file. Originally, the ransom note is placed in the %USERPROFILE% directory, but copies should be placed in all folders that have the encrypted files within them. Once these files are encrypted, they are given the “.[resque@plague.desi].scarab” extension. Although you can remove the extension from your file’s name, that is unnecessary because this action would change nothing.

The “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” file informs that your personal files stored on your PC were encrypted and that you can decrypt them only if you fulfill he demands introduced to you by the creator of Scarab Ransomware. It is stated that you must pay a ransom to get a decryptor, and in order to get it, you need to email your unique ID number (represented via the TXT file) to resque@plague.desi. A specific ransom is not revealed, and it is suggested that the sum depends on how quickly you email cyber criminals. Our research team has seen ransomware infections requesting anywhere from a few bucks to thousands of US Dollars. We do not advise paying the ransom, especially if the sum is high. While you can spare a few dollars in the hopes of getting your files back, wasting thousands can be very painful. Unfortunately, the chances of getting a real decryptor are very slim, and if you decide to pay the Scarab Ransomware ransom, you must be aware of the possibility that you are wasting your money.

When Scarab Ransomware encrypts your files, it also makes sure that the Shadow Volume copies are deleted. It employs the “vssadmin Delete Shadows /All /Quiet” command to take care of that. By doing this, the ransomware ensures that you cannot recover your files even if you had a system restore point set up. Basically, your only chance at getting your files restored is if they are backed up on an external drive or a storage cloud online. If that is not the case, you are facing a complete loss of your personal photos, media files, documents, and other data. If you want to avoid this in the future – and new ransomware threats emerge every single day – you need to start backing up your data as soon as possible. Note that if your files are backed up, you should not start replacing the infected copies with backups until the ransomware is removed.

The chances are that the malicious Scarab Ransomware deleted itself as soon as the encryption was complete. Nonetheless, you should check the %APPDATA% directory to see if a copy of the malicious launcher still exists. If you find the file, remove it immediately. Afterward, eliminate every copy of the ransom note file. If other infections exist, you need to eliminate them as well. You must not forget to install a malware scanner to check for leftovers as well. If you are facing problems regarding manual removal, remember that a legitimate anti-malware tool can erase all malicious files automatically.

Scarab Ransomware Removal

1. Right-click and Delete the [random name].exe launcher file (if it was not erased automatically).
2. Launch Explorer by tapping Win+E keys and then enter %APPDATA% into the bar at the top.
3. Right-click and Delete the [random name].exe file that is the copy of the launcher (if it was not erased automatically already).
4. Delete all copies of the IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT file.
5. Empty Recycle Bin and then perform a full system scan.