Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Scarab-Deep Ransomware

Scarab-Deep Ransomware is malware that comes from the Scarab family. Our malware experts have found that this malicious infection is a variant of Scarab-Bomber Ransomware, and a removal guide for this threat already exists on this website. In this report, we focus on the elimination of the new variant, as well as the malicious banking Trojan that appears to be downloaded along with it. By downloading this Trojan, the malicious ransomware has stepped into the big leagues. To have a file-encrypting threat invade the operating system is bad enough, but to have additional malware slither in leads to more issues. This is the reason why victims should never assume that their operating systems are clear as soon as they erase the malware they are aware of. If you continue reading, you will learn how to remove Scarab-Deep Ransomware and ClipBanker (the Trojan), as well as how to inspect the operating system for malicious leftovers and how to keep it malware-free in the future.

Spam emails are most likely to be used for the distribution of Scarab-Deep Ransomware. Other methods could be employed, but it is likely that you have executed the infection by opening a corrupted file sent to you along with a misleading message. Once executed, the threat creates a file in the %APPDATA% directory (the sample we tested was called “deep.exe”), but it should be automatically deleted as soon as the threat encrypts all files. Scarab-Deep Ransomware also drops two copies of the malicious banking Trojan, ClipBanker. One copy is created in the %TEMP% directory, and the other one is created in the %APPDATA%\Microsoft\Windows\ folder. The name of the first copy should be random, but the second should be named “updlive.exe.” A point of execution for this file should also be created under the HKEY_USERS\S-1-5-21-563032844-4108150345-4119072607-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Needless to say, you want to remove these malicious components; otherwise, you could become a victim of banking fraud. If you do not want cyber criminals using ClipBanker to potentially steal your money, you want to delete this malware as soon as possible.

Let’s go back to the malicious Scarab-Deep Ransomware. It is most likely that you will realize that this malware exists once your background is changed and a text file is created. The background image is replaced with one that displays a short message, as well as the mrdeep@protonmail.com email address. According to our research team, this address has been associated with Dharma Ransomware, another malicious infection, in the past. The same email address is also introduced to all victims of the ransomware via the text file named “HOW TO RECOVER ENCRYPTED FILES.TXT”. Copies of this file should be created everywhere on your operating system. According to the message inside, you need to email a special ID number. Although the message declares that decryption is free, in fact, you can have only 3 files decrypted for free. To recover the rest of them, you would have to pay for a decryption key. We do not recommend wasting your money on this. Cyber criminals are unlikely to provide you with what you need to get your files decrypted. Hopefully, even if your most valuable personal files have the “.deep” extension – which is how you can recognize the encrypted files – you can restore them from backup.

The instructions you can find below show how to delete Scarab-Deep Ransomware and the banking Trojan manually. Unfortunately, we cannot guarantee that you will be able to eliminate the malicious infection successfully because you might be unable to find the original launcher file. What if manual removal is not an ideal option for you? You should not panic because anti-malware software can help you. In fact, installing this software is something that all users should do. Why? For one, it can automatically remove Scarab-Deep Ransomware, the banking Trojan, and other threats that might exist. Furthermore, it can ensure full-time protection, and that is the most important thing because you do not want to face ransomware, Trojans, and other kinds of malware again! If the removal process is clear to you, go ahead and clean your system. Use a legitimate malware scanner to check for leftovers. If you have questions for our research team, use the comments section to continue the discussion.

Scarab-Deep Ransomware Removal

  1. Delete the {random name} launcher of the ransomware. It could be placed anywhere.
  2. Simultaneously tap Win+E keys to launch Windows Explorer.
  3. Enter %TEMP% into the field at the top to access the directory.
  4. Delete the {random name}.exe file that belongs to a Trojan.
  5. Enter %APPDATA%\Microsoft\Windows\ into the field at the top.
  6. Delete the file named updlive.exe.
  7. Enter %USERPROFILE% into the field at the top.
  8. Delete the file named HOW TO RECOVER ENCRYPTED FILES.TXT.
  9. Delete the remaining copies of the file in step 8 in random folders and directories on the computer.
  10. Simultaneously tap Win+R keys to launch RUN.
  11. Enter regedit.exe into the dialog box and click OK.
  12. Move to HKU\S-1-5-21-563032844-4108150345-4119072607-1000\Software\Microsoft\Windows\CurrentVersion\Run.
  13. Delete the {random name} value that points to the ransom note file in step 8.
  14. Also, delete the updlive value that is linked to one of the Trojan’s copies.
  15. Empty Recycle Bin and then install a trusted malware scanner to check for leftovers.

N.B. If you are not sure about the files you are deleting, do not. You do not want to eliminate the wrong files by mistake.
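
To locate the items from the steps above before deleting anything, the following PowerShell audit can be used. It is an added example, not a tool from this site or its research team; it only reads and reports, the function names are hypothetical, and it checks the Run key of every loaded user hive because the SID in the path above belongs to one specific account.

```powershell
# Added example: read-only audit for the artifacts named in this guide. Nothing is deleted.
# Assumption: run in the affected user's session so APPDATA, TEMP and USERPROFILE
# resolve to that profile. Function names are hypothetical.

function Get-ScarabDeepFileArtifact {
    param([string]$SearchRoot = $env:USERPROFILE)

    # Fixed-name files: the ransomware file (usually self-deleted) and the
    # persistent ClipBanker copy.
    $fixed = @(
        (Join-Path $env:APPDATA 'deep.exe'),
        (Join-Path $env:APPDATA 'Microsoft\Windows\updlive.exe')
    )
    foreach ($path in $fixed) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Indicator = 'Known file name'; Path = $path }
        }
    }

    # The %TEMP% copy has a random name, so list executables there for manual review.
    Get-ChildItem -LiteralPath $env:TEMP -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Indicator = 'EXE in TEMP (review)'; Path = $_.FullName } }

    # Ransom notes and encrypted files anywhere under the search root.
    Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'HOW TO RECOVER ENCRYPTED FILES.TXT' -or $_.Extension -eq '.deep' } |
        ForEach-Object { [pscustomobject]@{ Indicator = 'Ransom note or .deep file'; Path = $_.FullName } }
}

function Get-ScarabDeepRunValue {
    # Check the Run key of every loaded user hive rather than one hard-coded SID.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
        $runPath = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        $key = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -eq 'updlive' -or
                    $data -match 'updlive\.exe|HOW TO RECOVER ENCRYPTED FILES\.TXT') {
                    [pscustomobject]@{ Indicator = 'Run value'; Path = "$runPath\$name"; Data = $data }
                }
            }
        }
    }
}

@(Get-ScarabDeepFileArtifact) + @(Get-ScarabDeepRunValue) | Format-List
```

Executables listed from %TEMP% are candidates only; legitimate installers also leave .exe files there, so check each one before removing it.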
