Spotting and Stopping Scarab Ransomware

Scarab Email Campaign Volume

The Scarab ransomware strain recently kicked into high gear. On Nov. 23, more than 12.5 million malicious emails were sent out in just over six hours, and the campaign continues to thrive. The attack relies on Necurs, the internet’s top email spam botnet, to distribute high volumes of email and is built on the Hidden Tear open-source ransomware product.

Scarab targets email inboxes and tricks users into opening the message by claiming to contain a scan from a company printer. This tactic has been used in the past, most notably by the Locky strain. Here is an example of what one of these bogus emails looks like:

Email Claiming to Contain Scan by Company Printer

Once the ransomware has infected a computer, it encrypts all the files. A ransom note is also dropped into the affected directory with the title “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT.” Once users open the file, they are instructed that the amount of ransom they pay will depend on how quickly they offer payment. This is a copy of the message:

Scarab Please Read This Ransom Note

This is not the most sophisticated or aggressive threat we have ever seen, but because it relies on Necurs, its reach is broader than most. Ransom payments are to be made through an email-based payment system, but as in all cases of ransomware, it is better to reject the demands — better still to avoid the attack entirely.

How to Spot Scarab Ransomware

Fortunately, this attack has some telltale signs that make it relatively easy for users to spot:

  • Emails from Printers: Scarab tries to imitate a message sent from an in-house printer by using a subject line like “Scanned from Lexmark.” For the time being, this is the only “trick” Scarab relies on. Employees should begin treating these messages with extra caution.
  • Odd Subject Lines: Most companies change the subject line of printer-originated emails to reference the building or floor where the printer resides. Scarab emails refer only to the brand of printer. If a subject line is out of the ordinary or contains a printer brand (Epson, HP, Canon, etc.) that the company does not use, the message should immediately raise a red flag.
  • Bad Attachments: Inside the email is an attachment that actually contains the ransomware. In all cases, these attachments are named “image[random numbers].7z.” The extension refers to 7-Zip, so watch out for any attachment created in this underused program. The random numbers will look similar to a time stamp, but they will likely not match the current date, which is another sign that the attachment is fake.
  • Empty Body: Most automated messages sent from printers contain some kind of body text relevant to where and when the scan was initiated. The Scarab ransomware emails have no body text at all, which is a fairly unmistakable sign that something is fishy.
  • VBS Request: The final version of the ransomware is delivered through VBScript. If this is not activated on your computer, you will suddenly be asked to do so. There is no reason for a normal printer attachment to do this. Denying the request is the last line of defense.

How We Protect Against Scarab Ransomware

By just about every standard, this is not an advanced attack. But that does not mean it’s never effective. Remember that it takes only one user to grant access one time to infect an entire network and render massive amounts of data inaccessible.

Email users are advised to have their guard up, but with our solution, there is no reason these emails should reach the inbox at all. We offer multi-layer filtering that will pick up on some of the red flags mentioned above and identify an email as suspicious.

The strongest defense, however, is also one of the simplest. Our solution makes it easy to identify authorized Sender Policy Framework (SPF) records — essentially, the published list of mail servers permitted to send on behalf of your domain. Scarab ransomware emails will claim to come from inside your company, but because the sending server does not match the SPF record you have identified yourself, we will immediately call it out as false. We provide detection, deflection, and protection against every trick Scarab ransomware has up its sleeve.
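The following is an added example, not code from the original post or from SpamStopsHere, that turns the indicators listed under "How to Spot Scarab Ransomware" (printer-brand subject line, `image[digits].7z` attachment, empty body) and the SPF mismatch described here into a small mail-filter check. The sample messages, the SPF record, the IP addresses and the attachment contents are constructed for the demonstration; the SPF evaluator is deliberately minimal and only understands `ip4:`/`ip6:` mechanisms, so a real deployment would use a full SPF library with DNS lookups.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Printer brands named in the post; a site would list the ones it actually owns.
PRINTER_BRANDS = {"lexmark", "epson", "hp", "canon"}

# Constructed sample shaped like the campaign described above:
# brand-only subject, no body text, image<digits>.7z attachment (dummy bytes).
SAMPLE_SCARAB_EMAIL = """From: printer@example.com
To: staff@example.com
Subject: Scanned from Lexmark
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/x-7z-compressed; name="image201711231234.7z"
Content-Disposition: attachment; filename="image201711231234.7z"
Content-Transfer-Encoding: base64

N3o=
--b1--
"""

# Constructed sample of a legitimate scan-to-email message for contrast.
SAMPLE_LEGIT_EMAIL = """From: printer@example.com
To: staff@example.com
Subject: Scan from 3rd floor copier
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Scanned on the 3rd floor copier (Canon) at 09:12.
--b2
Content-Type: application/pdf; name="scan_0042.pdf"
Content-Disposition: attachment; filename="scan_0042.pdf"
Content-Transfer-Encoding: base64

JVBERg==
--b2--
"""


def scan_indicators(raw, approved_brands=()):
    """Return the content red flags from the post that a raw RFC 822 message trips."""
    msg = message_from_string(raw, policy=default)
    approved = {b.lower() for b in approved_brands}
    hits = []

    # "Scanned from <brand>": a printer brand the company does not use is a red flag.
    m = re.search(r"scan(?:ned)?\s+from\s+(\w+)", msg["Subject"] or "", re.I)
    if m and m.group(1).lower() in PRINTER_BRANDS and m.group(1).lower() not in approved:
        hits.append(f"subject names printer brand not in use: {m.group(1)}")

    # Attachment named image[random numbers].7z, as described in the post.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if re.fullmatch(r"image\d+\.7z", name, re.I):
            hits.append(f"attachment matches image[digits].7z: {name}")

    # Printer notifications normally carry body text; Scarab messages have none.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty message body")
    return hits


def spf_authorizes(spf_record, sender_ip):
    """Minimal SPF v1 check: True if sender_ip is inside any ip4:/ip6: mechanism.
    Assumption: the record uses only ip4/ip6 terms (no include/a/mx DNS lookups)."""
    ip = ipaddress.ip_address(sender_ip)
    for term in spf_record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return True
    return False  # falls through to the record's "-all"


def assess(raw, spf_record, sender_ip, approved_brands=()):
    """Combine content indicators with the SPF result; an empty list means clean."""
    hits = scan_indicators(raw, approved_brands)
    if not spf_authorizes(spf_record, sender_ip):
        hits.append(f"SPF: {sender_ip} not authorized by {spf_record!r}")
    return hits


if __name__ == "__main__":
    spf = "v=spf1 ip4:203.0.113.0/24 -all"  # constructed record for example.com
    for h in assess(SAMPLE_SCARAB_EMAIL, spf, "198.51.100.7", approved_brands=("Canon",)):
        print("FLAG:", h)
    print("legit:", assess(SAMPLE_LEGIT_EMAIL, spf, "203.0.113.25", approved_brands=("Canon",)))
```

Run on the constructed Scarab sample from an unauthorized address, `assess` reports all four flags; the legitimate scan from a server inside the SPF range reports none. The SPF check is the one that does not depend on the attacker keeping the same subject line or attachment name, which is why the post ranks it as the strongest of the defenses.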

About SpamStopsHere

To find out more about SpamStopsHere, visit our product page, check out our simple pricing and start a FREE 30-Day trial, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email. We're always here. 24/7/365.