Scarab Ransomware - How to remove

It has been recorded that a new type of ransomware dubbed “Scarab Ransomware” is being distributed in massive numbers right now. Distribution of this ransomware is carried out by the malspam campaign and the Necurs botnet is employed to pull this out. Even though the exact number is still unknown, it is clear that way over 10 million malicious emails have been sent on this date already and the number is still rising. Cybercriminals behind this virus managed to send over 3 million emails in a timespan of only 4 hours, that’s really impressive. Based on the way this virus is being distributed, it kind of reminds of Jaff ransomware infection.

What’s special about Scarab ransomware

If you think this Scarab ransomware is something new, you’re wrong – it was first discovered back in June, by cybersecurity researcher Michael Gillespie. So why we are reporting it only now, a few months later? Mostly because of the fact that it was not really active to this date. Now, it is a little bit modified and the final version of it is even more dangerous.

Speaking of the distribution – the payload of this virus comes as an attachment to the email with a subject “Scanned from *random company name*”. Several pictures and a .zip file are likely to be attached to it. To open that attached .zip file is all it takes to user to get infected. After that, a payload will automatically be dropped on a computer and malicious files downloaded afterward.

Once Scarab virus is inside, encryption process will begin automatically – unique extension.[[email protected]].scarab will be added to the end of every personal file stored on a computer, making them worthless. It is not known what kind of cryptography is employed by Scarab, yet either way, there is no tool to decrypt those files at the moment.

As usual, after the encryption, Scarab ransomware will create ransom note called “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” and place it in every folder with encrypted files and on the desktop as well. Original text from the ransom note:

*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: [email protected]
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).
|  How to obtain Bitcoins?
| * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
|   ‘Buy bitcoins’, and select the seller by payment method and price:
|   hxxps://localbitcoins.com/buy_bitcoins
| * Also you can find other places to buy Bitcoins and beginners guide here:
|   hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins
| Attention!
| * Do not rename encrypted files.
| * Do not try to decrypt your data using third party software, it may cause permanent data loss.
| * Decryption of your files with the help of third parties may cause increased price
|   (they add their fee to our) or you can become a victim of a scam.

The unseen technique used by this ransomware – they don’t reveal the amount of ransomware and instead of that inform users that the amount of ransomware directly depends on how fast user will contact cybercriminals via email [email protected].

We suggest not to do that because you can simply get scammed. We have recorded multiple occasions when users are ignored after paying the ransom.

The virus was first discovered back in June 2017 and has been active since then, with the most active month for infections being November. However, it seems like in December of 2017 cybercriminals changed tactics and updated Scarab. In fact, they even changed the name a bit – now it is dubbed Scarabey virus. It seems that this new version of the notorious virus is targeted specifically to Russian speaking audience.

However, both viruses are almost identical, besides the name, file names and ransom note, which in Scarabey case is written in Russian. It seems like the Scarab virus was also written by someone who speaks Russian as a native language and translated into English with some grammatical errors. This is the Russian version ransom note translated into English:

Good afternoon. Your computer has been infected with Scarabey. All data is encrypted with a unique key, which is available only to us.
Without the unique key – files can not be restored.
24 files are deleted every 24 hours. (we have copies of them)
If you do not run the decryption program within 72 hours, all the files on the computer are completely deleted, without the possibility of recovery.
Read carefully how to recover all encrypted data.

Also, in Scarabey version, the extension added to files after the encryption is a little bit shortened – now it is only “scarab” instead of “[[email protected]].scarab “.

Versions of Scarab virus

How to deal with Scarab/Scarabey virus

Usually, the best way to deal with ransomware is to simply set your computer to a previous date. However, in this case, it is not possible because Scarab executes a command to disable recovery feature on Windows System. That means the only possible way to recover your files is to restore them from a backup that was stored on an external hard drive or cloud, following our system restore instructions. However, if you don’t have such file, this action will be not possible.

Even though after the encryption Scarab ransomware should automatically uninstall itself, there are chances that some malicious files associated with this infection will be still left on your computer. Obviously, they have to be removed and the best way to do that is to download reliable anti-malware application, such as Spyhunter and scan your computer with it. Either one of those tools will automatically eliminate all malicious applications from your computer and also protect the system from similar viruses in the future.

Please note that no anti-malware tool will be able to decrypt files locked by Scarab ransomware – it is only used to remove malicious files from a system.

How to recover Scarab Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Scarab virus has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Amnesia

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Bitcoin. You can check other tools here.  

Step 3. Restore Bomber affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Crypt000 tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Crypto encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal