The Scarab-XTBL ransomware virus has been labelled a new version of the Scarab crypto-malware. We discussed this cyber threat in November 2017, when the infection was being distributed very rapidly. At one point, the Necurs botnet had sent approximately 12.5 million emails containing attachments with Scarab ransomware. The new version uses the AES algorithm to encrypt users’ files and drops a file named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt", which contains instructions for victims. The new variant is very similar to the original Scarab variant (Ransomware Attack Involving Scarab Malware Sends Over 12M Emails in 6 Hours).
Scarab-XTBL crypto-virus is a new version of Scarab and appends .xtbl extension to encrypted digital data
The creators of the Scarab-XTBL virus provide an email address ([email protected]). Victims are supposed to send their personal identifiers to this account, and the message serves as confirmation that they are ready to pay for a decryption key. The exact ransom is not stated in the text file, but will probably be announced during the email exchange. Victims of the Scarab-XTBL crypto-malware can also send 2 encrypted files for free decryption. This is a common technique, used to convince victims that the cyber criminals can actually decrypt the data. However, you should not pay the ransoms extortionists are demanding.
All of the encrypted documents, photos and other types of files will carry the .xtbl extension. If victims attempt to open them, they will find that the files are no longer usable. Researchers have associated the Scarab-XTBL crypto-virus with a file named Win98.exe.
Surprisingly, its copyright is assigned to a legitimate company, RonyaSoft. Further analysis of the file revealed a comment: Extensible Associatewith Kek Addresses Rutinely Buttons. After the Scarab-XTBL crypto-virus runs on a computer, the ransom note appears on the desktop immediately. The note has the same name as the one the original Scarab ransomware added to victims’ computers, but the email address has been changed. In the original Scarab virus, victims were instructed to contact [email protected]. In the case of Scarab-XTBL malware, victims have to send emails to [email protected].
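The file-name indicators described above (the .xtbl extension, the ransom note name and Win98.exe) can be swept for to scope which folders need restoring from backup. The following Python script is an added example, not code from the original article or from any vendor; the function names, the verdict labels and the sample folder tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

# Indicators named in the article; matching is by file name only.
ENCRYPTED_EXT = ".xtbl"
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.txt"
SUSPECT_EXE = "Win98.exe"

def sweep(root):
    """Walk `root` and collect paths matching each indicator (case-insensitive)."""
    hits = {"encrypted": [], "ransom_note": [], "suspect_exe": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower == RANSOM_NOTE.lower():
                hits["ransom_note"].append(path)
            elif lower == SUSPECT_EXE.lower():
                hits["suspect_exe"].append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(path)
    return hits

def affected_dirs(hits):
    """Count encrypted files per directory, to scope what must come from backup."""
    return Counter(os.path.dirname(p) for p in hits["encrypted"])

def verdict(hits):
    """Note plus encrypted files is a strong signal; a lone name match is weak."""
    if hits["ransom_note"] and hits["encrypted"]:
        return "likely"
    if any(hits.values()):
        return "possible"
    return "clean"

def build_sample_tree(base):
    """Constructed sample data: empty files that only carry the indicator names."""
    for rel in ("Documents/report.docx.xtbl", "Documents/photo.JPG.XTBL",
                "Documents/notes.txt", "Desktop/" + RANSOM_NOTE):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found = sweep(build_sample_tree(tmp))
        print(verdict(found), dict(affected_dirs(found)))
```

To check a real profile, call sweep() on the user's home folder instead of the sample tree; a match on a file name alone should be confirmed with an anti-malware scan.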
Is there any way to decrypt files that Scarab-XTBL virus has ruined?
Currently, we have not found a way to recover data encrypted by the Scarab-XTBL ransomware. However, we never recommend that victims pay the demanded ransoms. Most cyber-criminals are only interested in profit. Therefore, after receiving the demanded bitcoins, they might disappear, leaving victims without the promised decryption keys. By paying the ransom, victims also encourage hackers to continue creating crypto-viruses. As long as these projects remain profitable, extortionists won’t stop.
If the Scarab-XTBL crypto-malware has not infected you, we have a couple of tips for protection. First of all, keep copies of your digital files in backup storage. If the original files become encrypted, you will be able to recover them from an online storage service. Alternatively, you could store important files on a USB flash drive, but remember not to keep it plugged into your computer. Some ransomware infections are capable of encrypting data on all connected devices.
How can Scarab-XTBL crypto-malware invade my PC?
The original Scarab virus was distributed with the help of the Necurs botnet. It would not be surprising to learn that the same distribution methods are used to spread the new version, Scarab-XTBL. Therefore, be careful when opening messages in your email accounts, and do not download attachments from suspicious sources. Malvertising techniques could also be exploited to deliver malicious payloads of this virus (How to Beat Malvertising).
Now, you must be wondering how this devious infection can be removed from your operating system. The Scarab-XTBL crypto-virus can be eliminated either manually or by using efficient anti-malware tools. If you do not have the skills to get rid of the malware on your own, we advise you to download Spyhunter and run a scan. It should reveal all malicious files currently affecting your PC. As for the manual removal, you can find more information about it in this article.
The manual removal includes these steps:
- Reboot your computer in Safe Mode (Enable Safe Mode with Command Prompt).
- Once Command Prompt launches, type in cd restore and press Enter.
- Enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points with a date before Magniber ransomware infected your device.
- Click “Yes” to start a system restore.