Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Necurs becomes Active again by Thrusting Scarab Ransomware Outbreak


Forcepoint Security Labs has noted ransom software named "Scarab" that's getting spread from Necurs the notorious network-of-bots. The huge spam mail campaign began about 7:30 UTC while was running even on November 25 at 13:30, with an aggregate of 12.5m-and-more e-mails hacked hitherto.


The first time Scarab was detected it was June 2017 and the discoverer was Michael Gillespie who created ID Ransomware, the service which lets end-users submit to it any ransom note for determining the ransomware which contaminated them. Cyber Security Company F-Secure says the code of Scarab is created with HiddenTear the proof-of-concept of iransomware of open-source kind.


According to Forcepoint's security researchers, Web-traffic in the maximum volume is getting dispatched to .com TLD. Nevertheless, following the .com top-level domain was TLDs for specific regions such as Germany, France, Australia and UK. Security Affairs posted this, November 25, 2017.


Having subject line "Scanned from (name of printer company)", the e-mail utilizes the theme which Locky ransomware attacks earlier used when distributed through Necurs. There's one 7zip attachment inside the e-mail having one VBScript downloader.


Like a typical Necurs e-mail containing a very small text body on topics of business matters, within the current instance, it indicates the attachment has copies of scanned papers. Most frequently used subjects show "Scanned from..." Epson, Cannon, HP alternatively, Lexmark added.


Suppose the downloader is executed while Scarab planted, the ransomware encrypts files to which it adds one fresh extension that reads [suupport@protonmail.com].scarab. The extension's e-mail id portion is exactly like contact electronic mail address given inside the ransom message.


A file, which the ransomware thrusts, is named %Application Data%\sevnz.exe following which the ransomware makes one registry entry which functions like one auto-start mechanism. When the file is installed the process of file-encryption starts, with the encrypted files having the extension ".[suupport@protonmail.com].scarab". Every directory with the encrypted files by default obtains a ransom message having the filename "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT."


The wrongly-spelled word 'support' exists within the altered filenames as well as the ransom message, while expectedly follows from the e-mail ids available inside Protonmail service, according to Forcepoint.

» SPAMfighter News - 30-11-2017

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page