Necurs, one of the biggest botnets in the world, is sending out over 2 million emails per hour delivering Scarab ransomware.
Spam campaign blasts 12.5 million emails: The campaign is being powered by Necurs, the world's largest email spam botnet (previously responsible for distributing Locky ransomware and the Dridex banking trojan).
Emails disguised as scanned documents: With subject lines like "Scanned from HP" they're made to look like emails from office scanners.
Scarab is a typical ransomware variant: First spotted in June, Scarab is fairly run-of-the-mill, though initially very few security solutions detected it as malware. Currently there is no decryption tool available for recovering files encrypted by Scarab.
Barkly blocked Scarab automatically, no updates needed: Despite an otherwise low detection rate from other security solutions, Barkly's Endpoint Protection Platform was able to block Scarab immediately.
Don't wait for your current security to catch up to new threats like Scarab. Find out how Barkly can protect your business.
Necurs, the botnet previously responsible for spreading Locky ransomware and the Dridex banking trojan, is once again being used to blast out a massive ransomware campaign. This time around, the payload is Scarab ransomware, a variant first spotted by security researcher Michael Gillespie in June.
Researchers at Forcepoint began tracking the campaign on November 23, recording over 12.5 million emails sent in the first four hours alone.
Scarab ransomware emails intercepted per hour. Source: Forcepoint
What the emails look like
According to MyOnlineSecurity, the emails are disguised to look like messages from company copiers or scanners, with subject lines like the following:
Scanned from Lexmark
Scanned from HP
Scanned from Canon
Scanned from Epson
The emails contain 7-Zip attachments (a type of compressed file with the extension .7z), each with a .vbs file inside. When a user opens the attachment and runs the enclosed script, it acts as a downloader, fetching and launching the Scarab ransomware payload.
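The lure described above (a "Scanned from <vendor>" subject carrying a .7z archive) is easy to express as a mail-gateway triage rule. The following is an added example, not code from the original post or from Barkly or Forcepoint; it uses only the Python standard library, constructs its own sample messages (sender, recipient and attachment bytes are placeholders), and implements the "block .7z attachments" advice given later in the post. The vendor list in the subject pattern is the one quoted above.

```python
# Added example: triage an inbound message for the Scarab lure pattern.
# Quarantines anything carrying a .7z attachment; flags scanner-style subjects
# that arrive without one so an analyst can review them.
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the post: scanner-style subjects and 7-Zip attachments.
SCANNER_SUBJECT = re.compile(r"^\s*Scanned from (Lexmark|HP|Canon|Epson)\b", re.IGNORECASE)
BLOCKED_EXTENSIONS = (".7z",)


def build_sample_message(subject="Scanned from HP", filename="scan_0001.7z"):
    """Construct a sample message shaped like the campaign's lure.
    Addresses and attachment bytes are placeholders, not a real capture."""
    msg = EmailMessage()
    msg["From"] = "copier@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(b"placeholder-archive-bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def triage_message(raw):
    """Classify one raw RFC 5322 message; returns the decision and the evidence for it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    blocked = [n for n in names if n.lower().endswith(BLOCKED_EXTENSIONS)]
    lure_subject = SCANNER_SUBJECT.match(subject) is not None

    if blocked:
        action = "quarantine"   # the post's advice: block .7z attachments outright
    elif lure_subject:
        action = "flag"         # scanner-style subject but no archive: review, don't block
    else:
        action = "deliver"
    return {
        "subject": subject,
        "attachments": names,
        "blocked_attachments": blocked,
        "lure_subject": lure_subject,
        "action": action,
    }


if __name__ == "__main__":
    for subj, fname in [("Scanned from HP", "scan_0001.7z"),
                        ("Scanned from Canon", "scan_0002.pdf"),
                        ("Q4 numbers", "budget.xlsx")]:
        print(triage_message(build_sample_message(subj, fname)))
```

Extension matching alone does not look inside the archive; confirming that a .7z actually contains a .vbs needs a 7-Zip library (for example py7zr, not used here) or the gateway's own archive inspection. Blocking on the extension is the simpler rule and is what the post recommends.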
Example of a spam email from the Scarab campaign. Source: Forcepoint
How Scarab ransomware works
Once running on a machine, Scarab encrypts files and appends ".[firstname.lastname@example.org].scarab" to the file name.
The malware drops and automatically opens a ransom note file named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT."
As others have pointed out, one thing that makes the ransom note peculiar is that it doesn't reference a ransom amount. Instead, it simply suggests the price depends on how quickly the victim writes to the attackers, either via email or Bitmessage.
In an attempt to make file recovery more difficult, Scarab deletes shadow volume copies. After encryption is complete it also deletes the original copy of itself.
At this time, there is no way to recover files encrypted by Scarab other than restoring them from backup.
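The behaviour described in this section leaves three traces a defender can check for: the ".scarab" suffix on encrypted files, the ransom note dropped next to them, and the shadow-copy deletion. The following is an added example, not code from the original post or from Barkly; it runs on constructed sample data. The post does not say how Scarab deletes shadow copies, so the process-creation patterns are an assumption that it uses the standard Windows tooling (ATT&CK T1490), and the contact address in the file suffix is a placeholder.

```python
# Added example: host-side check for the Scarab indicators named in the post.
import ntpath
import os
import re

# Indicators quoted in the post.
ENCRYPTED_SUFFIX = ".scarab"
RANSOM_NOTE_NAME = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"

# Assumption: the post only says shadow copies are deleted. These patterns match
# the built-in Windows commands ransomware generally uses for that (ATT&CK T1490).
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE),
)

# Constructed sample data, not from a real host. "[attacker-contact-placeholder]"
# stands in for the address Scarab writes into the file name.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.[attacker-contact-placeholder].scarab",
    r"C:\Users\alice\Documents\budget.xlsx.[attacker-contact-placeholder].scarab",
    r"C:\Users\alice\Documents\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg",
]
SAMPLE_PROCESS_LOG = [
    'Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe scan_0001.vbs"',
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'Image=C:\\Windows\\explorer.exe CommandLine="C:\\Windows\\explorer.exe"',
]


def classify_paths(paths):
    """Split file paths into Scarab-encrypted files and ransom notes."""
    encrypted = [p for p in paths if p.lower().endswith(ENCRYPTED_SUFFIX)]
    # ntpath.basename handles both '\' and '/' so Windows paths work on any OS.
    notes = [p for p in paths if ntpath.basename(p).upper() == RANSOM_NOTE_NAME]
    return {"encrypted": encrypted, "ransom_notes": notes}


def scan_directory(root):
    """Walk a real directory tree and classify its files (for use on a live host)."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(paths)


def find_shadow_copy_deletions(log_lines):
    """Return process-creation lines that look like shadow-copy deletion."""
    return [ln for ln in log_lines if any(p.search(ln) for p in SHADOW_DELETE_PATTERNS)]


def assess(paths, log_lines):
    """Combine file and process indicators into a single verdict."""
    files = classify_paths(paths)
    shadow = find_shadow_copy_deletions(log_lines)
    any_hit = bool(files["encrypted"] or files["ransom_notes"] or shadow)
    if files["encrypted"] and files["ransom_notes"]:
        verdict = "scarab-encryption-observed"
    elif any_hit:
        verdict = "suspicious"      # one indicator alone: investigate before declaring
    else:
        verdict = "clean"
    return {
        "encrypted_count": len(files["encrypted"]),
        "ransom_note_count": len(files["ransom_notes"]),
        "shadow_copy_deletion": bool(shadow),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PATHS, SAMPLE_PROCESS_LOG))
```

The file-based indicators only confirm an infection after encryption has happened; the shadow-copy deletion is the one of the three that can fire early enough to matter, which is why it belongs in process-creation alerting rather than in an after-the-fact disk scan.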
Blocking Scarab before it encrypts files
According to Bleeping Computer, Scarab is the fourth ransomware strain to be distributed by the Necurs botnet this year, after Locky, Jaff, and GlobeImposter. Necurs gives the malware it pushes sudden, global reach, which can be especially dangerous when that malware is relatively small and hasn't made it onto major antivirus radars. That was the case here with Scarab, which had a very low detection rate when the campaign first began.
AV vendors scrambled to create signatures and update their protection, but with over 12 million emails carrying Scarab sent out in just four hours, for many of those recipients, such efforts likely came too late.
Organizations looking to fill the gaps in antivirus protection that new ransomware campaigns like this expose should investigate the new layers of endpoint security now being offered. Thanks to the use of machine learning models that analyze file attributes and behaviors, for example, Barkly's protection was able to block Scarab immediately, without the need for any updating.
Whether this is an isolated campaign or Scarab continues to pick up volume and become a bigger headache remains to be seen. As long as Necurs continues distributing it, Scarab poses a widespread threat.
What to do
Remind your users never to open attachments in emails they're not expecting.
Warn your users to specifically be on the lookout for emails disguised as scans from the office printer/scanner with .7z attachments.
If feasible, block .7z attachments with your firewall or email filtering.
Make sure your AV / endpoint security can block the following: