Security Alert
Jonathan Crowe
Nov 2017

Alert: Massive New Scarab Ransomware Campaign

Photo by sarahtarno

Necurs, one of the biggest botnets in the world, is sending out over 2 million emails per hour delivering Scarab ransomware.

Key Details

  • Spam campaign blasts 12.5 million emails: The campaign is being powered by Necurs, the world's largest email spam botnet (previously responsible for distributing Locky ransomware and the Dridex banking trojan).
  • Emails disguised as scanned documents: With subject lines like "Scanned from HP" they're made to look like emails from office scanners.
  • Scarab is a typical ransomware variant: First spotted in June, Scarab is fairly run-of-the-mill, though initially very few security solutions detected it as malware. Currently there is no decryption tool available for recovering files encrypted by Scarab. 
  • Barkly blocked Scarab automatically, no updates needed: Despite an otherwise low detection rate from other security solutions, Barkly's Endpoint Protection Platform was able to block Scarab immediately.
  • empty
  • empty
  • empty
  • empty

Don't wait for your current security to catch up to new threats like Scarab. Find out how Barkly can protect your business.
Get protected

Necurs, the botnet previously responsible for spreading Locky ransomware and the Dridex banking trojan, is once again being used to blast out a massive ransomware campaign. This time around, the payload is Scarab ransomware, a variant first spotted by security researcher Michael Gillespie in June. 

Researchers at Forcepoint began tracking the campaign on November 23, recording over 12.5 million emails sent in the first four hours alone.


Scarab ransomware emails intercepted per hour. Source: Forcepoint

What the emails look like

According to MyOnlineSecurity, the emails are disguised to look messages from company copiers or scanners, with subject lines like the following:

  • Scanned from Lexmark
  • Scanned from HP
  • Scanned from Canon
  • Scanned from Epson

The emails contain 7-Zip attachments (a type of compressed file with the extension .7z), which have a .vbs file inside. When a user opens the attachment, that script serves as a downloader, fetching and launching the Scarab ransomware payload.

This is the same technique we saw previously when Necurs blasted out millions of emails distributing Locky ransomware in September.


Example of a spam email from the Scarab campaign. Source: Forcepoint

How Scarab ransomware works

Once running on a machine, Scarab encrypts files and appends ".[].scarab" to the file name.

The malware drops and automatically opens a ransom note file named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT."


As others have pointed out, one thing that makes the ransom note peculiar is that it doesn't reference a ransom amount. Instead, it simply suggests the price depends on how quickly the victim writes to the attackers, either via email or Bitmessage.

In an attempt to make file recovery more difficult, Scarab deletes shadow volume copies. After encryption is complete it also deletes the original copy of itself. 

At this time, there is no way to recover files encrypted by Scarab other than restoring them from backup.

Blocking Scarab before it encrypts files

According to Bleeping Computer, Scarab is the fourth ransomware strain to be distributed by the Necurs botnet this year, after Locky, Jaff, and GlobeImposter. Necurs gives the malware it pushes sudden, global reach, which can be especially dangerous when that malware is relatively small and hasn't made it onto major antivirus radars. That was the case here with Scarab, which had a very low detection rate when the campaign first began. 

AV vendors scrambled to create signatures and update their protection, but with over 12 million emails carrying Scarab sent out in just four hours, for many of those recipients, such efforts likely came too late. 

Organizations looking to fill in the gaps in antivirus protection new ransomware campaigns like this expose are recommended to investigate the new layers of endpoint security being offered. Thanks to the use of machine learning models in analyzing file attributes and behaviors, for example, Barkly's protection was able to block Scarab immediately, without the need for any updating.


Whether this is an isolated campaign or Scarab continues to pick up volume and become a bigger headache remains to be seen. As long as Necurs continues distributing it, Scarab poses a widespread threat.  

What to do

  • Remind your users never to open attachments in emails they're not expecting.
  • Warn your users to specifically be on the lookout for emails disguised as scans from the office printer/scanner with .7z attachments.
  • If feasible, block .7z attachments with your firewall or email filtering.
  • Make sure your AV / endpoint security can block the following:
Scarab SHA-256 hash:
Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

See how Barkly blocks attacks other solutions miss.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.