A massive malicious email campaign that stems from the world’s largest spam botnet Necurs is spreading a new strain of ransomware at the rate of over 2 million emails per hour and hitting computers across the globe.
The popular malspam botnet Necrus which has previously found distributing Dridex banking trojan, Trickbot banking trojan, Locky ransomware, and Jaff ransomware, has now started spreading a new version of Scarab ransomware.
According to F-Secure, Necurs botnet is the most prominent deliverer of spam emails with five to six million infected hosts online monthly and is responsible for the biggest single malware spam campaigns.
Scarab ransomware is a relatively new ransomware family that was initially spotted by ID Ransomware creator Michael Gillespie in June this year, with its source code being based on an open source proof-of-concept ransomware called “HiddenTear.”
Massive Email Campaign Spreads Scarab Ransomware
According to a blog post published by security firm Forcepoint, the massive email campaign spreading Scarab ransomware virus started at approximately 07:30 UTC on 23 November (Thursday) and sent about 12.5 million emails in just six hours.
The Forcepoint researchers said “the majority of the traffic is being sent to the .com top-level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France, and Germany.”
The spam email contains a malicious VBScript downloader compressed with 7zip that pulls down the final payload, with one of these subject lines:
- Scanned from Lexmark
- Scanned from Epson
- Scanned from HP
- Scanned from Canon
As with previous Necurs botnet campaigns, the VBScript contained a number of references to the widely watched series Game of Thrones, like the strings ‘Samwell’ and ‘JohnSnow.’
The final payload is the latest version of Scarab ransomware with no change in filenames, but it appends a new file extension with “.[email@example.com].scarab” to the encrypted files.
Once done with the encryption, the ransomware then drops a ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” within each affected directory.
The ransom note does not specify the amount being demanded by the criminals; instead, it merely states that “the price depends on how fast you [the victim] write to us.”
However, Scarab ransomware offers to decrypt three files for free to prove the decryption will work: “Before paying you can send us up to 3 files for free decryption.”
Protection Against Ransomware
To safeguard against such ransomware infection, you should always be suspicious of any uninvited document sent over an email and should never click on links provided in those documents unless verifying the source.
Most importantly, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC in order to always have a tight grip on all your important files and documents.
Moreover, make sure that you run an active anti-virus solution on your system, and always browse the Internet safely.