Security researchers at the Austin-based anti-virus software firm Forcepoint have discovered a massive spam ransomware campaign in which the Scarab malware destroys all your files if you don’t pay the ransom, which is demanded in Bitcoin.
The campaign started on 23rd November, and the attackers used Necurs, the largest email spam botnet on the internet, to distribute the malicious emails. Given the extraordinary reach of Necurs, around 12.5 million emails were sent within 6 hours of launch. This means the botnet was sending out over two million messages per hour, and all 12.5 million emails carried the ransomware.
Various security experts noticed a sudden spike in email activity on the web, but Forcepoint was the first to identify the new ransomware campaign. Scarab, however, isn’t a new malware, as it has been used in a number of previous campaigns. This campaign primarily targets computers located in the US, UK, Germany, France, and Australia. Researchers observed that the ransomware code included references to the popular HBO TV series Game of Thrones.
According to Chris Doman, a security researcher at the cybersecurity firm AlienVault, the Necurs botnet has remained one of the largest since its creation in 2012, and organized cybercriminals such as those behind Locky and Dridex have used it in the past. Scarab, by comparison, isn’t that sophisticated and can be detected by almost all anti-virus programs.
“Scarab looks less sophisticated than some other ransomware, like Locky, and the usage of an e-mail based ransom payment system is very simple in contrast to its wide distribution,” noted Doman.
Security experts Ben Gibney and Roland Dela Paz from Forcepoint wrote in their blog that the Scarab payload was first discovered in June and that, once installed, it behaves like most other ransomware: it encrypts the files and then drops the ransom note.
“Once installed it proceeds to encrypt files. A ransom note with the filename “If You Want To Get All Your Files Back, Please Read This.Txt” is dropped within each affected directory,” read the blog post.
The ransom note reads: “Your files are now encrypted! You have to pay for decryption of Bitcoins. The price depends on how fast you write to us. After payment, we will send you the decryption tool.”
According to Forcepoint, the emails carry fake scanned documents that are in fact infected files. The emails are made to look as if they were produced by printers and scanners from well-known firms including HP, Lexmark, Epson and Canon, so that they appear genuine. When the recipient downloads and opens the attached 7-Zip archive, the malware takes control of the entire computer and threatens the victim with the destruction of all their files if the ransom is not paid.
Although Scarab is being distributed on an astoundingly wide scale, it can be detected by the majority of anti-virus software, so users will receive a warning message about the presence of infected files. Users who have already become victims of this campaign can run anti-virus software in safe mode to remove the malware, but this isn’t a proven method.
Gibney and Dela Paz noted that nowadays even inexperienced hackers can pull off massive global ransomware campaigns, only because they have the valuable services of Necurs-type botnets at their disposal.
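Because the ransom note is dropped into every affected directory under a fixed filename, an incident responder can use that filename as a quick indicator to map how far the encryption spread before cleanup. The following Python script is an added example written for this article, not Forcepoint’s code; the directory tree it scans is constructed inline, and the file names in it are made up.

```python
import os
import tempfile
from pathlib import Path

# Ransom note filename quoted in the Forcepoint blog post (matched case-insensitively,
# since Windows filesystems ignore case).
RANSOM_NOTE = "If You Want To Get All Your Files Back, Please Read This.Txt"


def find_affected_dirs(root):
    """Walk `root` and return {relative_dir: number_of_other_files} for every
    directory that contains the Scarab ransom note. The count tells the
    responder how many files in that directory are likely encrypted."""
    root = Path(root)
    affected = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        has_note = any(name.lower() == RANSOM_NOTE.lower() for name in filenames)
        if has_note:
            rel = Path(dirpath).relative_to(root).as_posix()
            others = [n for n in filenames if n.lower() != RANSOM_NOTE.lower()]
            affected[rel] = len(others)
    return affected


def build_sample_tree(root):
    """Constructed sample: two directories hit by the ransomware, one untouched."""
    root = Path(root)
    for rel in ("docs", "docs/reports", "photos"):
        (root / rel).mkdir(parents=True, exist_ok=True)
    (root / "docs" / "budget.xlsx").write_bytes(b"\x00" * 16)
    (root / "docs" / "memo.docx").write_bytes(b"\x00" * 16)
    (root / "docs" / RANSOM_NOTE).write_text("Your files are now encrypted!")
    (root / "docs" / "reports" / "q3.pdf").write_bytes(b"\x00" * 16)
    (root / "docs" / "reports" / RANSOM_NOTE).write_text("Your files are now encrypted!")
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # clean directory


def demo():
    """Build the sample tree in a temp dir and report the affected directories."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_affected_dirs(tmp)


if __name__ == "__main__":
    for directory, count in sorted(demo().items()):
        print(f"{directory}: ransom note present, {count} other file(s)")
```

Run against a live machine, the same walk over user data shares would give a first estimate of the blast radius before restoring from backups.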
“It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns,” wrote the researchers in their blog. You can read more about this campaign on MyOnlineSecurity, F-Secure, and Forcepoint.
Top/Featured image via PixaBay/Geralt