{"id":2860,"date":"2024-09-25T20:12:40","date_gmt":"2024-09-25T20:12:40","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2860"},"modified":"2025-07-29T06:41:35","modified_gmt":"2025-07-29T06:41:35","slug":"scarab-sets-a-new-standard-for-rapid-fire-ransomware","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/scarab-sets-a-new-standard-for-rapid-fire-ransomware\/","title":{"rendered":"Scarab sets a new standard for rapid fire ransomware"},"content":{"rendered":"
\n
\"Scarab_beetle\"<\/figure>\n<\/div>\n\n\n

When it comes to \u2018scatter-gun\u2019 distribution methods, a ransomware strain discovered late last year is taking spray-and-pray to new heights. The latest variant of Scarab ransomware was discovered last November<\/a> and was clocked using the Necurs botnet to send 12.5 million spam emails in just six hours \u2013 more than 2 million spam emails per hour! \u00a0

Its primary targets were .com and .co.uk top-level domains, but domains in Australia, France, Germany and \u00a0New Zealand were also targeted. Despite its discovery last year, we witnessed the strain still being used to target victims on January 18, 2018.

Necurs is one of the world\u2019s largest botnets with between 5 and 6 million infected hosts online monthly. In the past, it has been used to distribute other ransomware strains, Locky being the most notable. Below is a list of malware campaigns Necurs has distributed:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n



Scarab\u2019s spam email contains a malicious VBScript downloader (md5: c3d641dc9dd08d592d66f8091ef76de4), compressed with 7zip which pulls down the final payload. The ransomware then drops the file: %Application Data<\/strong>%\\sevnz.exe<\/strong>

After this initial step, Scarab then proceeds to:

\u2022\u00a0\u00a0 \u00a0Create a registry entry as an autostart mechanism in order to maintain persistence

\u2022\u00a0\u00a0 \u00a0Scan all drives to check file extensions\u00a0

\u2022\u00a0\u00a0 \u00a0Read and encrypt all files using AES encryption with the .scarab extension\u00a0

\u2022\u00a0\u00a0 \u00a0Delete volume shadow copies, system backups and remove Windows recovery mode

Once installed and executed on the victim’s computer, Scarab connects to a website that provides the attacker with the victim’s IP address and other machine information so tabs can be kept on the victim\u2019s machine.

Once encryption is complete, the ransomware drops a ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT<\/em>” within each affected directory.

File details<\/strong><\/p>\n\n\n\n

File type<\/td>Portable executable (.exe) file<\/td><\/tr>
Md5 hash<\/td>9a02862ac95345359dfc3dcc93e3c10e<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis<\/strong>

Static analysis uncovered a number of attributes that give away the sample\u2019s malicious nature, including checks for free disk space, virtual environment detection, startup process checks, windows command line access, and attempting to connect to the internet:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Dynamic analysis<\/strong>

After executing the sample in a dedicated virtual environment, we were able to follow Scarab\u2019s infection process step-by-step. The chain outlined below gives a high-level description of the processes initiated during infection:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

When we executed the sample “sevnz.exe”, it initiates “mshta.exe” which copies the file “sevnz.exe” to the location “%Application Data%\\sevnz.exe”.

Next, “cmd.exe” is initiated which launches “wmic.exe” \u2013 the latter of which deletes system backups.

A second instance of “cmd.exe” also starts up with the child process “vssadmin.exe” \u2013 this is used to delete the system\u2019s volume shadow copies.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After all these processes have been executed, sevnz.exe and mshta.exe continue running and remain persistent.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Ultimately, all data present in the victim machine is encrypted with the .scarab extension. Below is the ransom note as seen by the victim (the version we uncovered appears to be in an unsupported Cyrillic script):<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The text file containing the ransom message is also dropped in various other locations:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Sevnz.exe is also replicated into the following location which ensures it remains running across system reboots, encrypting data continuously. This feature means we weren\u2019t able to capture malware artifacts such as pcap, further files\/malware dropped, etc.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Below is the registry entry created at autostart:

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceuSjBVNE = “%Application Data%\\sevnz.exe<\/em><\/p>\n\n\n\n

Indicators of compromise<\/strong>

VBScript Downloader: c3d641dc9dd08d592d66f8091ef76de4<\/em>

Malware sample analyzed: 9a02862ac95345359dfc3dcc93e3c10e<\/p>\n\n\n\n

Mitigation<\/strong>

As with most ransomware strains, Scarab relies on the victim opening a weaponized attachment. Exercise caution when receiving any emails from unknown senders and do not open attachments or follow links without first verifying the email\u2019s source.

It is also important to routinely back up important files to external storage devices to ensure you\u2019re able to restore your files from a saved version in the event you fall victim to ransomware.<\/p>\n","protected":false},"excerpt":{"rendered":"

When it comes to ‘scatter-gun’ distribution methods, a ransomware strain discovered late last year is taking spray-and-pray to new heights. The latest variant of Scarab ransomware was discovered last November and was clocked using the Necurs botnet to send 12.5 million spam emails in just six hours – more than 2 million spam emails per […]<\/p>\n","protected":false},"author":1,"featured_media":2871,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2860","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2860"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2860\/revisions"}],"predecessor-version":[{"id":4317,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2860\/revisions\/4317"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2871"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}