Massive email campaign spreads Scarab ransomware
In a similar fashion to the Jaff ransomware, Forcepoint Security Labs have observed another piece of ransomware called “Scarab” being pushed by the infamous Necurs botnet. The massive email campaign started at approximately 07:30 UTC and is active as of 13:30 today, totalling over 12.5 million emails captured so far.
The graph below shows the per-hour volume of Scarab/Necurs emails blocked by Forcepoint between 07:00 and 12:00 UTC:
Figure 1: Scarab/Necurs emails intercepted per hour
Based on our telemetry, the majority of the traffic is being sent to the .com top level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France, and Germany:
Figure 2: Target TLD distribution for Scarab malicious email
The email uses the subject “Scanned from {printer company name}” – a theme that is known to have been utilised for previous Locky ransomware campaigns distributed via Necurs. The email contains a 7zip attachment containing a VBScript downloader.
Figure 3: Sample malicious email
As has been previously observed in Necurs campaigns, the VBScript contained a number of Game of Thrones references, in particular the strings “Samwell” and “JohnSnow”:
Figure 4: 'Game of Thrones' references within malicious VBScript
The download domains used as part of this campaign were compromised sites which have previously been used by Necurs-based campaigns.
Scarab Ransomware
The payload itself - Scarab - is a relatively new ransomware family that was discovered in June by Michael Gillespie. In the particular variant observed being distributed today, the ransomware drops the following copy of itself upon execution:
%Application Data%\sevnz.exe
It then creates a registry entry as an autostart mechanism:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce uSjBVNE = "%Application Data%\sevnz.exe
Once installed it proceeds to encrypt files, adding the extension “.[suupport@protonmail.com].scarab” to affected files. A ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” (Figure 5, below) is dropped within each affected directory. The misspelling of "support" is present in both the modified filenames and the ransom note, and is presumably a result of the availability of email addresses on the Protonmail service.
Unusually, the note does not specify the amount being demanded, instead simply stating that "the price depends on how fast you write to us". This note is also automatically opened by the malware after execution.
Figure 5: Ransom message displayed by Scarab malware
The use of an email-based payment system has been observed in a number of campaigns already this year (most notably the NotPetya attack in June) and proven – for both the malware authors and victims – to be a potential single point of failure in the payment system, with providers often moving quickly to shut down the addresses associated with ransomware campaigns. In the case of Scarab, it appears that this possibility has been considered already, with the ransom note providing a secondary contact mechanism via BitMessage should the email address become unavailable.
When running, Scarab executes the following commands to disable default Windows recovery features:
cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
cmd.exe /c wmic SHADOWCOPY DELETE
cmd.exe /c vssadmin Delete Shadows /All /Quiet
cmd.exe /c bcdedit /set {default} recoveryenabled No
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
Finally, once the encryption process is complete, it deletes the original copy of itself.
Protection Statement
Forcepoint customers are protected against this threat via TRITON® ACE at the following stages of attack:
Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Scarab variants are prevented from being downloaded.
Conclusion
By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach. It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns.
Either way, as we noted in our recent 2018 Security Predictions, we can expect ransomware to continue to make up a significant portion of the threat landscape for some time to come.
As always, Forcepoint Security Labs will continue to monitor developments to this threat and provide updates as necessary.
Indicators of Compromise
VBScript SHA-256
c7e3c4bad00c92a1956b6d98aae0423170de060d2e15c175001aaeaf76722a52
Scarab SHA-256
7a60e9f0c00bcf5791d898c84c26f484b4c671223f6121dc3608970d8bf8fe4f
Download locations
hard-grooves[.]com/JHgd476? pamplonarecados[.]com/JHgd476? miamirecyclecenters[.]com/JHgd476?