November 23, 2017

Massive email campaign spreads Scarab ransomware

Ben Gibney Security Researcher
Roland Dela Paz Security Researcher

In a similar fashion to the Jaff ransomware, Forcepoint Security Labs have observed another piece of ransomware called “Scarab” being pushed by the infamous Necurs botnet. The massive email campaign started at approximately 07:30 UTC and is active as of 13:30 today, totalling over 12.5 million emails captured so far.

The graph below shows the per-hour volume of Scarab/Necurs emails blocked by Forcepoint between 07:00 and 12:00 UTC:

Figure 1: Scarab/Necurs emails intercepted per hour

Based on our telemetry, the majority of the traffic is being sent to the .com top level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France, and Germany:

Figure 2: Target TLD distribution for Scarab malicious email

The email uses the subject “Scanned from {printer company name}” – a theme that is known to have been utilised for previous Locky ransomware campaigns distributed via Necurs. The email contains a 7zip attachment containing a VBScript downloader.

Figure 3: Sample malicious email

As has been previously observed in Necurs campaigns, the VBScript contained a number of Game of Thrones references, in particular the strings “Samwell” and “JohnSnow”:

Figure 4: 'Game of Thrones' references within malicious VBScript

The download domains used as part of this campaign were compromised sites which have previously been used by Necurs-based campaigns.

Scarab Ransomware

The payload itself - Scarab - is a relatively new ransomware family that was discovered in June by Michael Gillespie. In the particular variant observed being distributed today, the ransomware drops the following copy of itself upon execution:

%Application Data%\sevnz.exe

It then creates a registry entry as an autostart mechanism:

uSjBVNE = "%Application Data%\sevnz.exe

Once installed it proceeds to encrypt files, adding the extension “.[suupport@protonmail.com].scarab” to affected files. A ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” (Figure 5, below) is dropped within each affected directory. The misspelling of "support" is present in both the modified filenames and the ransom note, and is presumably a result of the availability of email addresses on the Protonmail service.

Unusually, the note does not specify the amount being demanded, instead simply stating that "the price depends on how fast you write to us". This note is also automatically opened by the malware after execution.


Figure 5: Ransom message displayed by Scarab malware

The use of an email-based payment system has been observed in a number of campaigns already this year (most notably the NotPetya attack in June) and proven – for both the malware authors and victims – to be a potential single point of failure in the payment system, with providers often moving quickly to shut down the addresses associated with ransomware campaigns. In the case of Scarab, it appears that this possibility has been considered already, with the ransom note providing a secondary contact mechanism via BitMessage should the email address become unavailable.

When running, Scarab executes the following commands to disable default Windows recovery features:

cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
cmd.exe /c wmic SHADOWCOPY DELETE
cmd.exe /c vssadmin Delete Shadows /All /Quiet
cmd.exe /c bcdedit /set {default} recoveryenabled No
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures

Finally, once the encryption process is complete, it deletes the original copy of itself. 

Protection Statement

Forcepoint customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Scarab variants are prevented from being downloaded. 


By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach. It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns.

Either way, as we noted in our recent 2018 Security Predictions, we can expect ransomware to continue to make up a significant portion of the threat landscape for some time to come.

As always, Forcepoint Security Labs will continue to monitor developments to this threat and provide updates as necessary.

Indicators of Compromise

VBScript SHA-256


Scarab SHA-256


Download locations


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.