Scarab Ransomware: Complete Guide 

Scarab ransomware is a type of malware that encrypts files on a victim’s computer and demands payment in exchange for the decryption key. It was first discovered by malware security researcher Michael Gillespie in 2017. It uses the Advanced Encryption Standard (AES) cipher to encrypt files.

Scarab ransomware group did not reveal where it originates from or whether it is politically motivated. However, it is known to have been deployed worldwide via the Spacecolon Toolset. Scarab ransomware can infect systems and machines through various means, including phishing emails, malicious attachments, and software vulnerabilities.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

What kind of malware is Scarab?

Scarab is a type of ransomware that stealthily infiltrates systems and encrypts various data. It appends filenames with the “.[resque@plague.desi].scarab” extension. Updated variants of this ransomware append: .inchin, .gold, .crabs.

Other variants of this ransomware will add “.[unlocking.guarantee@aol.com]” as an extension to encrypted files.

Following successful encryption, the virus creates and automatically opens a text file (“IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT”), and then places it on the desktop. Scarab ransomware has very similar characteristics to ElmersGlue, EncrypTile, GlobeImposter, TheDarkEncryptor, and dozens of other ransomware-type viruses.

Everything we know about Scarab Ransomware

Confirmed Name

• Scarab virus

Threat Type

• Ransomware
• Crypto Virus
• Files locker
• Double extortion

Encrypted Files Extension

• There are many file extensions, depending on the ransomware variant.

Ransom Demanding Message

• IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT, HOW TO RECOVER ENCRYPTED FILES – decrypts@airmail.cc.TXT

Is There a Free Decryptor Available?

No, there’s no public decryptor for Scarab ransomware.

Distribution methods

• Infected email attachments (macros)
• Drive-by downloads
• Spam mail
• Dubious download channels (e.g., freeware and third-party websites, P2P sharing networks, etc.)
• Online scams
• Malvertising
• Illegal software activation tools (“cracks”)
• Fake updates

Consequences

• Files are encrypted and locked until the ransom payment
• Data leak
• The network is left open for new simultaneous attacks
• Double extortion

What is in the Scarab ransom note

The content of the Scarab ransom note varies depending on the variant of the ransomware. However, the ransom note typically informs victims of the encryption and makes ransom demands.

The ransom note is a text file named “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” and placed on the desktop of the infected computer.

The following are examples of the content of the Scarab ransom note:

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

How does Scarab ransomware infect a machine or network?

Infected email attachments (macros)

Scarab ransomware is often distributed through infected email attachments that contain malicious macros. When the victim opens the attachment and enables macros, the ransomware is downloaded and executed on the victim’s machine;

Drive-by downloads

Scarab ransomware can also be distributed through drive-by downloads, where the victim unknowingly downloads the ransomware by visiting a compromised website.

Spam mail

Scarab ransomware can be distributed through spam mail campaigns that contain malicious attachments or links to infected websites.

Dubious download channels

Scarab ransomware can be distributed through dubious download channels such as freeware and third-party websites, P2P sharing networks, and other unofficial software download sources.

Online scams

Online scams include fake software updates or fake antivirus software.

The Scarab ransomware gang creates fake antivirus software that claims to detect and remove malware from the victim’s machine. However, the software itself is malware, and it installs the ransomware on the victim’s machine. The gang also creates fake software updates that contain the ransomware.

Malvertising

Scarab ransomware can be distributed through malvertising, where the victim unknowingly downloads the ransomware by clicking on a malicious advertisement that appears to be legit.

Illegal software activation tools

Scarab ransomware can be distributed through illegal software activation tools, such as “cracks,” which are used to bypass software licensing restrictions.

Fake updates

Scarab ransomware can be distributed through fake software updates, where the victim is prompted to download and install a fake update that contains the ransomware

How does Scarab ransomware work

Scarab ransomware uses the Spacecolon toolset to compromise vulnerable web servers or via brute-forcing RDP credentials.

The primary component of Spacecolon is ScHackTool, a Delphi-based orchestrator that’s used to deploy an installer, which installs ScService, a backdoor with features to execute custom commands, download and execute payloads, and retrieve system information from compromised machines. ScHackTool also functions as a conduit to set up a wide array of third-party tools fetched from a remote server. The ultimate goal of the attacks is to leverage the access afforded by ScService to deliver a variant of the Scarab ransomware.

Scarab ransomware uses the Advanced Encryption Standard (AES) cipher to encrypt files.

What is the Spacecolon toolset? 

Spacecolon toolset is a malicious toolset that is used to deploy variants of the Scarab ransomware to victims all over the world. The toolset is used to compromise vulnerable web servers or via brute-forcing RDP credentials.

Do not pay the ransom! Contacting a ransomware removal service can not only restore your files but also remove any potential threat.

How to handle a Scarab ransomware attack

The first step to recovering from a Scarab attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3).

To report a ransomware attack you must gather every information you can about it, including:

• Screenshots of the ransom note
• Communications with threat actors (if you have them)
• A sample of an encrypted file

However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.

You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), using a ransomware ID tool, or it will be on the ransom note. With this information, you can look for a public decryption key.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent Scarab ransomware from attacking your network again. Contact our experts 24/7 for ransomware recovery services.

Prevent the Scarab ransomware attack

Preventing ransomware is the best solution for data security. is easier and cheaper than recovering from them. Scarab ransomware can cost your business’s future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

• Keep software up to date to prevent vulnerabilities that can be exploited by the ransomware.
• Use strong passwords and two-factor authentication to prevent unauthorized access to systems.
• Regularly back up important files and store them in a secure location.
• Be cautious when opening email attachments or clicking on links from unknown sources.
• Use reputable antivirus software and keep it up to date.