In the latest development, the Necurs botnet is being used to spread a spam campaign carrying Scarab ransomware. Security firm F-Secure spotted the attack campaign, which had malicious VBScript downloaders compressed with 7zip. The script also contains several ‘Game of Thrones’ references, including JohnSnow and Samwell.
Within six hours of the first attack, 12.5 million emails were distributed, which is about two million messages per hour.
It’s worth noting that email subject lines are “Scanned from (printer company name).” This theme is widely known to have been utilized for Locky ransomware. Here’s how to spot one:
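One way to triage mail for the two traits described above (a subject beginning “Scanned from” together with a 7zip attachment) is sketched below. This is an added example, not code from F-Secure or the original article; the function names, addresses, printer name and sample messages are constructed for illustration, and the subject pattern alone also matches legitimate scanner mail, so it is only combined with the archive check.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # file signature of a 7-Zip archive
SUBJECT_RE = re.compile(r"^\s*scanned from\s+\S+", re.IGNORECASE)


def campaign_traits(raw: bytes) -> dict:
    """Report which of the described traits a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.match(str(msg.get("Subject", ""))))
    archives = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        # Check content first: a renamed archive still starts with the magic.
        if payload.startswith(SEVENZIP_MAGIC) or name.lower().endswith(".7z"):
            archives.append(name)
    # Flag only when both traits are present; either one alone is common.
    return {"subject": subject_hit, "archives": archives,
            "flag": subject_hit and bool(archives)}


def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message (not real campaign mail)."""
    m = EmailMessage()
    m["From"] = "copier@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please find the scanned document attached.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Scanned from ExamplePrinter", "scan_0001.bin",
                     SEVENZIP_MAGIC + b"\x00" * 26),
        build_sample("Scanned from ExamplePrinter", "scan.pdf", b"%PDF-1.4\n"),
        build_sample("Meeting notes", "notes.7z", SEVENZIP_MAGIC + b"\x00" * 26),
    ]
    for raw in samples:
        print(campaign_traits(raw))
```

Only the first constructed message is flagged; the second has the subject but a PDF attachment, and the third has an archive but an unrelated subject.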
Coming back to Scarab, it’s a relatively new ransomware, based on an open-source ransomware proof-of-concept named HiddenTear. It was discovered in June by Michael Gillespie, according to Forcepoint.
Once the ransomware infects a machine, it encrypts files and adds the “[[email protected]].scarab” extension to affected files. A ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” is also dropped in the affected directory.
While the note doesn’t specify how much the ransom is, it states “the price depends on how fast you write to us”. The use of an email-based payment system has been seen often this year, including in the NotPetya attack.
Various studies and surveys have shown that ransomware attacks are the fastest growing malware type. So, you must follow the best internet practices and avoid clicking on suspicious links in email or social networking websites.