Cyber Crooks use Necurs Botnet to spread Scarab Ransomware


Security researchers from Forcepoint have discovered that cyber crooks are now spreading Scarab ransomware through the Necurs botnet. The researchers added in their statement that more than 12.5 million emails were circulated in this phishing campaign to inboxes holding .com and .co.uk domain addresses.

NOTE 1- Necurs is a malware-distributing botnet whose command and control servers are located in Asia-Pacific. In June 2016, the botnet went offline, due either to a technical glitch or to a digital lockdown from Interpol. But in March 2017, the botnet resumed sending email as part of a ‘pump and dump’ campaign.

NOTE 2- A botnet is a collection of web-connected devices, which includes PCs, servers, mobile devices and Internet of Things (IoT) devices. Here ‘bot’ means robot and ‘net’ means network. A bot in this context is a device infected with malware that is part of the malware-infected network, with the device's user unaware that a botnet has infected the system.

It is said that the researchers first spotted the emails carrying Scarab ransomware on November 23 of this year. The unsolicited emails had the subject line “Scanned from {printer company name}”, and each contained a zip attachment with a VBScript downloader.
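For mail administrators, the lure described above can be checked at the gateway. The following Python sketch is an added example, not code from Forcepoint or from the original article: it flags a message whose subject starts with “Scanned from” and whose zip attachment contains a VBScript file. The attachment and member names, the addresses, and the extra `.vbe` extension are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_PREFIX = "scanned from"   # lure subject reported in the article
SCRIPT_EXTS = (".vbs", ".vbe")    # assumption: encoded VBScript (.vbe) is flagged too


def scripts_in_zip(data: bytes) -> list[str]:
    """Return names of VBScript members inside a zip blob; [] if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Check one raw RFC 5322 message against the lure described above."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    hits = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the content, not the file name: zip data starts with PK\x03\x04.
        if payload.startswith(b"PK\x03\x04"):
            found = scripts_in_zip(payload)
            if found:
                hits[name] = found
    subject_match = subject.strip().lower().startswith(SUBJECT_PREFIX)
    return {
        "subject_match": subject_match,
        "script_archives": hits,
        "quarantine": subject_match and bool(hits),
    }


def build_sample(subject: str, member: str) -> bytes:
    """Constructed sample: a message with a zip holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "' constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "copier@example.com", "user@example.com"
    msg.set_content("Please find the scanned document attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="image_scan.zip")
    return msg.as_bytes()
```

Either signal alone is noisy, since real multifunction printers send “Scanned from” mail, so the sketch only recommends quarantine when both the subject and a script-bearing archive are present.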

Once installed, the ransomware proceeds to encrypt files, adding the extension ‘[suupport@protonmail dot com].scarab’ to affected files. A ransom note saying the files are encrypted is placed, in .txt format, in each affected directory.

Currently, the note doesn’t specify any ransom demand. Instead, it states that the price depends on “how fast you write to us”, meaning the cyber crooks want the victim to contact them as early as possible. The note also opens automatically as soon as the malware is executed.

The email ID is provided for primary communication, a procedure seen in the NotPetya ransomware infection earlier in the year.

Researchers from Forcepoint say that the spread of the infection can be contained if the domain service providers choose to shut the services. But some computers infected with Scarab ransomware were seen with a BitMessage contact for communication.

“Using large botnets such as Necurs is giving small ransomware actors a global reach and a way to earn big”, said Chris Doman, a researcher from AlienVault.

Doman also suggests that this ransomware variant is, fortunately, detectable by most anti-malware vendors.

Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
