CyberWarfare / ExoWarfare

This ransomware asks victims to name their own price to get their files back

Attackers behind this form of file-encrypting malware – which has similarities with Locky – think that if the victim can set their own price, they’re more likely to pay.

A form of ransomware which shares similarities with Locky and also comes with the option for infected victims to negotiate a price for retrieving their encrypted files.

Scarab ransomware was first uncovered in June, but during November, it was suddenly distributed in millions of spam emails, as noted by researchers at Fortinet. These emails were distributed by Necurs, the botnet infamous for spreading the highly-successful Locky ransomware.

The file-encrypting malware is deployed when the victim runs a VBScript application [i.e. this is a Windows-only problem — TJACK] contained within a malicious email, which retrieves Scarab from payload websites. Researchers at PhishMe note that this script contains similarities to the delivery mechanism used to deliver Locky.

Those behind Scarab have also chosen to fill the source code of the ransomware with what appear to be references to Game of Thrones character, Jon Snow.


The Scarab source code references Game of Thrones


Once installed and executed on the victim’s computer, the malware will connect to a website which provides the attacker with the IP address and other machine information – likely to aid the attacker in keeping track of victims.

Even if the machine is taken offline during the process, the ransomware still encrypts the files with the .scarab file extension and presents the victim with a ransom note.


The Scarab ransom note – with email address for negotiating payment.


But rather than demanding a set payment fee, the attackers behind Scarab ask the victims to email them in order to negotiate a payment in Bitcointhe cryptocurrency often used by attackers to collect ransom payments.

The use of an email address suggests the attackers aren’t as sophisticated as those behind other forms of ransomware. However, they do seem to working to the theory that if they allow the victim to set a price, they’re more likely to receive a payment.

“The negotiation process encouraged by the Scarab ransomware is particularly interesting. While entering into negotiations definitely makes it more likely that a ransom of some kind will be paid, it also allows them to fluctuate demands depending on the value of Bitcoin at that time,” said Aaron Higbee, co-founder and CTO of PhishMe.

Researchers suggest the rise in the value of Bitcoin has played a part in the shift to this tactic. A charge of around one Bitcoin was often set a ransom demand during 2016, when the value of Bitcoin was under $1000. At the time of writing, one Bitcoin has shot up to a value of over $16,000.

Attackers are likely to understand the average victim isn’t going to have the funds to pay this fee, so by allowing the victim to suggest a price, those behind Scarab are more likely to guarantee a pay-day for their criminal work.

Those behind Scarab also attempt to establish that they can be trusted to hold up their end of the malicious deal with the use of a common tactic by ransomware distributors: offering to decrypt some files for free. They also provide instructions on how to obtain Bitcoin in order so that they can receive payment from victims.

However, these aren’t acts of community spirit, the attackers are criminals who are looking for profit by extorting a payment out of the unfortunate victim – a reality hammered home by how the ransom note says “Decryption of your files with the help of third parties may cause an increased price”.

The attackers also add that by trying to use decryption tools, the victim “can become a victim of a scam”.

Researchers are currently unsure if Scarab will be a temporary ransomware campaign – such as Jaffor if it will become a long-standing threat like Locky.