What Is It?
In the days leading up to the U.S. Thanksgiving break, a significant malicious spam campaign was launched to spread a new piece of ransomware known as Scarab. The timing was clearly deliberate in its approach with social engineering as many people had already started their Thanksgiving break on the 23rd. It was designed to hit the inboxes of people in a rush to finish their work and start their holiday break, thus exercising less care and attention on what they were clicking on.
It is reported that in the first four hours of this campaign, over 12.5 million spam e-mails were sent. The subject of the e-mails used a common lure of “Scanned from [printer name],” where “printer name” was Epson, HP, Lexmark or Canon. The large Necurs botnet was utilized to send the spam e-mails from infected hosts.
Attached to the e-mail was a Visual Basic script compressed inside a 7-Zip file. Executing the Visual Basic script resulted in downloading and executing the Scarab ransomware.
Scarab adds the extension “[firstname.lastname@example.org].scarab” to all files it encrypts — those include data files as well as document and image file types.
How Does It Propagate?
The Scarab ransomware does not self-propagate, nor does it spread via an internal network.
It spreads via malicious spam, requiring users to be socially engineered to open the attached 7-Zip file and execute the Visual Basic script in order to be infected. Once again highlighting the importance of user education in securing the corporate IT environment.
When/How Did BluVector Detect It?
BluVector’s patented machine learning malware detection engine detects the Scarab malware as malicious. Regression testing on the sample has shown the ransomware would have been detected by BluVector 11 months prior to its release.
About Threat Report
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solution would protect customers from those threats. Read more Threat Reports here.