A new variant of the Scarab ransomware has been uncovered in the wild that uses a different distribution method and a different threat to scare victims into paying up. While the original Scarab ransomware was distributed by a massive spam campaign sent through the Necurs botnet, the new variant, dubbed "Scarabey", is delivered over Remote Desktop Protocol connections and dropped manually on servers and systems.
Discovered in December 2017, researchers at Malwarebytes say the new threat seems to be targeting Russian users. Similar to other ransomware, Scarabey demands a Bitcoin payment from victims after infecting their system and encrypting all files.
According to the researchers, the code of Scarab and Scarabey is almost "byte-for-byte identical", but there are some notable differences.
"The malicious code is written in Delphi without the C++ packaging that Scarab has, and the content and language of the ransom notes are different for each," researchers said in a blog post. "As far as the victim is concerned, the main difference between Scarabey and other Scarab ransomware is the language of the ransom note and the scare tactic used in the encryption message."
The ransom note for the original Scarab was written in English, contained several errors, and appeared to have been translated word-for-word from Russian without proper English grammar or syntax.
Meanwhile, the ransom note for the new Scarabey variant is written in Russian.
"What's interesting is that when you throw the Scarabey note into Google Translate, as I have done below, it contains the same grammatical errors as the Scarab note," the researchers noted. "This is more proof that the authors of Scarab are likely Russian speakers who had written the note in their native language and run it through a translator to be added into the Scarab code.
"It would then seem quite likely that, since they decided to target Russians, they released the Scarabey note in their native language to cover more victims."
The threat used in the ransom note to scare victims into paying also differs from the original Scarab. While the Scarab ransom note warns victims that the price will rise the longer they wait to pay, Scarabey threatens to permanently delete 24 files every 24 hours until they pay the ransom and there are no more files left to recover.
"24 files are deleted every 24 hours. (we have copies of them)," the ransom note reads. "If you do not run the decryption program within 72 hours, all the files on the computer are completely deleted, without the possibility of recovery."
However, the Malwarebytes researchers say this is just a scare tactic leveraged by the threat actors.
"Essentially, the criminals are implying that they have copies of the unencrypted files to give back to the user, or that they have control of the victim computer to delete files," they said. However, the malware code does not include any indication that the hackers have copied files to a different location or that they have the ability to remotely delete files from the victim's computer.
"The conclusion here is that the deletion of files or the idea that the malware authors have access to delete files is purely a scare tactic used to urge users into sending money quickly," the researchers said.
Victims' files are encrypted with AES-256, and the key used to encrypt them changes from file to file.
"If just a single encryption key was used for all of the files (which has been seen with other ransomware), you would be able to capture memory at any point in the encryption process, save the key, and use it to decrypt all of the files on your hard drive," Malwarebytes said. "Unfortunately, because of this key cycling that Scarab performs, it makes decryption of the files likely impossible."
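To make the point about key cycling concrete, the following Go program is an added illustration and is not code from Malwarebytes or from the Scarab samples. It models the two designs the researchers contrast: one key for every file versus a fresh key per file, each discarded once its file is written. The `EncryptSingleKey`, `EncryptPerFileKey` and `Recover` functions, the AES-256-GCM mode, and the three sample "documents" are all assumptions made for the demonstration; the program does not model how the real malware transmits or wraps keys, only what a memory capture taken during encryption would yield.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Encrypted is one file as a ransomware run would leave it on disk:
// a per-file nonce followed by the AES-256-GCM ciphertext.
type Encrypted struct {
	Name  string
	Nonce []byte
	Data  []byte
}

// randomBytes draws n bytes from the OS CSPRNG; a failure here is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds an AES-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one plaintext under key with a fresh random nonce.
func seal(key []byte, name string, plaintext []byte) Encrypted {
	gcm, err := gcmFor(key)
	if err != nil {
		panic(err)
	}
	nonce := randomBytes(gcm.NonceSize())
	return Encrypted{Name: name, Nonce: nonce, Data: gcm.Seal(nil, nonce, plaintext, nil)}
}

// open tries a candidate key against one file. GCM's authentication tag
// rejects a wrong key, so "ok" reliably tells us whether the key matched.
func open(key []byte, f Encrypted) ([]byte, bool) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, false
	}
	pt, err := gcm.Open(nil, f.Nonce, f.Data, nil)
	return pt, err == nil
}

// EncryptSingleKey is the weaker design: one key for every file. It returns
// the ciphertexts plus the key that sits in memory for the whole run.
func EncryptSingleKey(files map[string][]byte) ([]Encrypted, []byte) {
	key := randomBytes(32)
	var out []Encrypted
	for name, pt := range files {
		out = append(out, seal(key, name, pt))
	}
	return out, key
}

// EncryptPerFileKey models the key cycling described above: a new key per
// file, overwritten as soon as the next file starts. It returns the
// ciphertexts plus only the key still resident when the last file was done,
// which is all a memory capture at that moment could recover.
func EncryptPerFileKey(files map[string][]byte) ([]Encrypted, []byte) {
	var out []Encrypted
	var resident []byte
	for name, pt := range files {
		resident = randomBytes(32)
		out = append(out, seal(resident, name, pt))
	}
	return out, resident
}

// Recover counts how many files a single captured key decrypts.
func Recover(captured []byte, files []Encrypted) int {
	n := 0
	for _, f := range files {
		if _, ok := open(captured, f); ok {
			n++
		}
	}
	return n
}

// sampleFiles is constructed input standing in for a victim's documents.
func sampleFiles() map[string][]byte {
	return map[string][]byte{
		"report.docx":  []byte("quarterly figures"),
		"photos.zip":   []byte("holiday pictures"),
		"database.bak": []byte("customer records"),
	}
}

func main() {
	files := sampleFiles()
	single, k1 := EncryptSingleKey(files)
	cycled, k2 := EncryptPerFileKey(files)
	fmt.Printf("single key: captured key recovers %d of %d files\n", Recover(k1, single), len(single))
	fmt.Printf("per-file keys: captured key recovers %d of %d files\n", Recover(k2, cycled), len(cycled))
}
```

Run with `go run .`: with a single key the captured key opens all three files, while with per-file keys it opens exactly the one file that was being processed when the capture was taken. The authenticated mode is what makes the count trustworthy, since a wrong key is rejected by the tag rather than producing garbage plaintext that looks like a partial success.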