Necurs Returns With New Scarab Ransomware Campaign

The world’s largest spam botnet, Necurs, is delivering a new version of the Scarab ransomware. The campaign started at 07:30 UTC on Thanksgiving Day. By 13:30 UTC, security firm Forcepoint had already blocked more than 12.5 million Necurs emails.

The new campaign was also noted by F-Secure. “This morning at 9AM (Helsinki time, UTC +2) we observed the start of a campaign with malicious .vbs script downloaders compressed with 7zip,” blogged researcher Paivi Tynninen on Thursday.

“Based on our telemetry,” noted Forcepoint researchers, “the majority of the traffic is being sent to the .com top level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France and Germany.”

Necurs, weaponizing between 5 and 6 million hosts per month, was originally best known for distributing the Dridex banking trojan, the Locky ransomware, and ‘pump-and-dump’ schemes. This year it has also spammed out Jaff and GlobeImposter ransomware. Scarab is new.

Scarab was first spotted in June 2017 by Michael Gillespie, creator of ID Ransomware (a service that allows users to submit a ransom note to discover which ransomware has infected them). According to F-Secure, Scarab’s code “is based on the open source ìransomware proof-of-concept called HiddenTear.”

Necurs is delivering a malicious VBS script downloader compressed with 7zip. As in previous campaigns, the script contains a number of Games of Thrones references, such as the strings ‘Samwell’ and ‘JohnSnow’. The final payload is Scarab. 

The email itself is typical Necurs: minimal text body with business-related subjects; in this case suggesting the attachment contains images of scanned documents. Popular subjects are ‘Scanned from…’ with either Lexmark, HP, Cannon or Epson added.  

“The download domains used as part of this campaign were compromised sites which have previously been used by Necurs-based campaigns,” notes Forcepoint. It is probable that many organizations will have these domains blacklisted, but the sheer size of the campaign will likely lead to many new Scarab infections. 

If the downloader runs and Scarab is installed, it encrypts files and appends a new extension ending in ‘[[email protected]].scarab’. The email address part of the extension is the same contact email provided in the ransom note.

The ransom note, with the filename ìIF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXTî, is dropped into each affected folder. This note does not specify the amount of ransom required, saying instead that the amount will depend upon the speed of response from the victim. It does, however, offer to decrypt three files free of charge to prove the decryption will work: “Before paying you can send us up to 3 files for free decryption.”

Related: Ransomware: Where It’s Been and Where It’s Going