Connect with us

Hi, what are you looking for?



Necurs Returns With New Scarab Ransomware Campaign

The world’s largest spam botnet, Necurs, is delivering a new version of the Scarab ransomware. The campaign started at 07:30 UTC on Thanksgiving Day. By 13:30 UTC, security firm Forcepoint had already blocked more than 12.5 million Necurs emails.

The world’s largest spam botnet, Necurs, is delivering a new version of the Scarab ransomware. The campaign started at 07:30 UTC on Thanksgiving Day. By 13:30 UTC, security firm Forcepoint had already blocked more than 12.5 million Necurs emails.

The new campaign was also noted by F-Secure. “This morning at 9AM (Helsinki time, UTC +2) we observed the start of a campaign with malicious .vbs script downloaders compressed with 7zip,” blogged researcher Paivi Tynninen on Thursday.

“Based on our telemetry,” noted Forcepoint researchers, “the majority of the traffic is being sent to the .com top level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France and Germany.”

Necurs, weaponizing between 5 and 6 million hosts per month, was originally best known for distributing the Dridex banking trojan, the Locky ransomware, and ‘pump-and-dump’ schemes. This year it has also spammed out Jaff and GlobeImposter ransomware. Scarab is new.

Scarab was first spotted in June 2017 by Michael Gillespie, creator of ID Ransomware (a service that allows users to submit a ransom note to discover which ransomware has infected them). According to F-Secure, Scarab’s code “is based on the open source ìransomware proof-of-concept called HiddenTear.”

Necurs is delivering a malicious VBS script downloader compressed with 7zip. As in previous campaigns, the script contains a number of Games of Thrones references, such as the strings ‘Samwell’ and ‘JohnSnow’. The final payload is Scarab. 

The email itself is typical Necurs: minimal text body with business-related subjects; in this case suggesting the attachment contains images of scanned documents. Popular subjects are ‘Scanned from…’ with either Lexmark, HP, Cannon or Epson added.  

Advertisement. Scroll to continue reading.

“The download domains used as part of this campaign were compromised sites which have previously been used by Necurs-based campaigns,” notes Forcepoint. It is probable that many organizations will have these domains blacklisted, but the sheer size of the campaign will likely lead to many new Scarab infections. 

If the downloader runs and Scarab is installed, it encrypts files and appends a new extension ending in ‘[[email protected]].scarab’. The email address part of the extension is the same contact email provided in the ransom note.

The ransom note, with the filename ìIF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXTî, is dropped into each affected folder. This note does not specify the amount of ransom required, saying instead that the amount will depend upon the speed of response from the victim. It does, however, offer to decrypt three files free of charge to prove the decryption will work: “Before paying you can send us up to 3 files for free decryption.”

Related: Ransomware: Where It’s Been and Where It’s Going 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...