A new variant of the Scarab ransomware has been spotted by security researchers. The new version is being spread through weakly secured Remote Desktop Protocol (RDP) connections, whereas the previous one was distributed by a massive spam campaign run through the Necurs botnet.
Researchers at Malwarebytes discovered the new version in December 2017. According to the researchers, the new incarnation is called Scarabey, and it appears to target Russian users. The malware demands a Bitcoin payment from victims after infecting their systems and encrypting their files.
There is no major code difference between Scarab and Scarabey; they are almost "byte-for-byte identical", but they do have some notable differences.
"The malicious code is written in Delphi without the C++ packaging that Scarab has and the content and language of the ransom notes are different for each," researchers said in a blog post. "As far as the victim is concerned, the main difference between Scarabey and other Scarab ransomware is the language of the ransom note and the scare tactic used in encryption message."
With Scarab, the ransom note is written in English with several grammatical and syntax errors; it appears to have been translated word for word from Russian to English using Google Translate.
The ransom note for the new Scarabey, by contrast, is written in Russian to cover more victims.
"What's interesting is that when you throw the Scarabey note into Google translate, as I have done below, it contains the same grammatical errors as the Scarab note," the researchers noted. "This is more proof that the authors of Scarab are likely Russian speakers who had written the note in their native language and run it through a translator to be added into the Scarab code.
"It would then seem quite likely that, since they decided to target Russians, they released the Scarabey note in their native language to cover more victims."
Scarab's ransom note told victims that the ransom price would increase over time; Scarabey, however, threatens to permanently delete 24 files every 24 hours until the ransom is paid.
"24 files are deleted every 24 hours. (we have copies of them)," the ransom note reads. "If you do not run the decryption program within 72 hours, all the files on the computer are completely deleted, without the possibility of recovery."
However, the Malwarebytes researchers say this is just a scare tactic.
"The conclusion here is that the deletion of files or the idea that the malware authors have access to delete files is purely a scare tactic used to urge users into sending money quickly," the researchers said.