A brand new Necurs botnet campaign is delivering a new variant of the Scarab ransomware. The campaign started at 07:30 UTC on Thanksgiving Day, and by 13:30 UTC on the same day, the Forcepoint experts had already managed to block over 12.5 million Necurs emails.
The security company F-Secure also noticed the new ransomware campaign.
“This morning at 9AM (Helsinki time, UTC +2) we observed the start of a campaign with malicious .vbs script downloaders compressed with 7zip,” the researcher Paivi Tynninen commented.
“Based on our telemetry,” the Forcepoint experts said, “the majority of the traffic is being sent to the .com top level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France and Germany.”
The Necurs botnet, which reaches between 5 and 6 million hosts a month, was initially known for spreading the Dridex banking trojan, the Locky ransomware, and ‘pump-and-dump’ stock schemes. This year the botnet has also delivered the Jaff and GlobeImposter ransomware families, and Scarab is the most recent addition.
The Scarab ransomware was first seen in June this year. The F-Secure researchers note that Scarab’s code “is based on the open source ransomware proof-of-concept called HiddenTear.”
In this campaign the Necurs botnet is delivering a malicious VBS script downloader compressed with 7zip. As in previous campaigns, the script contains a number of Game of Thrones references, such as the strings ‘Samwell’ and ‘JohnSnow’, and the final payload is Scarab.
The email is typical Necurs: a minimal text body with a business-related subject, in this case suggesting that the attachment contains images of scanned documents. Popular subjects are ‘Scanned from…’ followed by a printer vendor such as Lexmark, HP, Canon or Epson.
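A small mail-triage check for the lure traits described above, added here as an example and not taken from Forcepoint’s or F-Secure’s own tooling. It parses a raw message with Python’s standard `email` package, looks for the ‘Scanned from <vendor>’ subject, a 7zip attachment and a near-empty text body, and flags the message only when the subject lure and a 7zip attachment appear together. The sender, recipient, attachment names and the 40-character ‘minimal body’ threshold are assumptions, and both sample messages are constructed for the example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure traits reported for this campaign: a "Scanned from <vendor>" subject
# (Lexmark, HP, Canon or Epson), an almost empty body and a 7zip attachment.
SUBJECT_LURE_RE = re.compile(r"^\s*scanned\s+from\s+(lexmark|hp|canon|epson)\b", re.I)
MINIMAL_BODY_CHARS = 40  # assumption: what counts as a "minimal text body"


def triage_message(raw):
    """Return the lure indicators found in one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = msg.get("Subject", "")
    # Attachment names come from the Content-Disposition filename parameter.
    archives = [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename() and part.get_filename().lower().endswith(".7z")
    ]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "subject_lure": bool(SUBJECT_LURE_RE.search(subject)),
        "archive_attachments": archives,
        "minimal_body": len(text.strip()) < MINIMAL_BODY_CHARS,
    }


def is_scanner_lure(raw):
    """Flag a message only when the subject lure and a 7zip attachment both appear."""
    found = triage_message(raw)
    return found["subject_lure"] and bool(found["archive_attachments"])


def build_sample(subject, body, attachment_name, payload):
    """Construct a test message; addresses and names are made up for this example."""
    msg = EmailMessage()
    msg["From"] = "scanner@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples, not real campaign artefacts. The 7z payload is only the
# archive's magic bytes followed by padding; nothing here is extracted or run.
LURE = build_sample("Scanned from Lexmark", "Scanned image attached.",
                    "image2017-11-23-123456.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16)
BENIGN = build_sample("Q4 budget draft",
                      "Hi, attached is the draft budget we discussed on the call yesterday. "
                      "Comments welcome before Friday.",
                      "budget.xlsx", b"PK\x03\x04" + b"\x00" * 16)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, is_scanner_lure(raw), triage_message(raw))
```

The check deliberately keys on the combination of traits rather than the subject alone, since ‘Scanned from HP’ is also what a real multifunction printer sends; in a gateway you would go one step further and inspect the archive for a `.vbs` member, which needs a 7z library and is left out here.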
“The download domains used as part of this campaign were compromised sites which have previously been used by Necurs-based campaigns,” the Forcepoint team states.
Many organizations will probably already have such domains blacklisted; however, the sheer size of the campaign will likely still lead to many new Scarab infections.
If the downloader runs and the Scarab ransomware is installed, it encrypts files and appends a new extension ending in ‘[firstname.lastname@example.org].scarab’. The email address that forms part of the extension is the same contact email included in the ransom note.
The ransom note itself, with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT”, is dropped into each folder containing encrypted files. The note does not specify the amount of ransom demanded, stating instead that the amount will depend on how quickly the victim responds.
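A host-side sweep for the two artefacts just described, added here as an example rather than code from the original report. It walks a list of file paths, matches the ‘[<contact email>].scarab’ suffix, records the contact address embedded in the extension, and notes which directories hold the ransom note, so a responder can see at a glance which folders were hit and confirm that the address in the extension matches the note. The sample paths are constructed for the example and reuse the placeholder address from the text; the function expects plain path strings and accepts either ‘/’ or ‘\’ separators.

```python
import re
from collections import defaultdict

# Encrypted files end in "[<contact email>].scarab"; the address is captured.
SCARAB_SUFFIX_RE = re.compile(r"\[([^\[\]\s]+@[^\[\]\s]+)\]\.scarab$", re.I)
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"


def scan_paths(paths):
    """Group Scarab indicators by directory for an iterable of path strings."""
    by_dir = defaultdict(lambda: {"encrypted": 0, "emails": set(), "note": False})
    for path in paths:
        directory, _, name = path.replace("\\", "/").rpartition("/")
        entry = by_dir[directory]
        match = SCARAB_SUFFIX_RE.search(name)
        if match:
            entry["encrypted"] += 1
            entry["emails"].add(match.group(1).lower())
        elif name.upper() == RANSOM_NOTE:
            entry["note"] = True
    return dict(by_dir)


def scarab_findings(paths):
    """Keep only directories that show at least one indicator."""
    return {d: e for d, e in scan_paths(paths).items() if e["encrypted"] or e["note"]}


def contact_emails(paths):
    """All distinct contact addresses seen in encrypted-file extensions."""
    emails = set()
    for entry in scan_paths(paths).values():
        emails |= entry["emails"]
    return emails


# Constructed sample listing, not taken from a real infected host.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.[firstname.lastname@example.org].scarab",
    "C:/Users/alice/Documents/budget.xlsx.[firstname.lastname@example.org].scarab",
    "C:/Users/alice/Documents/IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Pictures/IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    "C:/Windows/System32/notepad.exe",
]

if __name__ == "__main__":
    for directory, entry in scarab_findings(SAMPLE_PATHS).items():
        print(directory, entry)
    print("contact addresses:", contact_emails(SAMPLE_PATHS))
```

On a live system you would feed this from `os.walk` over the user profile and mapped shares rather than a fixed list, and treat a note without any encrypted files in the same folder (as in the Pictures directory above) as worth a second look, since it may mean the files were renamed to something the regex does not cover.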
The ransom note also offers to decrypt three files free of charge as proof that decryption works: “Before paying you can send us up to 3 files for free decryption.”