The authors of the well-known Scarab ransomware have developed a new version of their malware called Scarabey, which uses a different distribution method and a different ransom threat in order to ensure ransom payments.
Scarabey ransomware is now targeted at Russian-speaking users, and the attackers use Remote Desktop Protocol to manually infect servers and personal computers. The older version of this ransomware was spread via the Necurs botnet, and its ransom note was written in English and contained many grammatical errors.
“What’s interesting is that when you throw the Scarabey note into Google Translate, it contains the same grammatical errors as the Scarab note. It would then seem quite likely that, since they decided to target Russians, they released the Scarabey note in their native language to cover more victims,” reported the cyber security company Malwarebytes.
The threat used to demand payment has also changed. With Scarab ransomware, the victim was told that the ransom price would rise the longer it took to pay up; with Scarabey, the cyber criminals say they will begin permanently eliminating personal files, 24 files per 24 hours, if payment is not made.
However, there is nothing in the source code to indicate that the hackers are really able to delete files remotely from a victim’s machine.
The files are encrypted using AES256, and because the decryption key changes from file to file, the decryption process is likely impossible.
Malwarebytes experts also disproved some rumours surrounding Scarabey ransomware. This malware doesn’t have the capacity to act as a backdoor, and it wasn’t built on the open source ransomware project named HiddenTear, which is available on GitHub.