The malicious actors behind Scarab ransomware have rolled out a new variant, one that uses a different distribution method and ransom threat in order to infect computers and ensure payment.
On the surface, the first difference between the two is distribution: Scarabey favours Remote Desktop Protocol access, with the payload manually dropped on servers.
The most obvious differentiator is the ransom note. With Scarab the note is written in English, but contains many errors characteristic of text run through an online translator. For the Scarabey note, the authors simply used the original source text from which the Scarab note was translated.
“What's interesting is that when you throw the Scarabey note into Google Translate…it contains the same grammatical errors as the Scarab note,” vhioureas said, adding, “It would then seem quite likely that, since they decided to target Russians, they released the Scarabey note in their native language to cover more victims.”
The threat used to induce payment was also altered. With Scarab the victim is told that the ransom price will rise the longer it takes to pay up; with Scarabey the attacker says they will begin permanently deleting files, 24 files per 24 hours, if payment is not made.
However, vhioureas noted this is a lie: nothing in the code indicates the attacker has in fact copied any files to another location, nor does the code contain any ability to delete files remotely.
“The conclusion here is that the deletion of files or the idea that the malware authors have access to delete files is purely a scare tactic used to urge users into sending money quickly,” he said.
At the code level, one major shift is that while both are written in Delphi, Scarabey lacks the C++ packaging of its predecessor.
The files are encrypted using AES-256, and because the key used to encrypt each file changes from file to file, decryption is likely impossible, vhioureas said.
Malwarebytes' research was also able to disprove several rumors surrounding Scarabey. The ransomware does not have the ability to act as a back door nor is it being built off of the open source ransomware project on GitHub called HiddenTear.