Scarab ransomware was spotted for the first time in June 2017 and had been reappearing with new versions since then. This ransomware is one of the many HiddenTear variants, an open source ransomware Trojan released in 2015. 

The recently discovered versions of ransomware use an improved RSA encryption method and add various extensions to infected files. Scarab ransomware interferes with alternate recovery methods, deleting the Windows Restore points and the Shadow Volume Copies that could be used to restore the affected files to their former states. Decryption without a unique key is impossible. Researchers observed it in multiple campaigns: adversaries send phishing emails to spread the malicious software, in several cases, they rented Necurs botnet for this purpose. 

Multiple variants of the ransomware continue to appear on the threat landscape. The last one has been spotted two weeks ago adding the .cov19 extension for encrypted files. New community threat hunting Sigma rule by Ariel Millahuel helps to uncover fresh samples of Scarab ransomware at the beginning of the encryption process:

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, 

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint


Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)


This week Ariel has published another community rule for ransomware detection. It spots characteristics of AKO Ransomware that is the new ransomware-as-a-service offering under development:


Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Blog, Latest Threats — 2 min read
Eugene Tkachenko