Delaware, USA – November 28, 2017 – The infamous botnet Necurs has recently begun to distribute the new Scarab Ransomware. In the first wave of a spam campaign, the botnet sent over 12 million malicious emails. The attackers used a tactic that was tested in Locky campaigns: the subject of the phishing emails was “Scanned from [Lexmark, Canon, Epson or HP]”, and they contained a 7-zip archive with a VBS macro. The macro downloads Necurs malware, which installs Scarab Ransomware on the infected system. This Ransomware strain appeared several months ago and was not particularly noteworthy before this campaign. One of the distinguishing characteristics of Scarab is the absence of a fixed ransom amount: the attackers offer to contact them via email or Bitmessage, promising that the faster the victim gets in touch, the smaller the ransom they will have to pay.
The Ransomware authors probably just rented the botnet for this campaign, and whether Scarab continues to be distributed this way depends on the success of the current campaign. In mid-October the Necurs loader acquired several new features, such as taking a screenshot and sending it to a remote server, and sending error reports. It is also worth noting that Necurs is used not only for Ransomware distribution; it also spreads various banking trojans. You can detect the beginning of a Ransomware attack and the suspicious activity of the malware downloader before your files are encrypted by using the Ransomware Hunter Advanced SIEM use case for ArcSight and QRadar.
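A mail-gateway style check for the lure described above, as an added example that is not part of the original article or of the SIEM use case it mentions: it flags a message whose subject matches the "Scanned from" pattern and that carries a 7-zip attachment. The function names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Lure from the article: "Scanned from" followed by one of four printer brands.
# \b keeps look-alikes such as "HPE" from matching.
LURE_SUBJECT = re.compile(r"^\s*Scanned from (Lexmark|Canon|Epson|HP)\b", re.IGNORECASE)


def matches_scanned_lure(raw_message: str) -> bool:
    """True when the subject matches the lure and any MIME part is a 7-zip archive."""
    # policy.default decodes RFC 2047 encoded-word subjects and encoded filenames,
    # so a base64-wrapped subject is compared in its decoded form.
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    if not LURE_SUBJECT.search(subject):
        return False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".7z") or part.get_content_type() == "application/x-7z-compressed":
            return True
    return False


def build_sample(subject: str, filename: str) -> str:
    """Constructed test message (not a captured sample) with one attachment."""
    m = EmailMessage()
    m["From"] = "copier@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("Please see the attached scan.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    samples = [
        ("Scanned from Lexmark", "scan_constructed.7z"),
        ("Scanned from HP", "scan_constructed.pdf"),
        ("Quarterly report", "report_constructed.7z"),
    ]
    for subject, filename in samples:
        verdict = "FLAG" if matches_scanned_lure(build_sample(subject, filename)) else "pass"
        print(f"{verdict}  {subject!r}  {filename}")
```

The check looks only at the subject and the attachment name or type; it does not open the archive, so it is a triage signal to combine with other mail and endpoint telemetry.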