Delaware, USA – November 28, 2018 — This month, researchers discovered attacks spreading a new ransomware family. Scroboscope ransomware was created using PHP Devel Studio 3.0 and is distributed as EXE files. It is assumed that the most likely distribution vector is malspam campaigns with malicious attachments, but it is also possible that attackers hack RDP connections and manually install the malware. After infection, Scroboscope Ransomware creates its copies in certain directories, starts several processes, scans the system and deletes shadow copies. After that, it modifies the Windows registry to run at startup and encrypts user data using RC2, adding .N0JJC extension to the encrypted files. Then malware drops ransom note as a text file; attackers suggest contacting them in order to receive instructions for paying ransom in bitcoins and getting a decryptor. For now, it is impossible to decrypt files for free.
Since Scroboscope Ransomware appeared less than a month ago, not all antiviruses are able to detect it on time. Removing shadow copies and the persisting mechanisms prevent files from being restored from backup. To detect such attacks, you can use the Ransomware Hunter rule pack, which leverages statistical profiling and behavioral analysis methods to spot signs of ransomware at every stage of Cyber Kill Chain. Also, you can use VPN Security Monitor to detect signs of abuse or unauthorized access to the RDP connections.