New scarab variant?


This topic is locked
4 replies to this topic

#1 cybervictim
Members, 2 posts

Posted 29 May 2018 - 09:15 AM

Hi,

My friend has been breached; all his files are encrypted and all his backups are encrypted. Luckily I found originals of many of his encrypted files, mainly hardware drivers that he'd downloaded.

I ran the check at https://id-ransomware.malwarehunterteam.com/ and it identified it as Amnesia due to the .amnesia file extension of the encrypted files.

I downloaded and used the Amnesia decrypter but it wouldn't work, so I removed the .amnesia file extension and ran the ID check again. This time it reported that it was the Scarab variant due to "custom_rule: Encrypted size marker [0x00 - 0x08] 0x0450000000000000".

The ID site also said that Scarab is decryptable under some circumstances, but I haven't been able to find more details about that.

I read that Dr Web may have a Scarab decrypter, so I've sent them the ransom note and samples.

I thought it best to post here in case this is a new variant, but it may just be using a different ransom email address. Below is the ransom note:

 

====================================================================================================
                          ______  ______  __  __  _____  _____  _____  ______
                         / _   / /     / /  \/ / /  __/ /  __/ /  __/ / _   /
                        /     / /     / /     / /  _/  /__  / _/ /_  /     /
                        \_/__/  \/_/_/  \/\__/  \___/  \___/  \___/  \_/__/

====================================================================================================

HOW TO DECRYPT YOUR FILES

Your personal ID

 

[deleted]

Your files, documents, photo, databases and all the rest aren't
are ciphered by the most reliable enciphering.
All information about clients and their personal data was uploaded.
You must have no illusion that you can get out of this situation without our help.
You have two choices:
1. Unsuccessful try to decrypt files and lose them along with the business.
2. Or write to us and pay for the decryption keys and back clients files and.
We are not going to destroy your business. We show the problem on real example.
ATTENTION! If you do not contact us within two days, the decryption keys will be destroyed and
we will send some of files to your clients with information about your disability. They will pay
instead of you or we will put all data on the network.
Don't waste time, the cost directly depends on the time of contact with us.
----------------------------------------------------------
You will be able to restore files so:
            
contact us by e-mail: donotwait@protonmail.com
* report your ID and we will switch off any removal of files
(if you don't report your ID identifier within 72 hours, decrypt key will be lost)  
* you send your ID identifier and 2 files, up to 1 MB in size everyone.
   We decipher them, as proof of a possibility of interpretation.
   also you receive the instruction where and how many it is necessary to pay.
             
you pay and confirm payment.
after payment you receive the DECODER program. which you restore ALL YOUR FILES.
            
 ----------------------------------------------------------
  You have 72 hours on payment.
If you don't manage to pay in 72 hours, then the price of interpretation increases twice.
The price increases twice each 72 hours.
To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours.
Address for detailed instructions e-mail: donotwait@protonmail.com
 * If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour.
 * If you try to decipher - you can FOREVER lose your files.
 * Decoders of other users are incompatible with your data as at each user unique key of enciphering

If it is impossible to communicate through mail
 * Be registered on the website http://bitmsg.me (service online of sending Bitmessage)
 * Write the letter to the address BM-2cSnk9AuBSSkTCBStvSZmRVKK6pRa5GoxL with the indication of your mail and
 the personal identifier and we will communicate.
        
 ----------------------------------------------------------
               

If you have no bitcoins
 * Create Bitcoin purse: https://blockchain.info
 * Buy Bitcoin in the convenient way
  https://localbitcoins.com/ (Visa/MasterCard)
  https://www.buybitcoinworldwide.com/ (Visa/MasterCard)
  https://en.wikipedia.org/wiki/Bitcoin (the instruction for beginners)

 - It doesn't make sense to complain of us and to arrange a hysterics.
 - Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.
   Other people at whom computers are also ciphered you deprive of the ONLY hope to decipher. FOREVER.
 - Just contact with us, we will stipulate conditions of interpretation of files and available payment,
   in a friendly situation

====================================================================================================

Please let me know if I can post anything else that may help.

Thanks, Gary.


Edited by cybervictim, 29 May 2018 - 09:32 AM.
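The two identification passes described in the post above (first by the .amnesia extension, then by the byte marker at offsets 0x00-0x08 once the extension was stripped) can be reproduced offline as a bulk triage step. The script below is an added example written for this page; it is not the poster's code and not ID Ransomware's rule engine. It assumes the reported value 0x0450000000000000 is the literal eight-byte sequence at the start of an encrypted file, in file order, and it builds a constructed sample directory rather than using real encrypted files.

```python
import os
import tempfile
from pathlib import Path

# Marker quoted from the ID Ransomware result in the post. Assumption: the hex
# string is the raw byte sequence at file offsets 0x00-0x08, in file order.
SCARAB_MARKER = bytes.fromhex("0450000000000000")
MARKER_LEN = len(SCARAB_MARKER)  # 8


def read_header(path, n=MARKER_LEN):
    """Return the first n bytes of a file (fewer if the file is shorter)."""
    with open(path, "rb") as fh:
        return fh.read(n)


def classify(path):
    """Classify one file by its header, independent of its extension.

    Returns a (verdict, extension) tuple so the caller can see when the
    extension and the header disagree, which is exactly the situation in the
    post: a .amnesia extension but a Scarab-style header.
    """
    ext = Path(path).suffix.lower()
    if read_header(path) == SCARAB_MARKER:
        return "scarab-marker", ext
    return "no-marker", ext


def scan_tree(root):
    """Walk a directory and classify every regular file.

    Keys are paths relative to root; values are classify() results.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results


def build_sample_tree():
    """Create constructed sample files (not real encrypted data) for a demo run."""
    root = tempfile.mkdtemp(prefix="scarab_triage_demo_")
    # Encrypted-looking file still carrying the .amnesia extension.
    Path(root, "driver.exe.amnesia").write_bytes(SCARAB_MARKER + b"\x00" * 64)
    # The same content after the extension was stripped, as the poster did;
    # the header still identifies it.
    Path(root, "driver.exe").write_bytes(SCARAB_MARKER + b"\x00" * 64)
    # An untouched Windows executable starts with the 'MZ' DOS header.
    Path(root, "setup.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 64)
    # Extension matches but header does not: extension alone is not proof.
    Path(root, "notes.txt.amnesia").write_bytes(b"plain text, no marker")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, (verdict, ext) in sorted(scan_tree(demo_root).items()):
        print(f"{rel:24s} ext={ext:10s} {verdict}")
```

Point it at a real tree by calling scan_tree() on the affected directory instead of build_sample_tree(). A header match is a strong local signal that a file belongs to this family, but the upload to ID Ransomware remains the authoritative check; the script is meant for quickly separating files that carry the marker from files that were merely renamed or never touched, which is the same distinction the poster hit when the extension and the header pointed at different families.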


#2 Demonslay335
Ransomware Hunter, Security Colleague, 3,589 posts, USA

Posted 29 May 2018 - 09:37 AM

I've updated false-positive detections for the older Amnesia. The file marker confirms it is Scarab for sure. That whole family has jumped around extensions and such, so it can be confusing.

Dr. Web would be your best bet.


#3 Emmanuel_ADC-Soft
Members, 414 posts, Paris

Posted 29 May 2018 - 10:02 AM

Hello,

This is the .amnesia Scarab Ransomware.

You can have a look at the forum topic about the Scarab ransomware here, and the Amigo-A Digest about ransomware.

Regards,

Emmanuel emte@adc-soft.com
#4 cybervictim (Topic Starter)
Members, 2 posts

Posted 29 May 2018 - 10:41 AM

Thanks very much for the info.



#5 quietman7
Bleepin' Janitor, Global Moderator, 52,067 posts, Virginia, USA

Posted 29 May 2018 - 06:07 PM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any further questions, comments or requests for assistance in the Scarab Ransomware Support topic linked above by Emmanuel_ADC-Soft.

To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
