A new version of the Scarab ransomware has been spotted in the wild, but instead of being distributed via email spam campaigns, crooks are brute-forcing computers with weakly-secured RDP connections and are installing the ransomware manually on each system.
Codenamed Scarabey, this new threat is "byte-for-byte identical" with the old Scarab ransomware, according to a Malwarebytes report published earlier this week.
There are two main differences between the two versions. First, Scarab is written in Visual C compiled, while Scarabey is written in Delphi, but without the C++ packaging.
Second, Scarab's ransom note is written in English, while Scarabey ransom note is in Russian. The presence of only a Russian ransom note in Scarabey suggests the Scarab group intends to go after Russian-speaking targets only, at least for the time being.
Despite being written in different languages, the two ransom notes are an important clue that links the two ransomware strains together:
In the Scarab sample, the ransom note is written in English, however, it reads as if you translated word-for-word a Russian text into English, without knowing proper English grammar or syntax. Scarabey, on the other hand, is written in Russian. What’s interesting is that when you throw the Scarabey note into Google Translate, [...], it contains the same grammatical errors as the Scarab note.
The third major difference between the two is that unlike Scarab, which tells victims the ransom fee will increase after a certain period of time, Scarabey tells victims it will delete 24 files after every 24 hours until there are no more files left.
The file deletion does not take place, which is a detail that victims should take into consideration when dealing with such an infection. But victims should also know that despite claiming "we have copies of them," the Scarabey ransomware does not actually create backups of any files. It just encrypts them.
Like Scarab, Scarabey continues to use the .scarab extension for encrypted files.
Most evidence suggests the Scarab crew created Scarabey as a tool to target Russian businesses. RDP-manually installed ransomware is nothing new, and most such threats are never used on a large scale, but only against carefully selected targets that can pay higher ransom demands.
Since computers with open RDP ports are mainly encountered in corporate environments and used for remote systems administrations, it is safe to say Scarabey has been created to go after businesses primarily.
The Scarab ransomware was first discovered last June and entered mass-distribution in November when it was seen as part of a massive email spam campaign sent by the Necurs botnet. It's safe to assume that at one point or another, we'll see Scarabey deployed against a global target base. Companies silll have time to review their RDP policies.
Scarabey joins a long list of ransomware strains that have been purposely created to be spread via RDP manual installs. Previous RDP-distributed strains include the likes of LockCrypt, SynAck, Bit Paymer, RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA, and Globe.
A technical write-up detailing Scarabey's encryption process is included in Malwarebytes' report here.