Necurs botnet pushes Scarab ransomware

Forcepoint security researchers have spotted a massive email cyber campaign that uses the infamous Necurs botnet to push new ransomware dubbed “Scarab“.

The campaign kicked off on Thursday and totaled 12.5 million emails that were captured as of the writing of the Forcepoint report

The email uses a similar theme used in Locky ransomware campaign distributed by Necurs – to include the subject line “Scanned from {printer company name}” and a 7Zip attachment that contains a VBScript downloader.

Once a user clicks on the attachment, the ransomware payload Scarab is installed and proceeds to encrypt the victim’s files and adds the extension “.[suupport@protonmail.com].scarab” along with a ransom note on how victims can get their files back.

Note the word support was also misspelled due to possible availability of email addresses. 

Leave a Reply

Close Menu