Security researchers are warning of a major new ransomware campaign using the infamous Necurs botnet to spread via millions of spam emails.
First spotted on November 23, the Scarab ransomware is being sent primarily to .com addresses, followed by co.uk inboxes. It was sent to 12.5 million email addresses in the first four hours alone, according to Forcepoint.
The unsolicited emails in question come with the well-worn “Scanned from {printer company name}” subject line and contain a 7zip attachment with a VBScript downloader.
The download domains used in the campaign are recognizable from their use in previous Necurs-based attacks, the vendor claimed.
“Once installed [the ransomware] proceeds to encrypt files, adding the extension ‘.[suupport@protonmail.com].scarab’ to affected files. A ransom note with the filename ‘IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT’ is dropped within each affected directory. The misspelling of ‘support’ is present in both the modified filenames and the ransom note, and is presumably a result of the availability of email addresses on the Protonmail service,” Forcepoint explained.
“Unusually, the note does not specify the amount being demanded, instead simply stating that ‘the price depends on how fast you write to us’. This note is also automatically opened by the malware after execution.”
Although payment is required in Bitcoins, email is set as the primary communication mechanism. This was the case with NotPetya earlier in the year, but as Forcepoint explains, it can be an unreliable tactic if providers move quickly to shut the domain down. That’s why an alternative BitMessage contact is also given.
Forcepoint explained that using large botnets like Necurs can give smaller ransomware actors the global reach they need to punch above their weight.
“It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns,” it concluded.
Fortunately, despite its wide distribution, Scarab is detected by most anti-malware vendors, according to Chris Doman, security researcher at AlienVault.
“Scarab looks less sophisticated than some other ransomware like Locky, and the usage of an e-mail based ransom payment system is very simple in contrast to its wide distribution,” he added.