New variant of Scarab ransomware threatens to shred 24 documents every day until you pay

Pay up or the documents get it, threatens new Russian ransomware

Security researchers have discovered a new variant of the Scarab ransomware, which threatens to delete 24 documents every 24 hours from victims' PCs unless - or until - they pay the ransom.

In June 2017, security researchers identified the cryptocurrency ransomware, but it has since gone on to generate new variants, making it even more potent.

According to Malwarebytes, the most widespread version of Scarab tapped into the Necurs botnet and were written in Visual C. But in December 2017, they found a new version that's using an alternative payload code.

Dubbed Scarabey, the ransomware encrypts files before demanding a hefty Bitcoin sum. However, hackers are not distributing it via Necurs, which has something of a "heritage" in spam.

The malicious code is written in Delphi without the C++ packaging that Scarab has and the content and language of the ransom notes are different

"Instead of being distributed via Necurs malspam like the original Scarab, Scarabey was found targeting Russian users and being distributed via RDP/manual dropping on servers and systems," claimed Malwarebytes in a Threat Analysis.

"In addition, Scarabey seems to not be packed in any samples we have come across. The malicious code is written in Delphi without the C++ packaging that Scarab has and the content and language of the ransom notes are different for each," said the firm.

Another major difference is the language of the ransom note and the encryption message tactic. The ransom note for Scarab is translated into English, but has poor English grammar and syntax.

Scarabey, though, is written completely written in Russian. "What's interesting is that when you throw the Scarabey note into Google translate, it contains the same grammatical errors as the [original] Scarab note," said Malwarebytes.

"This is more proof that that the authors of Scarab are likely Russian speakers who had written the note in their native language and run it through a translator to be added into the Scarab code.

When you throw the Scarabey note into Google translate, it contains the same grammatical errors as the Scarab note

"It would then seem quite likely that, since they decided to target Russians, they released the Scarabey note in their native language to cover more victims."

The original version of Scarab warns victims that the longer they wait, the higher the price will go. Scarabey tells users that they will lose more files for every day that they refuse to pay the ransom. However, the malware doesn't provide any backdoor access making this threat questionable.

"Essentially, the criminals are implying that they have copies of the unencrypted files to give back to the user, or that they have control of the victim computer to delete files," explained Malwarebytes.

"The conclusion here is that the deletion of files or the idea that the malware authors have access to delete files is purely a scare tactic used to urge users into sending money quickly."

Aside from the linguistic elements of the ransomware, Malwarebytes said these variants are "almost byte-for-byte identical".