Security experts have recently discovered a new version of the Scarab ransomware. What is unique about this version is that it does not spread through e-mail. Instead, the criminals brute-force weakly secured RDP connections and install the ransomware manually on the systems they gain access to.
The new version of Scarab is codenamed Scarabey. According to a report by Malwarebytes, this latest incarnation of the malicious code is the same size as the older version, which was released on June 13 last year. However, security experts have spotted several major differences.
Differences Between Scarabey and Scarab Ransomware
Scarabey is written in Russian, unlike the previous version, which was written in English. This suggests that the new ransomware targets Russian corporations. Another difference is that Scarabey was compiled with Delphi, while the previous version was compiled with Visual C.
Lastly, Scarabey uses a new tactic to intimidate its victims. The ransom note tells them that if the ransom is not paid, the malware will delete 24 files every 24 hours until the hard drive has been completely wiped. The previous version, by contrast, told victims that the ransom fee would increase if it was not paid within a certain period.
So, how were the security experts able to link the two?
The clue lies in the ransom notes and the modus operandi of the two ransomware variants.
A Close Look at the Incriminating Evidence
The Russian ransom note of Scarabey is an exact translation of the previous note written in English. The original note contained glaring grammatical errors, and the same mistakes appear when the Russian note is run through Google Translate.
This is clear proof that the latest ransomware is a variant of the Scarab ransomware.
Also like the previous version, the Trojan does not actually delete files as the ransom note claims. Nor does it create any backup of the files; it simply encrypts them. The encrypted files receive the .scarab extension, as in the previous version.
Made to Blackmail Russian Businessmen
Experts say that the new version of Scarab ransomware was created solely to blackmail Russian businessmen. They say it poses a threat to a small segment and cannot be deployed on a large scale the way WannaCry and other ransomware families that wreaked havoc globally were.
The ransomware targets computers with open RDP ports, which are mainly found at the enterprise level. These ports are used for remote administration of systems and are not used by many enterprises in the Western bloc.
Scarab ransomware was released in June last year and spread on a large scale through an e-mail campaign. That mass-distribution campaign was launched about five months after the initial release, which means we could see mass distribution of this new variant in the coming months.
Companies should protect their systems from the latest threat by reviewing their existing RDP policies and taking active measures to secure systems against the Trojan. Making regular backups of critical files is essential to limit the damage if a system is hijacked by ransomware.
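One way to act on that advice on the detection side, as an added example that is not code from the article or from Malwarebytes: count failed remote-interactive logons per source address from Windows Security log records (event 4625, logon type 10) and flag any source that then logs in successfully (event 4624). The threshold, window, timestamps and addresses below are constructed for the example.

```python
# Added example, not code from the article or from Malwarebytes: flag RDP
# brute-force attempts by counting failed remote-interactive logons (Windows
# Security event 4625, logon type 10) per source address in a sliding window,
# then report any successful RDP logon (4624, type 10) from a flagged source.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records with the fields a SIEM would extract from the
# Security log; times, addresses and user names are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2018-01-10T03:00:01", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2018-01-10T03:00:08", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2018-01-10T03:00:15", "event_id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "admin"},
    {"time": "2018-01-10T03:00:22", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2018-01-10T03:00:30", "event_id": 4625, "logon_type": 10, "src": "198.51.100.4", "user": "jsmith"},
    {"time": "2018-01-10T03:00:35", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "support"},
    {"time": "2018-01-10T03:00:41", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "scanner"},
    {"time": "2018-01-10T03:00:50", "event_id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "scanner"},
    {"time": "2018-01-10T03:09:00", "event_id": 4625, "logon_type": 10, "src": "198.51.100.4", "user": "jsmith"},
]

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map each source IP to the time its failed RDP logons first reached
    `threshold` within any `window`-long span."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = {}
    for ev in sorted(events, key=_ts):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue  # only failed remote-interactive (RDP) logons count
        t = _ts(ev)
        q = recent[ev["src"]]
        q.append(t)
        while t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = t
    return alerts

def successes_after_alert(events, alerts):
    """Successful RDP logons (4624, type 10) from a flagged source at or after
    the moment it was flagged: the strongest sign that a guess worked."""
    return [(ev["src"], ev["user"], ev["time"]) for ev in sorted(events, key=_ts)
            if ev["event_id"] == 4624 and ev["logon_type"] == 10
            and ev["src"] in alerts and _ts(ev) >= alerts[ev["src"]]]

if __name__ == "__main__":
    hits = detect_rdp_bruteforce(SAMPLE_EVENTS)
    print(hits, successes_after_alert(SAMPLE_EVENTS, hits))
```

A network-type failure (logon type 3) and a second source with only two spread-out failures are included so the filter and the window can be seen doing their job.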