Scarab Ransomware

What is Scarab Ransomware?

Scarab Ransomware is a vicious file-encrypting malware since it not only encrypts your valuable data with a secure cryptosystem but also deletes shadow copies. As a result, all the affected files become unusable, and without the shadow copies, it becomes impossible to restore them. On top of that the user should receive a ransom note saying there is a decryption key, which could restore encrypted files, but to get it you would have to pay a ransom. Needless to say, by paying the ransom, you would fund the cyber criminals behind Scarab Ransomware, and because there are no guarantees you will get this decryption key it is entirely possible you could lose the transferred money completely in vain. Therefore, instead of contacting the threat’s creators, we advise you to concentrate on the infection’s removal. The instructions placed below will tell where the malicious files could be and show you how to erase them too.

Where does Scarab Ransomware come from?

In some cases, threats like Scarab Ransomware are distributed through infected email attachments, malicious software installers, fake updates, and so on. Thus, the computer gets infected after the user opens the malware’s launcher himself. However, our researchers at Anti-spyware-101.com report that this time the cyber criminals could be infecting their victims’ computers themselves by exploiting insecure RDP connections. It means the hacker may get access to the targeted system, drop the malicious application’s launcher and open it without the user noticing anything. If you believe this might have happened in your case, we advise you to find your system’s vulnerabilities and eliminate them as soon as possible.

How does Scarab Ransomware work?

The moment your computer gets infected the malware should create a copy of its launcher in the %APPDATA% folder, for example, the sample our researchers tested dropped an executable file named sevnz.exe. Afterward, the malicious application may add a Registry entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce directory. Its value name should be a CLSID type title (e.g. {45E73A27-D16C-4EDB-ADE8-0C069E54AF30}). Besides these files, Scarab Ransomware should also place a ransom note in the %USERPROFILE% directory and create another Registry entry with a CLSID type value name in the already mentioned path. In addition, the malware might create more ransom note’s copies in folders where it encrypts your data, but this should happen only after the encryption process comes to an end.

Furthermore, files that get locked should be marked by a particular extension called .[resque@plague.desi].scarab (e.g. picture.jpg.[resque@plague.desi].scarab). According to the ransom note, they can be unlocked with a unique decryption key, but to get it the cyber criminals demand to contact them for further instructions. Apparently, they wish to receive a payment in Bitcoins. Just as we said in the first paragraph, your files might remain encrypted even if you pay the ransom; the difference is that in such case you would lose transferred money in addition to locked data.

How to erase Scarab Ransomware?

Some of the malware’s data is supposed to be deleted automatically, but the malicious application could be updated with time, and it may start acting differently. Consequently, it is advisable to check all locations where Scarab Ransomware placed its data after the computer got infected. The instructions available below this paragraph should help you find these directories and get rid of suspicious data. If this process seems a bit complicated to you even while following our provided steps we recommend getting a legitimate antimalware tool instead. After it is installed, the user should launch the tool and start a system scan. Give it some time to scan your computer, and when it is done you could erase all located threats at the same time with one mouse click.

Remove Scarab Ransomware

1. Tap Windows key+E.
2. Check the given folders one by one:
   %TEMP%
   %APPDATA%
   %USERPROFILE%\desktop
   %USERPROFILE%\downloads
3. Look for files belonging to the infection, then right-click them and press Delete.
4. Navigate to %USERPROFILE% again and erase the text file called IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT by right-clicking it and selecting Delete.
5. Then remove the rest of ransom notes and close your File Explorer.
6. Empty Recycle bin.
7. Restart the system. Download Removal Tool100% FREE spyware scan and
   tested removal of Scarab Ransomware*