Scarab

Scarab is a ransomware strain that encrypts files and locks access until a ransom is paid. Victims typically receive a text file with instructions on contacting the attackers, often requiring payment in Bitcoin. Without the decryption key, recovery is nearly impossible. Similar to ransomware families like ElmersGlue and GlobeImposter, Scarab demonstrates both widespread and targeted attack methods, constantly evolving to breach defenses.

Key Insights

Scarab first appeared in 2017 and gained traction through the Necurs botnet, one of the largest spam distribution networks at the time. The ransomware reached millions of users globally, often delivered via malicious email attachments. These emails disguised their payload as legitimate files, luring victims into enabling the encryption process. Once executed, Scarab appended extensions like '.scarab' to encrypted files and left a ransom note detailing payment instructions.
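As an added example (not code from the page or from any vendor tooling), the following triage script checks a directory tree for the two on-host indicators described above: files carrying the appended '.scarab' extension and a dropped text-file ransom note. The note keywords, the sample file names and the alert threshold are assumptions; the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# Extension the page reports Scarab appending to encrypted files.
SCARAB_EXTENSIONS = {".scarab"}
# Assumption: a note is a .txt file that mentions both decryption and Bitcoin,
# matching the page's description of the instructions victims receive.
NOTE_KEYWORDS = ("decrypt", "bitcoin")
# Assumption: flag the tree if any note is found or >=10% of files are renamed.
ALERT_RATIO = 0.10


def scan_tree(root):
    """Walk `root` and return Scarab-style indicators: renamed files,
    candidate ransom notes, the share of renamed files, and an alert flag."""
    encrypted, notes, total = [], [], 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        total += 1
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in SCARAB_EXTENSIONS:
            encrypted.append(rel)
        elif path.suffix.lower() == ".txt":
            try:
                text = path.read_text(errors="ignore").lower()
            except OSError:
                continue  # unreadable note candidate: skip, do not crash triage
            if all(k in text for k in NOTE_KEYWORDS):
                notes.append(rel)
    ratio = len(encrypted) / total if total else 0.0
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "total": total, "ratio": ratio,
            "alert": bool(notes) or ratio >= ALERT_RATIO}


def build_sample_tree():
    """Constructed sample: a scratch directory mimicking a partly encrypted share."""
    root = tempfile.mkdtemp(prefix="scarab_demo_")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "report.docx.scarab").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.scarab").write_bytes(b"\x00" * 16)
    (docs / "readme.txt").write_text("Project notes, nothing unusual here.")
    (Path(root) / "RANSOM_NOTE_SAMPLE.txt").write_text(
        "Your files are encrypted. To decrypt them, pay in Bitcoin and email us.")
    (Path(root) / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```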

Transition to Targeted Attacks

Over time, Scarab transitioned to more targeted strategies, evidenced by variants like Scarabey. This version specifically exploited Remote Desktop Protocol (RDP) vulnerabilities to infect systems in Russia. Scarabey also introduced a more aggressive tactic, threatening to delete encrypted files gradually unless victims paid promptly. This demonstrated Scarab’s adaptability, evolving from mass infections to precision-focused campaigns.

Deployment by Advanced Threat Groups

More recently, Scarab has been associated with the CosmicBeetle group, which employs the Spacecolon toolkit to distribute ransomware. This toolkit exploits weak RDP credentials and vulnerable servers to spread Scarab variants across industries. Victims span sectors such as healthcare, education, and government, underscoring its global reach and versatility in attacking different targets.

Known Variants

  • Scarabey: A variant focused on Russian users, leveraging RDP attacks to infiltrate systems.

  • ScRansom: Shares many characteristics with Scarab and is distributed through the Spacecolon toolkit.

  • GlobeImposter: Exhibits similar encryption techniques and ransom delivery mechanisms.

Mitigation Strategies

  • Regularly update software and apply security patches to close vulnerabilities.

  • Enforce strong passwords and enable multi-factor authentication on all accounts.

  • Maintain offline backups of critical systems and test recovery processes.

  • Train employees to identify phishing emails and suspicious file attachments.

Targeted Industries or Sectors

  • Healthcare: Hospitals and private practices are frequent targets.

  • Government: Local, state, and national agencies face significant risks.

  • Education: Universities and schools have been impacted by Scarab attacks.

  • Hospitality: Hotels, resorts, and travel companies are often targeted.

  • Insurance: Brokers and companies handling sensitive financial data.

Associated Threat Actors

  • CosmicBeetle: Operators using the Spacecolon toolkit for ransomware deployment.

  • Scarab APT: Believed to be an advanced persistent threat group active since at least 2012.