Scarab ransomware is distributed to targets through phishing emails being served by the Necurs botnet. The malicious code arrives disguised as a scanned image or similarly plausible file attachment. Its goal: to entice unsuspecting targets to click the file and trigger the attack.
VIDEO: Cylance vs. Scarab Ransomware
Within the attachment lies a VBS downloader which is used to download the ransomware payload.
Scarab nests in the system registry where it hides from traditional security software. It launches a Microsoft HTA application which then executes a script that hooks Scarab into the following Windows registry key:
Figure 2: mshta.exe executes a script that hooks Scarab into HKEY_LOCAL_MACHINE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
After hooking itself into the Windows registry, Scarab calls another script to erase its tracks. It uses the same trick, launching a Microsoft HTA application which executes the script:
Figure 3: One simple call to DeleteFile and this culprit will be well hidden in your infrastructure
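The two mshta.exe launches described above leave a trace in process-creation logs. The following detection sketch is an added example, not code from the original post or from Cylance: it flags mshta.exe command lines that carry inline script touching a RunOnce key or calling DeleteFile. The event fields (`host`, `image`, `command_line`), the severity rule and the sample events are assumptions, and the sample script bodies are elided placeholders rather than Scarab's actual commands.

```python
import re

# mshta.exe runs script passed on its command line through these protocol handlers.
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)
# The two behaviours the write-up attributes to Scarab's mshta launches.
BEHAVIOURS = {
    "runonce_persistence": re.compile(r"currentversion\\+runonce", re.I),
    "self_delete": re.compile(r"\bDeleteFile\b", re.I),
}

def classify(event):
    """Findings for one process-creation event; only mshta.exe is examined."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image != "mshta.exe":
        return set()
    cmd = event["command_line"]
    found = {name for name, rx in BEHAVIOURS.items() if rx.search(cmd)}
    if INLINE_SCRIPT.search(cmd):
        found.add("inline_script")
    return found

def triage(events):
    """Merge findings per host and rate them: inline script plus a behaviour is high."""
    per_host = {}
    for ev in events:
        found = classify(ev)
        if found:
            per_host.setdefault(ev["host"], set()).update(found)
    return {
        host: ("high" if "inline_script" in f and len(f) > 1 else "medium", sorted(f))
        for host, f in per_host.items()
    }

MSHTA = r"C:\Windows\System32\mshta.exe"
# Constructed sample events; script bodies are elided and are not Scarab's real commands.
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": MSHTA,
     "command_line": r"mshta.exe javascript:<elided>RegWrite('HKLM\\...\\CurrentVersion\\RunOnce\\<name>','<path>')<elided>"},
    {"host": "WS-01", "image": MSHTA,
     "command_line": r"mshta.exe javascript:<elided>DeleteFile('<path>')<elided>"},
    {"host": "WS-02", "image": MSHTA,
     "command_line": r"mshta.exe C:\Apps\Helpdesk\form.hta"},
    {"host": "WS-03", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"},
]

if __name__ == "__main__":
    for host, (severity, findings) in triage(SAMPLE_EVENTS).items():
        print(host, severity, ", ".join(findings))
```

Only WS-01 is reported: mshta.exe opening a local .hta file and reg.exe querying the RunOnce key produce no findings.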
Once embedded in your system, Scarab goes on the offensive. It crawls through the target system, encrypting personal files and appending support(at)protonmail(dot)com(dot)scarab to their names.
The following ransom note displays once the files are hostage:
Figure 4: If you see this note, SCARAB has won.
With Script Control enabled, CylancePROTECT prevents the VBS downloader script from downloading the payload, as seen below:
Figure 5: Scarab never had a chance against CylancePROTECT.
Even without Script Control enabled, the payload - should it find its way into the environment - is quarantined prior to execution:
Malware Harvesting Websites: