
Over the US Thanksgiving holiday, PhishMe Intelligence observed a recent ransomware campaign, Scarab, that shares some similarities in behavior and distribution with Locky. In this campaign, Scarab was delivered by the Necurs botnet, which made headlines for distributing Locky, one of the most prolific ransomware families of 2016 and 2017. Like Locky, Scarab can encrypt targets via both online and offline encryption.
Scarab differs from Locky in two notable ways. First, Scarab does not present a ransom amount with its encryption message; instead, it gives victims instructions for negotiating with the operators. Second, Scarab reports newly infected machines via a service that collects click statistics on opened or viewed artifacts, as opposed to using command and control resources as Locky does.
The Scarab ransomware is deployed when the victim executes an initial VBScript application, directing victim machines to payload websites from...(continued)