Bitcoin Ransomware Email Campaign Hits Over 12.5 Million Users

Crime, News | November 28, 2017

Cybersecurity firm Forcepoint has warned of a new major ransomware campaign called “Scarab.” The campaign used a botnet known as Necurs, one of the biggest computer botnets in the world, to spread out more than 12.5 million emails containing the ransomware.

A botnet is a collection of Internet-connected devices, which may include computers, servers, mobile devices and Internet of Things (IoT) devices, that are infected with and controlled by a common family of malware. Botnets can be used to launch distributed denial-of-service (DDoS) attacks, steal data, send spam, and give the attacker access to each device and its network connection.

The Scarab campaign started on November 23 and within its first six hours had circulated millions of ransomware emails, peaking at more than two million emails per hour. The majority of the traffic was sent to the .com top-level domain (TLD), followed by the region-specific TLDs for the United Kingdom, Australia, France, and Germany.

Forcepoint said the emails use the subject “Scanned from {printer company name}” and carry a 7zip attachment containing a VBScript downloader. The VBScript contains a number of Game of Thrones references, in particular the strings “Samwell” and “JohnSnow”. Once the attached 7zip archive is opened and the VBS file runs, it downloads the latest version of the Scarab ransomware, which then encrypts all the files on the target computer.

After encryption finishes, the malware automatically opens a ransom note on the victim’s desktop instructing the victim how to pay for the decryption key. Scarab demands payment in bitcoin but does not specify an amount, stating instead that “the price depends on how fast you write to us.” Payment is arranged over email, with a secondary contact mechanism via BitMessage should the email address become unavailable.

“Once installed, it proceeds to encrypt files, adding the extension ‘.[suupport@protonmail.com].scarab’ to affected files,” Forcepoint said. “A ransom note with the filename ‘IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT’ (Figure 5, below) is dropped within each affected directory. The misspelling of ‘support’ is present in both the modified filenames and the ransom note, and is presumably a result of the availability of email addresses on the Protonmail service.”
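A defender-side triage check built on the two file-system indicators Forcepoint describes above (the appended extension and the ransom-note filename), added here as an example; it is not Forcepoint's or the article's code. The regex accepts any contact address between the brackets, which is an assumption for covering variants rather than something the article states, and the sample paths are constructed.

```python
import os
import re
from collections import defaultdict

# File-system indicators quoted in the article. The capture group accepts any
# address between the brackets (assumption: other variants may use a different
# contact address); the article itself only names suupport@protonmail.com.
SCARAB_EXT_RE = re.compile(r"\.\[([^\[\]/\\]+@[^\[\]/\\]+)\]\.scarab$", re.IGNORECASE)
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"

def classify_path(path):
    """Return 'note', 'encrypted' or None for one file path."""
    name = os.path.basename(path)
    if name.upper() == RANSOM_NOTE:
        return "note"
    if SCARAB_EXT_RE.search(name):
        return "encrypted"
    return None

def triage(paths):
    """Group indicators by directory: note present, renamed files, contact addresses."""
    report = defaultdict(lambda: {"note": False, "encrypted": [], "contacts": set()})
    for path in paths:
        kind = classify_path(path)
        if kind is None:
            continue
        entry = report[os.path.dirname(path) or "."]
        if kind == "note":
            entry["note"] = True
        else:
            name = os.path.basename(path)
            entry["encrypted"].append(name)
            entry["contacts"].add(SCARAB_EXT_RE.search(name).group(1).lower())
    return dict(report)

def triage_tree(root):
    """Walk a real directory tree (e.g. a mounted disk image) and hand every path to triage()."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)

# Constructed sample paths for an offline run; not taken from a real infection.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx.[suupport@protonmail.com].scarab",
    "C:/Users/alice/Documents/IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Pictures/holiday.jpg.[suupport@protonmail.com].scarab",
    "C:/Users/alice/Pictures/readme.scarab",  # no bracketed address: not matched
]

if __name__ == "__main__":
    for directory, entry in sorted(triage(SAMPLE_PATHS).items()):
        print(directory, "note" if entry["note"] else "no note", len(entry["encrypted"]), sorted(entry["contacts"]))
```

A directory that holds renamed files but no note, or a note but no renamed files, is worth a closer look, since the article states the note is dropped in every affected directory.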

Back in May, the WannaCry ransomware shut down hospitals, telecom providers, and many businesses worldwide, infecting an estimated 200,000 computers in more than 150 countries, encrypting files and then charging victims $300-$600 in bitcoin to decrypt the files. WannaCry made $140,000 in bitcoins from the victims who paid for the decryption keys.

In August, Locky ransomware was sent out in more than 23 million malware-laden emails in just 24 hours across the United States, making it one of the largest malware campaigns of the second half of the year. The ransomware demanded 0.5 bitcoin from victims to pay for a “Locky decryptor” in order to get their files back.