This week, cyber security experts have received reports of yet another ransomware called Scarab. This virus spreads via spam emails and malware files and appends the .scarab extension to encrypted files. There are currently other versions of Scarab ransomware as well. These variants can add the following extensions to encrypted files:
- .[unlocking.guarantee@aol.com]
- .xmail@cock.li
- .[suupport@protonmail.com].scarab
- .[Help-Mails@Ya.Ru].Scorpio
- .please
- .walker
- .osk
- .infovip@airmail.cc
- .fastrecovery@xmpp.jp
- .oneway
- .bomber
- .fastsupport@xmpp.jp
- .[resque@plague.desi].scarab
What is Scarab ransomware?
Scarab ransomware is a variant of crypto viruses. It affects all current versions of Microsoft Windows OS, such as Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This virus uses a strong encryption method to eliminate the possibility of brute-forcing a key that would decrypt the encrypted photos, documents and music. The Scarab ransomware encrypts almost all files, including common ones such as:
.7z, .xwp, .wmd, .w3x, .wpa, .sav, .syncdb, .dwg, .rar, .ai, .1st, .pptm, .xlsm, .wpe, .bar, .sidd, .wire, .psd, .pem, .crt, .ntl, .wsc, .raw, .sis, .ods, .ws, .upk, .flv, .t12, .tor, .sum, .avi, .bay, .pef, .m3u, .wbc, .rim, .docm, .3fr, .gho, .der, .arw, .asset, .1, .png, .wma, .xbdoc, .dazip, .wpg, .jpe, .esm, .wma, .cdr, .lbf, .xbplate, .apk, .xdb, .wmf, .epk, .tax, .dba, .xls, .z, .pst, .dcr, .qdf, .vpp_pc, .xlsx, .wot, .rb, .kdc, .srf, .pdd, .icxs, .fsh, .xf, .vcf, .itl, .mov, .md, .data, .bik, .sidn, .mpqge, .fos, .p7b, .wdp, .py, .iwd, .cr2, .sql, .txt, .xmind, .wb2, .sb, .db0, .das, .raf, .xyp, .mp4, .m2, .css, .ptx, .wcf, .dbf, .xlsm, .layout, .wbk, .dxg, .xll, .iwi, .forge, .qic, .xls, .zif, .wav, .re4, .orf, .3ds, .wpd, .erf, .wpd, .psk, .cas, .mcmeta, .webp, .wp5, .bkf, .itm, .bc7, .wpt, .wpw, .wmv, .bsa, .lrf, .pfx, .rw2, .rgss3a, .zip, .rofl, .xlsb, .xx, .bc6, .mrwref, .wp4, .0, .pak, .xy3, .menu, .wdb, .csv, .zw, .p12, .blob, .pdf, .3dm, .itdb, .sr2, .r3d, .accdb, .ztmp, .ybk, .srw, .yml, .arch00, .wbd, .crw, .x, .ibank, .vdf, .odc, .xld, .xlk, .xar, .ncf, .xlsx, .sid, .zi, .wps, .kf, .wps, .cfr, .vpk, .doc, .zabw, .odp, .wsd, .wp6, .svg, .indd, .mdf, .mdbackup, .kdb, .wm, .eps, .mlx, .zip, .x3f, .xdl, .xpm, .wsh, .desc, .xml, .2bp, .rwl, .slm, .xyw, .hkx, .x3f, .d3dbsp, .jpeg, .xlgc, .vfs0, .hplg, .wmo, .ltx, .vtf, .nrw, .zdb, .lvl, .xxx, .map, .m4a, .ppt, .webdoc, .rtf, .zdc, .sie, .wbz, .snx, .dng, .wp7, .big, .x3d, .pptx, .wp, .mdb, .wn, .jpg, .y, .bkp, .js, .ysp, .wpl, .cer, .wgz, wallet, .ff, .lite, .mod, .wri, .pkpass, .wot, .replay, .gdb, .hvpl, .fpk, .hkdb, .odm, .wbm, .z3d, .p7c, .wmv, .dmp, .wbmp, .yal, .t13, .odt
When encrypting a file, it adds the .scarab extension (or another extension) to each encrypted file name to mark the file as encrypted. For example, a file named sample.doc would be encrypted and renamed to sample.doc.scarab. Once the process is finished, it drops a file with a ransom demand message. It includes instructions on how to purchase a private key to decrypt all files. You can see one of the variants of the ransom demand message below:
*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: suupport@protonmail.com
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).
The ransom demand message tells the victim to contact Scarab’s developers in order to decrypt all documents, photos and music. They demand a ransom (usually $300-1000 in Bitcoins).
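To scope an infection, the renaming behaviour and the extension list above can be turned into a read-only scan. The following is an added example, not code from the original guide; the function names are hypothetical, and it only matches file names against the suffixes listed on this page.

```python
import os
from collections import Counter

# Appended extensions listed on this page; longest first so that
# ".[suupport@protonmail.com].scarab" wins over plain ".scarab".
SCARAB_SUFFIXES = sorted((s.lower() for s in [
    ".scarab", ".[unlocking.guarantee@aol.com]", ".xmail@cock.li",
    ".[suupport@protonmail.com].scarab", ".[Help-Mails@Ya.Ru].Scorpio",
    ".please", ".walker", ".osk", ".infovip@airmail.cc",
    ".fastrecovery@xmpp.jp", ".oneway", ".bomber", ".fastsupport@xmpp.jp",
    ".[resque@plague.desi].scarab",
]), key=len, reverse=True)


def match_suffix(filename):
    """Return (original_name, suffix) if filename carries a listed suffix."""
    lower = filename.lower()
    for suffix in SCARAB_SUFFIXES:
        # Require a non-empty original name in front of the suffix.
        if lower.endswith(suffix) and len(filename) > len(suffix):
            return filename[:-len(suffix)], filename[-len(suffix):]
    return None


def scan(root):
    """Walk root and list files that look renamed by Scarab (read-only)."""
    hits, per_suffix = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            m = match_suffix(name)
            if m is None:
                continue
            original, suffix = m
            hits.append({
                "path": os.path.join(dirpath, name),
                "original_name": original,
                "suffix": suffix.lower(),
                # An intact original next to the encrypted copy needs no recovery.
                "original_present": original.lower() in present,
            })
            per_suffix[suffix.lower()] += 1
    return hits, per_suffix


if __name__ == "__main__":
    import sys
    found, counts = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for h in found:
        print(h["path"], "->", h["original_name"])
    print(dict(counts))
```

A match is a lead rather than proof: short suffixes such as .please or .osk can also occur on unrelated files, so confirm hits against the ransom note and the file contents.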
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files, especially since you have a chance to recover your documents, photos and music for free using utilities such as ShadowExplorer and PhotoRec. Moreover, the Dr.Web antivirus company created a Scarab ransomware decryptor that may be able to decrypt some variants of Scarab ransomware.
Therefore it is very important to follow the guidance below immediately. The guidance will help you delete Scarab ransomware. What is more, the step-by-step tutorial below may allow you to recover encrypted files for free.
Quick Links
- Scarab ransomware decryptor
- Scarab ransomware removal
- How to restore .scarab files
- How to prevent your machine from becoming infected by Scarab ransomware virus?
- To sum up
Scarab ransomware decryptor
You will need to contact the Dr. Web antivirus company for help with decrypting .scarab files. They do charge a fee if you were not a Dr. Web antivirus customer at the time of the ransomware attack and they are able to decrypt the files. Use the link below.
https://support.drweb.com/new/free_unlocker/for_decode/
Apart from the Scarab ransomware decryptor made by the Dr. Web antivirus company, at the moment there is no other free way to decrypt .scarab files. But you have a chance to restore .scarab files for free.
Scarab ransomware removal
In order to remove Scarab ransomware from your PC, you need to stop all ransomware processes and delete its associated files, including Windows registry entries. If any virus components are left on the computer, the ransomware can reinstall itself the next time the system boots up. Ransomware usually uses a random name consisting of characters and numbers, which makes manual removal very difficult. We suggest running free ransomware removal utilities that will help remove the Scarab virus from your PC. Below you can find a few popular malware removers that detect various ransomware.
Remove Scarab ransomware with Zemana Anti-malware
You can remove the Scarab ransomware virus automatically with the help of Zemana Anti-malware. We recommend this malware removal utility because it can easily remove ransomware viruses, potentially unwanted programs, adware and toolbars with all their components such as folders, files and registry entries.
- Download Zemana Anti-Malware by clicking on the link below.
- At the download page, click on the Download button. Your web-browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- After the downloading process is complete, please close all applications and open windows on your personal computer. Next, start a file named Zemana.AntiMalware.Setup.
- This will run the “Setup wizard” of Zemana Anti Malware (ZAM) onto your computer. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana will launch and display the main window.
- Next, press the “Scan” button. The Zemana utility will begin scanning the whole PC to find Scarab ransomware related files, folders and registry keys. Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. When a threat is found, the number of security threats will change accordingly. Wait until the check is complete.
- When the scan ends, Zemana Anti-Malware (ZAM) will display the results.
- Once you have selected what you want to delete from your PC, click the “Next” button. The utility will get rid of Scarab ransomware and other kinds of potential threats, like malicious software and PUPs, and move the threats to the program’s quarantine. Once disinfection is complete, you may be prompted to restart the system.
- Close the Zemana Anti-Malware and continue with the next step.
Remove Scarab ransomware with Malwarebytes
Manual Scarab ransomware virus removal requires some computer skills. Some files and registry entries created by the virus may not be completely removed. We recommend running Malwarebytes Free to completely clean your computer of the virus. Moreover, the free program will help you remove malicious software, potentially unwanted applications, adware and toolbars that your system may also be infected with.
Visit the page linked below to download MalwareBytes. Save it on your MS Windows desktop.
Once the download is done, close all applications and windows on your PC. Open the directory in which you saved the file. Double-click on the icon named mb3-setup as shown in the following example.
When the setup starts, you will see the “Setup wizard” that will help you install Malwarebytes on your system.
Once setup is finished, you’ll see a window as shown in the image below.
Now press the “Scan Now” button to scan your computer for the Scarab virus and other security threats. This process can take some time, so please be patient. When malware, adware or potentially unwanted software is found, the number of security threats will change accordingly.
Once the scan is finished, MalwareBytes will display a list of found threats. Review the scan results and then click the “Quarantine Selected” button.
Malwarebytes will now get rid of Scarab ransomware related files, folders and registry keys and add the threats to the Quarantine. When the task is finished, you may be prompted to reboot your system.
Remove Scarab ransomware with KVRT
KVRT is a free portable application that scans your PC for adware, potentially unwanted apps and viruses like the Scarab ransomware and helps remove them easily. Moreover, it will also allow you to remove any malicious web browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the link below.
Once the download is finished, double-click on the KVRT icon. Once the initialization procedure is finished, you will see the KVRT screen as displayed in the following example.
Click Change Parameters and check the boxes next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button. Kaspersky virus removal tool will scan the whole PC for the Scarab ransomware and other trojans and malicious software. This process can take some time, so please be patient. While the KVRT application is scanning, you can see how many objects it has identified as threats.
After the scan is finished, Kaspersky virus removal tool will display a scan report as shown in the image below.
Once you have selected what you wish to remove from your computer, click Continue to begin the cleaning task.
How to restore .scarab files
In some cases, you can recover files encrypted by the Scarab ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Use shadow copies to recover .scarab files
In some cases, you have a chance to recover your documents, photos and music which were encrypted by the Scarab virus. This is possible with a utility named ShadowExplorer. It is a free application designed to obtain ‘shadow copies’ of files.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your system from the following link.
When downloading is finished, extract the saved file to a folder on your personal computer. This will create the necessary files as shown in the figure below.
Run the ShadowExplorerPortable program. Now select the date (2) that you wish to restore from and the drive (1) you wish to restore files (folders) from as shown in the figure below.
In the right panel, navigate to the file (folder) you wish to recover. Right-click on the file or folder and click the Export button as displayed in the figure below.
Finally, specify a directory (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.
Use PhotoRec to restore .scarab files
Before a file is encrypted, the Scarab ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file restore applications like PhotoRec.
Download PhotoRec by clicking on the link below. Save it on your Windows desktop.
After the download is done, open the directory in which you saved it. Right-click on testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed below.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as displayed in the figure below.
Choose a drive to recover as shown in the following example.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as on the image below.
Click the File Formats button and choose the file types to restore. You can enable or disable the restore of certain file types. When this is finished, press the OK button.
Next, click Browse button to select where restored photos, documents and music should be written, then press Search.
The count of restored files is updated in real time. All recovered files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the restore is done, click the Quit button. Next, open the directory where the recovered files are stored. You will see contents as displayed on the screen below.
All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
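Sorting the recup_dir.N output by extension and date can also be scripted. This is an added example, not part of the original guide or of PhotoRec; the function names are hypothetical, and it only reads the output folder without moving or renaming anything.

```python
import os
import re
from collections import defaultdict

RECUP_DIR = re.compile(r"^recup_dir\.(\d+)$")  # PhotoRec output folder names


def recovered_files(output_dir):
    """Yield (path, extension, mtime) for files in recup_dir.N folders."""
    folders = []
    for entry in os.scandir(output_dir):
        m = RECUP_DIR.match(entry.name)
        if m and entry.is_dir():
            folders.append((int(m.group(1)), entry.path))
    # Numeric order, so recup_dir.10 comes after recup_dir.2.
    for _num, folder in sorted(folders):
        for entry in os.scandir(folder):
            if entry.is_file():
                ext = os.path.splitext(entry.name)[1].lower() or "(none)"
                yield entry.path, ext, entry.stat().st_mtime


def index_by_extension(output_dir):
    """Group recovered files by extension, newest first within each group."""
    groups = defaultdict(list)
    for path, ext, mtime in recovered_files(output_dir):
        groups[ext].append((mtime, path))
    return {ext: [p for _m, p in sorted(items, reverse=True)]
            for ext, items in sorted(groups.items())}


def find(output_dir, ext, modified_after=0.0):
    """Paths with the given extension modified after a Unix timestamp."""
    ext = ext.lower() if ext.startswith(".") else "." + ext.lower()
    return [p for p, e, m in recovered_files(output_dir)
            if e == ext and m > modified_after]
```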
How to prevent your machine from becoming infected by Scarab ransomware virus?
Most antivirus programs already have a built-in protection system against ransomware. Therefore, if your personal computer does not have an antivirus application, make sure you install one. As extra protection, run CryptoPrevent.
Run CryptoPrevent to protect your PC system from Scarab ransomware virus
Download CryptoPrevent on your MS Windows Desktop from the link below.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can choose a level of protection, as shown below.
Now click the Apply button to activate the protection.
To sum up
After completing the steps shown above, your computer should be free from Scarab ransomware and other malicious software. Your PC will no longer encrypt your photos, documents and music. Unfortunately, if the tutorial does not help you, then you have caught a new variant of the Scarab ransomware virus, and the best option is to ask for help here.