Scarab-Glutton Ransomware Removal Guide

Category: Trojans

Scarab-Glutton Ransomware comes from the Scarab Ransomware family, so it behaves more or less the same as the versions created before it. However, we will discuss their differences and similarities further in this article. No doubt, many users who come across such threats want to find out how they manage to enter their computers, which is why we will present the malware’s possible distribution channels too. As for our advice on what to do after receiving such a malicious program, we think it would be safest to eliminate it. There is no knowing whether the Scarab-Glutton Ransomware’s developers will keep their word, so there is a chance they may not help decrypt your files even if you pay a ransom. If you decide it would be best to remove it from the system, you could use the deletion instructions located below this text or a reliable security tool of your choice.

After researching Scarab-Glutton Ransomware, our researchers think the malware might be spread via malicious software installers, untrustworthy email attachments, or by exploiting the device’s weaknesses. Therefore, there are a few things to take care of if you do not wish to come across such threats again. To begin with, you should either avoid opening doubtful email attachments and files downloaded from unreliable web pages or install a reliable security tool so you can scan all questionable data with it. Then, we would recommend getting rid of weaknesses that your computer might have, for example, outdated software, weak passwords, and so on.

This new version marks its encrypted files with the .glutton extension, which is why it was named Scarab-Glutton Ransomware. Another difference is the names of the files the malware drops when settling in on the targeted computer. For instance, Scarab-Cybergod Ransomware creates a file named helper.exe in the %APPDATA% folder, while this new variant places an executable file named winupmgr.exe in the same location. What stays the same is that the malicious application still encrypts the user’s data with a strong encryption algorithm to make it unusable. It also shows an almost identical ransom note, although this time it is named !!!HOW TO RECOVER ENCRYPTED FILES!!!.TXT instead of From Jobe Smith.TXT (the ransom note dropped by Scarab-Cybergod Ransomware). Again, the message does not say how much the user is supposed to pay for the tools to decrypt their files. The hackers merely ask the user to contact them via email to learn how much it is and how to make a payment.

As we said earlier, we would not recommend paying the ransom, as by doing so you could end up being scammed. It would be wiser to take a moment and remember whether you have any backup copies saved on a removable media device or in cloud storage. Nevertheless, keep in mind that Scarab-Glutton Ransomware can restart with the operating system, which means none of the files on the system will be safe until you eliminate this malicious program. To remove it manually, you could complete the steps provided in the deletion instructions we added at the end of this page, although it might be easier to get a reliable security tool and let it erase the malware for you.

Get rid of Scarab-Glutton Ransomware

  1. Tap Ctrl+Alt+Delete.
  2. Select Task Manager.
  3. Locate a particular process belonging to the malicious program.
  4. Mark it and press End Task.
  5. Exit Task Manager.
  6. Open File Explorer (Win+E).
  7. Go to these locations separately:
  8. Search for a suspicious file that might be the malware’s installer; right-click it and select Delete.
  9. Find this location %APPDATA%
  10. Search for suspicious executable files called PresentationFontCache.exe and winupmgr.exe, right-click them and choose Delete.
  11. Go to %USERPROFILE%
  12. Find a document called !!!HOW TO RECOVER ENCRYPTED FILES!!!.TXT.
  13. Right-click it and select Delete.
  14. Exit the Explorer.
  15. Press Win+R and type Regedit.
  16. Click OK and go to this path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  17. Find two value names: one should be called Windows Update Manager, and the other might have a random name, for example, qPidxMaDHAuA.
  18. Right-click the described value names separately and choose Delete.
  19. Navigate to HKEY_CURRENT_USER\Software
  20. Find a key with a random title similar to the one used before, right-click it and select Delete.
  21. Exit your Registry Editor.
  22. Empty Recycle bin.
  23. Reboot the device.
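
Before deleting anything by hand, the artifacts named in the steps above can be checked with a read-only PowerShell script. This is an added example, not part of the original guide; flagging Run values whose data mentions the dropped file names is an assumption, so every Run value is listed for review because one entry may have a random name.

```powershell
# Read-only check for the Scarab-Glutton artifacts named in the removal steps.
# Nothing is deleted or modified; the script only reports what it finds.
$findings = @()

# Steps 9-10: executables dropped in %APPDATA%
$dropped = 'winupmgr.exe', 'PresentationFontCache.exe'
foreach ($name in $dropped) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path) {
        # Record a hash so the sample can be identified after removal
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Item = $path; Detail = "SHA256 $hash" }
    }
}

# Steps 11-12: ransom note in %USERPROFILE%
$note = Join-Path $env:USERPROFILE '!!!HOW TO RECOVER ENCRYPTED FILES!!!.TXT'
if (Test-Path -LiteralPath $note) {
    $findings += [pscustomobject]@{ Type = 'RansomNote'; Item = $note; Detail = '' }
}

# Steps 16-17: autostart values under the current user's Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        # Assumption: a malicious value either has the known name or
        # points at one of the dropped executables.
        $known = ($valueName -eq 'Windows Update Manager') -or
                 ($data -match 'winupmgr\.exe|PresentationFontCache\.exe')
        $type = if ($known) { 'RunValue-MATCH' } else { 'RunValue-review' }
        $findings += [pscustomobject]@{ Type = $type; Item = $valueName; Detail = $data }
    }
}

# Scope of damage: files carrying the .glutton extension in the user profile
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.glutton' -ErrorAction SilentlyContinue)
$findings += [pscustomobject]@{ Type = 'EncryptedFiles'; Item = $env:USERPROFILE; Detail = "$($encrypted.Count) file(s)" }

$findings | Format-Table -AutoSize -Wrap
```

Rows marked RunValue-review are ordinary autostart entries unless their name looks random and their data is unfamiliar; compare them against software you know is installed.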