If your operating system does not have a great defense mechanism, it might be only a matter of time before the devious Scarab Ransomware finds its way in. Once it does, it immediately encrypts your files. The infection primarily encrypts files that are considered personal (e.g., photos and text files), but that depends on the files that are actually stored on your PC. After encryption, it immediately removes shadow volume copies (it calls the “vssadmin Delete Shadows /All /Quiet” command), and that is supposed to stop you from recovering your files manually. The ransomware also creates a TXT file to explain the situation and to demand a ransom payment. According to our researchers, the infection should erase itself after that, but if it does not, we can help you delete Scarab Ransomware. Read this report to fully understand the infection, and then follow the instructions presented below.
Even if you are not tech-savvy, and you do not follow virtual security news, you must know about Petya Ransomware, WannaCry Ransomware, and other infamous infections that are known for invading operating systems and encrypting the files found on them. Scarab Ransomware is not that much different from these well-known threats. Although it is spread on a much lower scale, finding it on your PC is no walk in the park. First of all, if this threat has encrypted your files – you can identify these files by the “.[email@example.com].scarab” extension – the chances are that these files are lost for good. Although the creator of Scarab Ransomware promises to decrypt your files via the ransom note it creates, these promises are most likely to be empty. In many cases, ransomware creators do not even have the technical capabilities to decrypt files, and in other cases, cyber criminals are simply not interested in assisting users. Unfortunately, once the ransomware is in, the user is really backed into a corner, and, in many cases, paying the ransom is the only option.
“IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” is the file that Scarab Ransomware uses to introduce its victims to the ransom payment. The original location of the file should be the %USERPROFILE% folder, but copies should be scattered all across the PC. It is also interesting that this file has a PoE registry entry, which it shares with the PoE of the ransomware launcher. Once the launcher is executed and the files are encrypted, the PoE is modified to represent the TXT file. The name of this registry entry is a combination of random letters and numbers in a CLSID format. The ransom note file provides you with instructions that, allegedly, can help you get your files decrypted. At the top of the file, a monstrous ID number is displayed. This is the number you are asked to send to firstname.lastname@example.org, which, of course, is the same email address that you can see on the extension attached to the encrypted files. It is suggested that once you send the ID, the creator of Scarab Ransomware will then send you details regarding the payment (e.g., the ransom amount and the Bitcoin address). We do not recommend following the demands of cyber criminals, and we certainly do not recommend paying the ransom.
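The three indicators described above (the shadow-copy deletion command, the “.[address].scarab” extension, and the ransom note file name) can be checked together when triaging hosts. The following is an added example, not code from this report or its researchers; the event field names (`host`, `cmdline`, `path`), the host names, the contact address in the sample and the verdict thresholds are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the article text.
NOTE_NAME = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
# "vssadmin ... delete ... shadows ... /all", tolerant of case, full path, ".exe" and quoting.
VSS_RE = re.compile(
    r'(?:^|[\\/\s"])vssadmin(?:\.exe)?"?\s+(?=.*\bdelete\b)(?=.*\bshadows\b)(?=.*/all\b)',
    re.IGNORECASE)
# ".[<contact address>].scarab" appended to the original file name.
EXT_RE = re.compile(r"\.\[[^\]\\/]+\]\.scarab$", re.IGNORECASE)

def is_shadow_delete(cmdline):
    return bool(VSS_RE.search(cmdline))

def classify_path(path):
    name = PureWindowsPath(path).name  # parses Windows paths on any OS
    if name.upper() == NOTE_NAME:
        return "ransom_note"
    return "encrypted_file" if EXT_RE.search(name) else None

def triage(events):
    """Group events per host; two or more distinct indicators => 'match'."""
    hosts = {}
    for ev in events:
        h = hosts.setdefault(ev["host"], {"shadow_delete": False, "encrypted": 0, "notes": 0})
        if is_shadow_delete(ev.get("cmdline", "")):
            h["shadow_delete"] = True
        kind = classify_path(ev["path"]) if "path" in ev else None
        if kind == "encrypted_file":
            h["encrypted"] += 1
        elif kind == "ransom_note":
            h["notes"] += 1
    for h in hosts.values():
        hits = sum([h["shadow_delete"], h["encrypted"] > 0, h["notes"] > 0])
        h["verdict"] = "match" if hits >= 2 else "review" if hits == 1 else "clean"
    return hosts

# Constructed sample telemetry (not from a real incident).
SAMPLE = [
    {"host": "WS01", "cmdline": r'cmd.exe /c "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"host": "WS01", "path": r"C:\Users\alice\Documents\report.docx.[contact@example.invalid].scarab"},
    {"host": "WS01", "path": r"C:\Users\alice\if you want to get all your files back, please read this.txt"},
    {"host": "WS02", "cmdline": "vssadmin list shadows"},
    {"host": "WS02", "path": r"C:\Users\bob\Pictures\scarab.jpg"},
    {"host": "WS03", "cmdline": "vssadmin delete shadows /all"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

A shadow-copy deletion on its own is only rated "review" because legitimate administration and backup tooling can issue the same command; it is the combination with renamed files or the note that points to this infection.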
Do you trust cyber criminals to help you decrypt your files if you do as told? Well, it is more likely that you will lose your money and your files by doing that. Of course, if the ransom demanded in return for a decryptor/decryption key is minuscule – and that is unlikely to be the case – you might choose to pay it despite the risk. If this is the path you choose, remember that you have to be very careful when communicating with cyber criminals. Do not use your regular email address and do not share private information. In the end, you MUST clean your operating system and strengthen its protection. You can do both by installing an anti-malware tool. It will ensure reliable protection, and it will remove Scarab Ransomware, if it has not erased itself already. If you are curious about manual removal, check out this guide.