The attackers behind this form of file-encrypting malware — which has similarities with Locky — think that if the victim can set their own price, they’re more likely to pay.
A new form of ransomware, which shares similarities with Locky, allows its victims to negotiate the price for retrieving their encrypted files.
Scarab ransomware was first uncovered in June, but during November, it was suddenly distributed in millions of spam emails, according to researchers at Fortinet. The emails were distributed by Necurs, the botnet infamous for spreading the highly-successful Locky ransomware.
The file-encrypting malware is deployed when the victim runs a VBScript application contained within a malicious email, which retrieves Scarab from payload websites. Researchers at PhishMe said the script contains similarities to the mechanism used to deliver Locky.
Those behind Scarab have also chosen to fill the source code of the ransomware with what appear to be references to Game of Thrones character Jon Snow.
Once installed and executed on the victim’s computer, the malware will connect to a website that provides the attacker with the victim’s IP address and other machine information — likely to aid the attacker in keeping track of victims.
Even if the machine is taken offline during the process, the ransomware still encrypts the files with the .scarab file extension and presents the victim with a ransom note.
But rather than demanding a set fee to release the files, the attackers behind Scarab ask the victims to email them in order to negotiate a payment in bitcoin — the cryptocurrency often used by attackers to collect ransom payments.
The use of an email address suggests the attackers aren’t as sophisticated as those behind other forms of ransomware. However, they do seem to be working to the theory that if they allow the victim to set their own price for the ransom, they’re more likely to receive a payment.
“The negotiation process encouraged by the Scarab ransomware is particularly interesting. While entering into negotiations definitely makes it more likely that a ransom of some kind will be paid, it also allows them to fluctuate demands depending on the value of bitcoin at that time,” said Aaron Higbee, co-founder and CTO of PhishMe.
Researchers suggest the rise in the value of bitcoin has played a part in the shift to using this tactic. A fee of around one bitcoin was often set as the ransom demand during 2016, when the value of bitcoin was under $1000. At the time of writing, one bitcoin is worth over $16,000.
Attackers are likely to understand the average victim isn’t going to have the funds to pay this fee, so by allowing the victim to suggest a price, those behind Scarab are more likely to guarantee a payday for their criminal work.
Those behind Scarab also attempt to show they can be trusted to hold up their end of the malicious deal with the use of a common tactic of ransomware distributors: offering to decrypt some files for free. They also provide instructions on how to obtain bitcoin in order so that they can receive payment from victims.
However, these aren’t acts of community spirit. The attackers are criminals who are looking for profit by extorting a payment out of the unfortunate victim — a reality hammered home by the ransom note, which says: “Decryption of your files with the help of third parties may cause an increased price.” The attackers also add that by trying to use decryption tools, the victim “can become a victim of a scam”.
Researchers are currently unsure if Scarab will be a temporary ransomware campaign — like Jaff — or if it will become a long-standing threat like Locky.