
How to Detect Scarab Ransomware by Monitoring Network Traffic

Along comes another one: Scarab Ransomware

Scarab Ransomware is another in the series of ransomware variants that appeared in 2017. It falls into the crypto-ransomware category: malware that goes after user data on local drives and network shares and encrypts it. Scarab follows the typical three-stage infection process:

  1. Get a user to click on a link or open an attachment that carries the malware downloader
  2. Connect to external websites to download the actual ransomware payload
  3. Encrypt the user's data and leave a ransom note

The name Scarab is also that of a family of beetles. Scarabs are stout-bodied beetles, many with bright metallic colours, measuring between 1.5 and 160 mm. They are also known as dung beetles.

Detecting the presence of Scarab Ransomware

First spotted on November 23, 2017, Scarab ransomware is being sent primarily to .com addresses, followed by .co.uk inboxes. According to Forcepoint, it was sent to millions of email addresses in the first four hours alone. The emails originate from hosts within the Necurs botnet.

The unsolicited emails in question use the well-worn "Scanned from {printer company name}" subject line and carry a 7-Zip attachment containing a VBScript downloader. Use SMTP traffic monitoring, or check the logs on your email server, for subject lines that start with "Scanned from". Bear in mind that genuine scan-to-email devices produce the same subject line, so treat a match as a lead to correlate with the attachment (a .7z archive containing a .vbs file) rather than as a verdict on its own.

Another key indicator of Scarab Ransomware is the presence of these files on network shares:

  • Encrypted files, renamed with the extension ".[suupport@protonmail.com].scarab" appended to the original file name (note the double "u" in "suupport", which is how the extension actually appears)
  • Ransom notes, saved as text files with the name "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"

The image below shows how our LANGuardian product detected suspicious activity on a network share by monitoring the network traffic going to and from the file servers. Monitoring traffic in this way lets you passively build a list of all file and folder activity without enabling logging or installing agents on the servers.

[Image: Scarab Ransomware detected on a network]

Watch out for an increase in file renames, a strong sign of Scarab Ransomware activity

File renames are not a common action on network file shares. Over the course of a normal day you may see just a handful of renames, even with hundreds of users on your network. When Scarab Ransomware strikes, every file it encrypts is renamed to carry the .scarab extension, so the rename count jumps dramatically as your data is encrypted.

You can use this behaviour to trigger an alert: if the number of renames per second rises above a threshold, you have a potential ransomware incident. Our recommendation is to alert at 4 or more renames per second. Measure the rate per client (source IP address) rather than across the whole share, so that a single infected workstation stands out, and baseline your environment first, since backup or migration jobs can legitimately rename files in bulk.
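As an added example (not NetFort or LANGuardian code), the following Python script applies both checks from this post to file-activity events: a sliding one-second window of renames per client using the 4-per-second threshold recommended above, plus a match on the Scarab extension and ransom-note name listed earlier. The event format (timestamp, client IP, action, path) and the sample events are constructed for the example and are not from a real capture.

```python
"""Added example, not NetFort/LANGuardian code: apply the Scarab indicators
from the post to file-activity events such as a passive SMB monitor or a
file-server audit log might produce.

Assumed event format (an assumption, not from the post):
    (epoch_seconds, client_ip, action, path)
where path is the destination name for RENAME events.
"""
from collections import defaultdict

# Indicators and threshold as given in the post.
SCARAB_EXTENSION = ".[suupport@protonmail.com].scarab"
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
RENAME_THRESHOLD_PER_SECOND = 4

# Constructed sample events (not real capture data). 10.0.0.5 is a normal
# user doing occasional renames; 10.0.0.23 behaves like an infected workstation.
SAMPLE_EVENTS = [
    (1511452800.10, "10.0.0.5", "RENAME", r"\\fs01\finance\draft.docx"),
    (1511452801.45, "10.0.0.5", "WRITE", r"\\fs01\finance\scan_0412.pdf"),
    (1511452835.00, "10.0.0.5", "RENAME", r"\\fs01\finance\final_v2.docx"),
    (1511452900.01, "10.0.0.23", "RENAME", r"\\fs01\finance\budget.xlsx.[suupport@protonmail.com].scarab"),
    (1511452900.18, "10.0.0.23", "RENAME", r"\\fs01\finance\payroll.csv.[suupport@protonmail.com].scarab"),
    (1511452900.33, "10.0.0.23", "RENAME", r"\\fs01\finance\forecast.pptx.[suupport@protonmail.com].scarab"),
    (1511452900.47, "10.0.0.23", "RENAME", r"\\fs01\finance\notes.txt.[suupport@protonmail.com].scarab"),
    (1511452900.62, "10.0.0.23", "RENAME", r"\\fs01\finance\invoice.pdf.[suupport@protonmail.com].scarab"),
    (1511452900.85, "10.0.0.23", "RENAME", r"\\fs01\finance\plan.docx.[suupport@protonmail.com].scarab"),
    (1511452900.92, "10.0.0.23", "WRITE", r"\\fs01\finance\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"),
]


def basename(path):
    """Last path component, accepting both UNC backslash and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def rename_bursts(events, threshold=RENAME_THRESHOLD_PER_SECOND, window=1.0):
    """Per client, find the busiest `window`-second span of RENAME events.

    A sliding window is used rather than fixed one-second buckets so a burst
    that straddles a second boundary is not split in two and missed.
    Returns {client: peak_renames_in_window} for clients at/above threshold.
    """
    times = defaultdict(list)
    for ts, client, action, _path in events:
        if action == "RENAME":
            times[client].append(ts)
    peaks = {}
    for client, ts_list in times.items():
        ts_list.sort()
        start, best = 0, 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] >= window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            peaks[client] = best
    return peaks


def filename_hits(events):
    """(client, path) pairs whose file name carries the Scarab extension or is
    the ransom note; comparison is case-insensitive because SMB names are."""
    hits = []
    for _ts, client, _action, path in events:
        name = basename(path)
        if name.lower().endswith(SCARAB_EXTENSION) or name.casefold() == RANSOM_NOTE.casefold():
            hits.append((client, path))
    return hits


def scarab_report(events, threshold=RENAME_THRESHOLD_PER_SECOND):
    """Combine both indicators into {client: {peak_renames_per_second, indicator_files}}."""
    report = {}

    def entry(client):
        return report.setdefault(client, {"peak_renames_per_second": 0, "indicator_files": []})

    for client, peak in rename_bursts(events, threshold).items():
        entry(client)["peak_renames_per_second"] = peak
    for client, path in filename_hits(events):
        entry(client)["indicator_files"].append(path)
    return report


if __name__ == "__main__":
    for client, details in scarab_report(SAMPLE_EVENTS).items():
        print(f"ALERT {client}: peak {details['peak_renames_per_second']} renames/s, "
              f"{len(details['indicator_files'])} Scarab-named files")
```

On the sample data only 10.0.0.23 is reported, with a peak of 6 renames in one second and 7 Scarab-named files; the normal user's two renames 35 seconds apart never trip the threshold. Feed the functions events from your own monitor or audit log, and tune the threshold after baselining, since scripted bulk renames by backup or migration jobs will look the same to the rate check and need the filename check (or an allow-list of service accounts) to tell them apart.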

The video below shows how to set up a LANGuardian trend graph that you can then use to create an alert. It also demonstrates how to set up a file activity monitoring report that shows any file names with extensions known to be associated with ransomware. You just need to change the file extensions to the ones mentioned earlier in this blog post.