New ransomware – named Scarab – has been observed by PhishMe. While it shares some similarities in behaviour and distribution with Locky, there are also some distinct differences. First, Scarab does not present a ransom amount with its encryption message, instead it instructs victims on how to negotiate with the operators. Second, Scarab reports newly infected machines via a service that collects click statistics on opened or viewed artifacts, as opposed to using command and control resources.
Aaron Higbee, co-founder and CTO of PhishMe, comments:
“It is unsurprising that hackers would use similar characteristics to one of 2016’s most prolific malware campaigns in the new Scarab campaign – even down to the Game of Thrones references. In some ways, this will make security teams better prepared should they face a Scarab ransomware attack, but given the persistence and disruption caused by Locky, makes it even more important to understand how the ransomware differs.
“The negotiation process encouraged by the Scarab ransomware is particularly interesting. While entering into negotiations definitely makes it more likely that a ransom of some kind will be paid, it also allows them to fluctuate demands depending on the value of Bitcoin at that time.
“Taking note of the evolution of ransomware is vitally important to bolster the knowledge of security teams in preparation for the next attack. To have a full picture, however, employees need to be encouraged to identify and report potential attacks, as without this first line of defence, the damage may have already been done.”