Necurs has something in the range of five to six million infected hosts online monthly, according to F-Secure. Its service model has the entire infection chain, from spam emails with malicious malware downloader attachments, to hosting payloads on compromised websites.
The emails arrive with subject lines like "Scanned from (Lexmark/HP/Canon/Epson)”. The attachment is named as “image2017-11-23-(7 random digits).7z“ and contains a VBScript downloader that pulls down the Scarab ransomware.
Security firm Forcepoint said it had noticed about 12.5 million emails of this kind in six hours beginning at 7.30GMT on Thursday.
F-Secure said the Scarab ransomware was relatively new and was observed last June, with its code being based on the open source “ransomware proof-of-concept” called HiddenTear.
The latest version has no change in filenames, but appends a new file extension to the encrypted files with “.[firstname.lastname@example.org].scarab”.
The ransom note reads:
Forcepoint said that as with previous Necurs campaigns, the VBScript contained a number of references to Game of Thrones.
It said that the Scarab ransomware that was dropped had the file name sevnz.exe.
"Once installed it proceeds to encrypt files, adding the extension “.[email@example.com].scarab” to affected files. A ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” is dropped within each affected directory," the company said.
"The misspelling of 'support' is present in both the modified filenames and the ransom note, and is presumably a result of the availability of email addresses on the Protonmail service.
"Unusually, the note does not specify the amount being demanded, instead simply stating that "the price depends on how fast you write to us". This note is also automatically opened by the malware after execution."
Graphic: courtesy Forcepoint. Screenshot: courtesy F-Secure