classiccor83

Scarab infection, .sfs, HOW TO RECOVER ENCRYPTED FILES.TXT


Hello, 

 

I was the victim of an RDP Scarab trojan early this morning that has encrypted all the files on my hard drives and NAS with the ".sfs" file suffix.

 

I have run Malwarebytes, which cleaned up a few files and a few registry changes, and a complete scan with NOD32 has also cleaned a few things up.

 

I first noticed the issue when my computer was logged out this morning, as it is never logged out. I had to use a USB boot tool to change my password, as it had been changed, and when doing this I noticed a new user account called "localadmin". I changed the password on that and also disabled the account just in case. When I finally managed to log in I noticed that the following pieces of software had been uninstalled:

  • TeamViewer
  • ESET NOD32
  • Malwarebytes

Also, my firewall had been disabled and the OneDrive client installed. I fixed those issues and then restarted as requested by Malwarebytes. Once logged back in, my torrent client auto-started and advised me that essentially every torrent had missing files, so I checked the locations and noticed all my media (movies, anime, etc.) had ".sfs" added to the file names, and that's when I noticed the "HOW TO RECOVER ENCRYPTED FILES.TXT" in one of the folders. The following is what's in the document:

 

 
"                                 HOW TO RECOVER ENCRYPTED FILES
 
   Hello, my friend!
 
   All your files have been encrypted.
 
>>> Your personal ID: >>>
 
pAQAAAAAAADbUkxqJZSJ70MkDAR=sfPwyazMIn6sCB1ZIj27f1dOspHw8laKO8aZq+EmPio2susIqx5cpt4svG3J59qpWopli7N0
Fm+3r7XbWVLuJaz1lv+G4gihobaJq7eLu3H1+Spfn0UaTXrPfzoqKTTbeerL6NX0KfnT8nypTArenMeopfWNH0xW+TgvBfac1n6C
47h23ft1nSWv+O7PDCUrFo5XIADnyv5hndtNnNVovQbYg43lb3EM4J3ANHpWoZoTbY1E4lCf2uS3hbGcu9MQuCaD06HBsy0BW0RB
DFb9cmdiUakKZG5VfmngLBmHoJk3=YYTAW8BtiCWXElItIUmwbct=zB0PlmE6+401ho7xOM507ZOhBIclQvhIbEcMBOPc1Icas7P
7h5ChqaCUaIFfm0=5IGpIdI2RI8uhmiHMYaAziHKAmF5B8CJAPJQqai0FBACcyz4HbKTaRTSj6xmIo8vd957D40Ez136BYcKuIHz
mi0KujT4CZnMBr2BTpAPUO4LGAt0PEtcB5q0j+IFQUVGLWmuCSGuEaxow40K425hnM3iERNGcI3b9pXEjN5ye0dup6IC4LCZiCop
gA9gPiIUaI8fhW5H6FVPKacQQVIHhq+y7JJPBO4T9u3=EaCC5lCMU1mxY+M+KuFnWDYTa740hAR5sDiJn4UF9k8OI7ErJCEK2ZIw
EklKNO8=jEiC7SmYMRqr58cA3Zf7ELG9aSPG2nM0gkNct4shUYFJYhDZG3AzfoVchW5BcIFI=1l75D9Z2PDWssqBQXA7QfkzHirb
zDOEo0IkRE3OzCpxn7kBzLoQ6FSw3FE+9OQRoQDMdJFk8fzxAQ
 
 
   If you want to recovery your files, send us e-mail with your personal ID and 1-2 test files (image or text,
   non archived, total size of files must be less than 10Mb).
 
>>> Contacts: >>>
 
 
   Use please both e-mail addresses.
   If your mail server doesn't send e-mail to our contacts, we recommended you to create
   an e-mail on Protonmail.com (https://protonmail.com).
 
>>> ATTENTION! >>>
 
   * Do not rename encrypted files. 
   * Do not try to decrypt your data using third party software, it may cause permanent data loss.  
   * Decryption of your files with the help of third parties may cause increased price  
     (they add their fee to our) or you can become a victim of a scam."

 

 

I have read a few topics on the forums, which led me to check the ID Ransomware site to confirm I had been infected with Scarab. I have also submitted a ticket with ESET to see if their decryption tool can help out.

I also noticed that they created two new partitions on my main drive (please see screenshots), with one containing a WinRE image.

 

So initially I would like to know if there are tools out there to check that I am clean, and what changes I can make to the firewall/registry/etc. to prevent this from happening again, so that I can apply them to my other computers.

 

Scarab1.jpg

Scarab2.jpg

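The post above asks for a way to check whether the machine is clean and which settings to change. As an added example, not part of the original thread or of any tool mentioned in it, the PowerShell script below triages exactly the indicators classiccor83 reports (".sfs" files and the ransom note, the "localadmin" account, RDP logons in the Security log, the disabled firewall, autorun entries and the new partitions) and, with -Harden, applies the basic fixes. The drive letters, the look-back window, the account name and the registry paths are assumptions to adjust; it assumes Windows 10 / Server 2016 or later with PowerShell 5.1 and an elevated prompt.

```powershell
# Added example (not from the thread or from any tool it mentions): triage the
# indicators described in the post above and optionally apply basic hardening.
# Run from an elevated PowerShell 5.1+ prompt. Drives, look-back window, account
# name and the registry paths are assumptions; adjust them for your machine.
param(
    [string[]]$ScanRoots    = @('C:\', 'D:\'),   # assumed: local drives to sweep
    [int]$Days              = 3,                 # assumed: event look-back window
    [string]$SuspectAccount = 'localadmin',      # account named in the post
    [string]$NoteName       = 'HOW TO RECOVER ENCRYPTED FILES.TXT',
    [switch]$Harden                              # apply the fixes in step 6
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = "$rdpKey\WinStations\RDP-Tcp"
$since  = (Get-Date).AddDays(-$Days)

# Pull one named field out of a Security event's EventData, by name rather than
# by positional index, since the field order differs between 4624 and 4625.
function Get-EventField($Event, [string]$Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | Select-Object -First 1 -ExpandProperty '#text'
}

# 1. Encrypted files and ransom notes, in a single pass over each drive.
$hits = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.sfs' -or $_.Name -eq $NoteName }
}
$sfs   = @($hits | Where-Object Extension -eq '.sfs')
$notes = @($hits | Where-Object Name -eq $NoteName)
"[files] .sfs files: $($sfs.Count); ransom notes: $($notes.Count)"
$notes | Select-Object -First 5 -ExpandProperty FullName | ForEach-Object { "  note: $_" }

# 2. Local accounts: flag the named account and anything whose password was set
#    inside the window, which catches an attacker account that was later renamed.
Get-LocalUser | ForEach-Object {
    $flag = if ($_.Name -ieq $SuspectAccount -or $_.PasswordLastSet -gt $since) { '  <-- review' } else { '' }
    "[account] $($_.Name) enabled=$($_.Enabled) pwset=$($_.PasswordLastSet)$flag"
}
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object { "[admin] $($_.Name)" }

# 3. Security log: account creation (4720), local group change (4732), RDP logons
#    (4624/4625 with LogonType 10) and audit log clearing (1102). Failed-logon
#    events exist only if the audit policy records logon failures.
$events  = @(Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720,4732,4624,4625,1102; StartTime=$since } -ErrorAction SilentlyContinue)
$rdpOk   = @($events | Where-Object { $_.Id -eq 4624 -and (Get-EventField $_ 'LogonType') -eq '10' })
$rdpFail = @($events | Where-Object { $_.Id -eq 4625 -and (Get-EventField $_ 'LogonType') -eq '10' })
"[events] created: $(@($events | Where-Object Id -eq 4720).Count)  group-add: $(@($events | Where-Object Id -eq 4732).Count)  log-cleared: $(@($events | Where-Object Id -eq 1102).Count)"
"[events] RDP logons since $since : $($rdpFail.Count) failed, $($rdpOk.Count) succeeded"
$rdpOk | ForEach-Object { "  ok   $($_.TimeCreated) $(Get-EventField $_ 'TargetUserName') from $(Get-EventField $_ 'IpAddress')" }
$rdpFail | Group-Object { Get-EventField $_ 'IpAddress' } | Sort-Object Count -Descending |
    Select-Object -First 5 | ForEach-Object { "  fail $($_.Count) attempts from $($_.Name)" }

# 4. Remote access, firewall and autoruns. The post reports the firewall disabled
#    and security software uninstalled; an autorun entry is the usual foothold.
$deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $nlaKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
"[rdp] enabled=$($deny -eq 0) NLA-required=$($nla -eq 1)"
Get-NetFirewallProfile | ForEach-Object { "[firewall] $($_.Name) enabled=$($_.Enabled)" }
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { "[autorun] $k\$($_.Name) = $($_.Value)" }
}

# 5. Partitions: the post mentions two new partitions, one holding a WinRE image.
Get-Partition | Select-Object DiskNumber, PartitionNumber, Type, DriveLetter, @{n='GB'; e={[math]::Round($_.Size/1GB, 1)}} | Format-Table -AutoSize

# 6. Hardening (assumed wanted; RDP is turned off entirely rather than left exposed).
if ($Harden) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    Set-ItemProperty -Path $nlaKey -Name UserAuthentication -Value 1 -Type DWord   # require NLA
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1 -Type DWord   # disable RDP
    if (Get-LocalUser -Name $SuspectAccount -ErrorAction SilentlyContinue) { Disable-LocalUser -Name $SuspectAccount }
    "[harden] firewall on, NLA required, RDP disabled, $SuspectAccount disabled"
}
```

Run it once without -Harden and keep the output, a few encrypted files and the ransom note before changing anything, since those are what a decryptor author needs. The 4625 counts are only meaningful if logon failures are audited, and a 1102 hit means the attacker wiped the log. Because the attacker held local administrator and removed the security software, a scanner reporting nothing does not prove nothing was left behind; the safe course for the main drive is a rebuild from known-good media after the evidence is saved, with RDP kept off (or reachable only through a VPN) on the other machines.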
38 minutes ago, Amigo-A said:

Yes, this is Scarab-Bomber Ransomware or one of its close relatives.

I added this variant as an update yesterday and sent a message to the researchers.

It seems that this is your request, judging by the similarity of the nickname.

Yes that was my request... I was unaware the two forums were linked in any way. 

Is there any chance of these files being decrypted? I have also made a post in the ESET forum as that is my current antivirus provider. 

23 hours ago, classiccor83 said:

I have also made a post in the ESET forum as that is my current antivirus provider. 

Did you collect the log with the help of their collector?
If you are an official user, your files should be decrypted for free. I know that they decrypted several different Scarab variants last year. But then the basic version of the encryptor was updated and the calculation of the key became more complicated. ESET experts will tell you whether it is possible for your files now. Don't forget to tell me when it becomes known.

 

23 hours ago, classiccor83 said:

I was unaware the two forums were linked in any way. 

The forums are aligned around a common goal and several common "Visiting Experts". :)  //  I have been tracking the malicious activities of these extortionists from the very beginning, when it was not yet running, that is, since Globe and Amnesia.

There is also the use of the ID Ransomware service for identifying and cataloging extortionists, for indicating to users the possibility of decryption, obtaining additional information and collecting malicious programs, and exchanging samples for the development and updating of free decryptors...
Well, also my projects in my signature. 


I will be sending files over to them to check and scan this afternoon when I am home from work.

 

What I feel could be useful is a concise guide of settings and tips that people can apply to their machines to try and ensure they are as safe as can be. This is the first time in over a decade that I have had anything happen to the many PCs I have had, never a virus or anything, so it is quite shocking for me. Especially being a sysadmin, I felt my machine was pretty well protected; how wrong I was. 😩


It is impossible to provide 100% security.
Unanticipated incidents happen to any device and any specialist.

Encryptors that have been active for several years are modified many times and made almost invisible to anti-virus protection. I often see many variants of already known ransomware that can be detected by antivirus scanners and recorded in the "DETECTION" section of VirusTotal under a different name, or can be considered non-harmful until they are launched.
