Forcepoint has discovered a scam email campaign that has pushed ransomware via at least 12.5 million emails. Scarab, which has been active since November 23, utilizes the Necurs botnet to send out millions of infected emails every hour.

Scarab was first detected by researchers in June, and it now has the backing of the world’s biggest email spam botnet behind it. The emails read ‘Scanned from HP/Lexmark/Canon’, and has a 7zip file attached.

As in previous iterations, a VBScript file is contained in that file, and the code has several Game of Thrones references. The script mentions Samwell, Jon Snow, and more. Once the payload is delivered, this variant drops a copy of itself, sevnz.exe, in the app data folder.

Time Sensitive Payments

It then informs users, “All your files have been encrypted due to a security problem with your PC. Now you should send  us email with your personal identifier. The will be as confirmation you are ready to pay for decryption key. You have to pay decryption in Bitcoins. The price depends on how fast you write to us.”

Source: Forcepoint

Scarab disables Windows recovery features, encrypts the user’s files, and then deletes the original copy of itself. This time, the attackers also have a backup Bitmessage contact incase the email dies.

The note that tells users to contact quickly for a reduced ransom sum is likely to rush them into a decision. Unfortunately, it may be the best course of action for some, as there’s no way to decrypt the files at the time of writing.

According to Forcepoint’s predictions, ransomware will continue to grow in 2018. It believes these methods won’t dissapear any time soon, so it’s more important than ever to ultilize proper security practices.