ShaunWilliams
Posted December 30, 2018

Hi

One of my customers has been hit with Scarab by the looks of it. Files have been encrypted and renamed with a .nano extension.

I have attached the text file and sample files in a zip.

We have a valid ESET licence.

Is it possible to get a decoder?

Thanks
Shaun

Your files are now encrypted!

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: private-key@foxmail.com

Free decryption as guarantee!
Before paying you can send us up to 1 *.JPG files for free decryption.
The total size of files must be less than 5Mb

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.

PE Stocklist as of 06.06.2016.xlsx.zip

Marcos (Administrators)
Posted December 30, 2018

Please submit the following compressed in an archive to samples[at]eset.com with a link to this topic enclosed:
- a couple of encrypted files (ideally Office documents)
- the ransomware note
- logs from ESET Log Collector (ESET must be installed and activated with a paid license beforehand)

If the archive is too big to send by email, upload ELC logs to a safe location (OneDrive, DropBox, etc.) and enclose a download link instead.

itman
Posted December 30, 2018 (edited)

If this is Scarab ransomware, this is a very recent variant:

Quote: Michael Gillespie @demonslay335, Dec 28
#Scarab #Ransomware using extension ".nano" (note the difference with Aurora's ".Nano" - case matters!). ID Ransomware can detect the difference. Encrypted key in the ransom note is at the very bottom after a ton of newlines.

https://twitter.com/demonslay335?lang=en

Edited December 30, 2018 by itman

ShaunWilliams (Author)
Posted December 31, 2018

Thanks for your replies.

I have sent the emails the documents you need.

I did see the Twitter post yesterday and there is a difference between .Nano and .nano.

itman
Posted December 31, 2018

4 hours ago, ShaunWilliams said:
I did see the twitter post yesterday and there is a difference between .Nano and .nano.

Also, Rapid 3.0 Ransomware uses the .nano extension. So it is imperative the ransomware be positively identified, which can be done here: https://id-ransomware.malwarehunterteam.com/
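
Added example (not written by any poster in this thread, and not how ID Ransomware works internally): a small triage helper for the two points raised above. It counts appended extensions without case folding, lists the families this thread associates with each spelling, and checks whether a ransom note carries a trailing block after a long run of blank lines, so the note is submitted unmodified. The function names, the blank-line threshold and the sample data are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PurePath

# Families this thread associates with each extension; keys are case-sensitive.
CANDIDATES = {".nano": ["Scarab", "Rapid 3.0"], ".Nano": ["Aurora"]}


def triage_extensions(filenames):
    """Count final extensions without case folding; attach the thread's candidates."""
    counts = Counter(PurePath(name).suffix for name in filenames)
    return {ext: (n, CANDIDATES.get(ext, [])) for ext, n in counts.items()}


def trailing_block(note_text, min_blank_lines=5):
    """Return the text after the last long run of blank lines, or None if absent.

    An editor that trims trailing whitespace, or a reader who only checks the
    first screen of the note, would miss this block.
    """
    gap = r"(?:\r?\n[ \t]*){%d,}" % (min_blank_lines + 1)
    parts = re.split(gap, note_text.strip())
    return parts[-1] if len(parts) > 1 else None


# Constructed sample data, not taken from the incident in this thread.
SAMPLE_FILES = ["stock.xlsx.nano", "invoice.docx.nano", "photo.jpg.Nano", "readme.txt"]
SAMPLE_NOTE = (
    "Your files are now encrypted!\n\nContact us ...\n"
    + "\n" * 40
    + "CONSTRUCTED-KEY-LINE-1\nCONSTRUCTED-KEY-LINE-2\n"
)

if __name__ == "__main__":
    for ext, (n, families) in sorted(triage_extensions(SAMPLE_FILES).items()):
        # More than one candidate means the extension alone cannot name the family.
        print(f"{ext!r}: {n} file(s), candidates: {families or 'none listed'}")
    block = trailing_block(SAMPLE_NOTE)
    print("trailing block lines:", len(block.splitlines()) if block else 0)
```

A ".nano" result with two candidates is the ambiguity itman points out; the extension narrows the field but does not identify the family.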