Scarab infected

[ShaunWilliams 0]

Hi

One of my customers has been hit with Scarab by the looks of it.

Files have been encrypted and renamed with a .nano extension.

I have attached the text file and sample files in a zip

We have a valid ESET licence

Is it possible to get a decoder?

Thanks

Shaun

 

 

Your files are now encrypted!

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: private-key@foxmail.com

Free decryption as guarantee!
Before paying you can send us up to 1 *.JPG files for free decryption.
The total size of files must be less than 5Mb

Attention!  
 * Do not rename encrypted files.
 * Do not try to decrypt your data using third party software, it may cause permanent data loss. 

 
+4IAAAAAAADuezGrHZKHEYAkDMRW0biXzR1DA=6QsjZmvMJUlX011gGnanE=dxQ84thp2xtIXh70B9jRhiNf2lWRts9VlhuFVgbK
ib=g+cUvf5sSMZkwUn2TXWtStwgu9bhitnf3Y+UXpW=JGOUiua9rn7oaMAen+7JWpmRaj2oXH5UX4yGaVqXteGUq3Xv+XlsO5=ZU
Et9CKt41KgZbLRGmd2kJU5e7Ki2MgP5FPyaeeshnTLPPTfHqdEQOUcNuRBpTq=swO3W4iWkJyqyZi88MLeGMAscG+zZS+lSm=Adi
9=BOEBUho0Jmz=BGUcRaN89ii6tTkiYaXyoyfc9MEANX57CbeWuQ3NcLlQIxugCo2sA8mQjyG4QI62ZA0qiGojDExK+sBvmjwTvq
zsgZT+mp43xfBZC4ceHRROUaJV6vP4

 

PE Stocklist as of 06.06.2016.xlsx.zip

[Marcos 5,071]

Please submit the following compressed in an archive to samples[at]eset.com with a link to this topic enclosed:

- a couple of encrypted files (ideally Office documents)
- the ransomware note
- logs from ESET Log Collector (ESET must be installed and activated with a paid license beforehand)

If the archive is too big to send by email, upload ELC logs to a safe location (OneDrive, DropBox, etc.) and enclose a download link instead.

[itman 1,659]

If this is Scarab ransomware, this is a very recent variant:

Quote

Michael Gillespie‏ @demonslay335 Dec 28

#Scarab #Ransomware using extension ".nano" (note the difference with Aurora's ".Nano" - case matters!). ID Ransomware can detect the difference. Encrypted key in the ransom note is at the very bottom after a ton of newlines.

https://twitter.com/demonslay335?lang=en

Edited December 30, 2018 by itman

[ShaunWilliams 0]

Thanks for your replies I have sent the emails the documents you need. I did see the twitter post yesterday and there is a difference between .Nano and .nano.

[itman 1,659]

4 hours ago, ShaunWilliams said:

I did see the twitter post yesterday and there is a difference between .Nano and .nano.

Also, Rapid 3.0 Ransomware uses the .nano extension. So it is imperative the ransomware be positively identified which can be done here: https://id-ransomware.malwarehunterteam.com/