
Scarab infected



One of my customers has been hit with Scarab by the looks of it.

Files have been encrypted and renamed with a .nano extension.

I have attached the text file and sample files in a zip.

We have a valid ESET licence.

Is it possible to get a decoder?





Your files are now encrypted!

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: private-key@foxmail.com

Free decryption as guarantee!
Before paying you can send us up to 1 *.JPG files for free decryption.
The total size of files must be less than 5Mb

 * Do not rename encrypted files.
 * Do not try to decrypt your data using third party software, it may cause permanent data loss. 



PE Stocklist as of 06.06.2016.xlsx.zip


  • Administrators

Please submit the following compressed in an archive to samples[at]eset.com with a link to this topic enclosed:

- a couple of encrypted files (ideally Office documents)
- the ransomware note
- logs from ESET Log Collector (ESET must be installed and activated with a paid license beforehand)

If the archive is too big to send by email, upload ELC logs to a safe location (OneDrive, DropBox, etc.) and enclose a download link instead.


If this is Scarab ransomware, this is a very recent variant:


Michael Gillespie @demonslay335 Dec 28

#Scarab #Ransomware using extension ".nano" (note the difference with Aurora's ".Nano" - case matters!). ID Ransomware can detect the difference. Encrypted key in the ransom note is at the very bottom after a ton of newlines.

Edited by itman

4 hours ago, ShaunWilliams said:

I did see the Twitter post yesterday and there is a difference between .Nano and .nano.

Also, Rapid 3.0 Ransomware uses the .nano extension. So it is imperative the ransomware be positively identified, which can be done here: https://id-ransomware.malwarehunterteam.com/


This topic is now closed to further replies.
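
The case distinction and the ransom-note layout discussed in this thread can be checked during triage with a short script. This is an added example, not code from any poster or from ESET; the blank-line threshold, the function names and the sample data are assumptions, and the result is only a list of candidates to confirm with ID Ransomware.

```python
import re
from pathlib import PurePath

# Candidate families per exact-case extension, taken only from this thread.
# An extension narrows the field; it does not identify the family.
CANDIDATES = {
    ".nano": ["Scarab", "Rapid 3.0"],
    ".Nano": ["Aurora"],
}

def candidate_families(filename):
    """Families whose extension equals the file's suffix, compared case-sensitively."""
    return CANDIDATES.get(PurePath(filename).suffix, [])

def trailing_block(note_text, min_blank_lines=5):
    """Return the text after the last long run of blank lines in a ransom note.

    The thread says the encrypted key sits at the very bottom after many
    newlines; the threshold of 5 blank lines is an assumption.
    """
    text = note_text.replace("\r\n", "\n").rstrip()
    gap = re.compile(r"\n(?:[ \t]*\n){%d,}" % min_blank_lines)
    last = None
    for last in gap.finditer(text):
        pass  # keep only the final match
    return text[last.end():].strip() if last else None

def triage(filenames, note_text):
    """Collect what to submit to an identification service or AV vendor."""
    hits = {}
    for name in filenames:
        families = candidate_families(name)
        if families:
            hits[name] = families
    return {"files": hits, "note_tail": trailing_block(note_text)}

# Constructed sample data (not taken from the attached archive).
SAMPLE_FILES = ["report.xlsx.nano", "photo.jpg.Nano", "notes.txt", "backup.NANO"]
SAMPLE_NOTE = "Your files are now encrypted!\n" + "\n" * 40 + "PLACEHOLDER-KEY-BLOCK\n"

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_NOTE))
```

Running the script on a case-insensitive file listing (for example one produced by a tool that lowercases names) defeats the check, so collect file names exactly as stored on disk.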