ShaunWilliams

Scarab infected


Hi

One of my customers has been hit with Scarab by the looks of it.

Files have been encrypted and renamed with a .nano extension.

I have attached the text file and sample files in a zip

We have a valid ESET licence

Is it possible to get a decoder?

Thanks

Shaun

 

 

Your files are now encrypted!

All your files have been encrypted due to a security problem with your PC.

Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

Contact us using this email address: private-key@foxmail.com

Free decryption as guarantee!
Before paying you can send us up to 1 *.JPG files for free decryption.
The total size of files must be less than 5Mb

Attention!  
 * Do not rename encrypted files.
 * Do not try to decrypt your data using third party software, it may cause permanent data loss. 

 

 

PE Stocklist as of 06.06.2016.xlsx.zip


Please submit the following compressed in an archive to samples[at]eset.com with a link to this topic enclosed:

- a couple of encrypted files (ideally Office documents)
- the ransomware note
- logs from ESET Log Collector (ESET must be installed and activated with a paid license beforehand)

If the archive is too big to send by email, upload ELC logs to a safe location (OneDrive, DropBox, etc.) and enclose a download link instead.


If this is Scarab ransomware, this is a very recent variant:

Quote

Michael Gillespie @demonslay335 Dec 28

#Scarab #Ransomware using extension ".nano" (note the difference with Aurora's ".Nano" - case matters!). ID Ransomware can detect the difference. Encrypted key in the ransom note is at the very bottom after a ton of newlines.

Edited by itman


Thanks for your replies. I have sent the emails with the documents you need. I did see the Twitter post yesterday and there is a difference between .Nano and .nano.

4 hours ago, ShaunWilliams said:

I did see the Twitter post yesterday and there is a difference between .Nano and .nano.

Also, Rapid 3.0 Ransomware uses the .nano extension. So it is imperative the ransomware be positively identified, which can be done here: https://id-ransomware.malwarehunterteam.com/
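
Added example, not part of the thread and not ESET's or ID Ransomware's code: a Python triage helper that applies the two points raised above, comparing extensions case-sensitively and pulling the identifier block from the bottom of the note so it is not lost when the note is copied. The function names, the blank-line threshold and the sample data are assumptions of this example; the extension table only narrows the candidates named in the thread and does not replace positive identification.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extension -> candidate families, exactly as named in this thread.
# Keys are case-sensitive on purpose: ".nano" and ".Nano" are different leads.
CANDIDATES = {".nano": ["Scarab", "Rapid 3.0"], ".Nano": ["Aurora"]}

def classify_extensions(filenames):
    """Count files per exact-case final extension; keep only known ones."""
    counts = Counter(PureWindowsPath(name).suffix for name in filenames)
    return {ext: {"files": n, "candidates": CANDIDATES[ext]}
            for ext, n in counts.items() if ext in CANDIDATES}

def split_note(note_text, min_blank_lines=3):
    """Return (message, trailing_block) for a ransom note.

    The trailing block is the text after the last run of at least
    min_blank_lines empty lines (threshold is this example's assumption).
    Its lines are joined so the identifier can be handed over intact.
    """
    text = note_text.rstrip()
    gap = re.compile(r"(?:[ \t]*\r?\n){%d,}" % (min_blank_lines + 1))
    runs = list(gap.finditer(text))
    if not runs:
        return text, ""
    last = runs[-1]
    return text[:last.start()].rstrip(), "".join(text[last.end():].split())

# Constructed sample data, not taken from the attached files.
SAMPLE_FILES = [r"C:\Docs\budget.xlsx.nano", r"C:\Docs\photo.jpg.nano",
                r"C:\Docs\report.docx.Nano", r"C:\Docs\readme.txt"]
SAMPLE_NOTE = ("Your files are now encrypted!\n\n"
               "Contact us at the address in this note.\n"
               + "\n" * 40
               + "CONSTRUCTED-ID-LINE-1\nCONSTRUCTED-ID-LINE-2\n")

if __name__ == "__main__":
    for ext, info in classify_extensions(SAMPLE_FILES).items():
        print(ext, info["files"], "file(s); candidates:", info["candidates"])
    message, block = split_note(SAMPLE_NOTE)
    print("note message lines:", len(message.splitlines()))
    print("trailing identifier block:", block)
```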
