The newest large-scale global attack is being delivered at the rate of 2 million emails per hour. This ransomware, delivered via the Necurs botnet, arrives as an email attachment with a “.7z” (7-Zip) extension. The email looks as if it is coming from a copier, scanner, or printer with an attached scan, and has a subject line like “Scanned from HP.” Opening the attachment allows the malware to activate, attempt to download the ransomware package, and possibly begin encrypting your machine. For information on how this two-step ransomware process works, see our free recorded webinar here.
This particular ransomware is just a new variation of an older encrypting malware. Unfortunately, it is disguised enough to be undetectable by most security tools. If it successfully encrypts files on the victim’s machine, it then opens a message telling the victim where to pay the ransom. One oddity is that this variation does not quote a ransom amount, but suggests that the amount depends on how quickly you respond to the attackers through email or Bitmessage.
What can we do?
- First, don’t open any unexpected emails from your scanner or copier, and verify that the machine sending you the email is actually your copier/scanner/printer before you open anything with a “.7z” extension. (BTW you should do this with pretty much any unexpected attachment… Verify. Verify. Verify…)
- Back up your systems so that if you do get attacked, you can go back to a previous known good image.
- Once the AV companies have released an update to cover the Scarab ransomware, make sure your security tools are updated.
- DO NOT PAY the ransom – this may be impossible if you did not have any backups, but paying the attackers is always a bad idea.
- There is no known decryption tool available yet. So, if you haven’t backed up recently you may have to just have the machine wiped. Never trust a device that has been compromised. The attackers like to leave tools behind that will allow them to attack you again.
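The first check in the list above can also be run at the mail gateway or in a triage script. The following is an added example, not SecuLore's code: the trusted scanner address, the `corp.example` names and the verdict labels are assumptions, and it goes slightly beyond the advice above by also matching the 7-Zip file signature so that a renamed archive is still caught.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the addresses your own copiers/scanners actually send from.
TRUSTED_SCANNERS = {"scanner@corp.example"}
# Subject lure quoted in the advisory ("Scanned from HP"), matched for any vendor.
LURE_SUBJECT = re.compile(r"^\s*scanned from\b", re.IGNORECASE)
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7-Zip file signature

def seven_zip_attachments(msg):
    """Return names of attachments that are 7-Zip by extension or by signature."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".7z") or data.startswith(SEVENZIP_MAGIC):
            hits.append(name)
    return hits

def triage(raw, trusted=TRUSTED_SCANNERS):
    """Classify one raw RFC 5322 message as quarantine / review / deliver."""
    msg = message_from_bytes(raw, policy=policy.default)
    # From is forgeable: in production also check the relay IP or SPF/DKIM result.
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    archives = seven_zip_attachments(msg)
    lure = bool(LURE_SUBJECT.search(str(msg.get("Subject", ""))))
    if archives and sender not in trusted:
        verdict = "quarantine"      # 7z from something that is not our scanner
    elif archives or (lure and sender not in trusted):
        verdict = "review"          # looks like a scan; verify before opening
    else:
        verdict = "deliver"
    return {"verdict": verdict, "sender": sender, "archives": archives, "lure": lure}

def sample(sender, subject, filename, payload):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", subject
    m.set_content("Please find the scan attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_7z = SEVENZIP_MAGIC + b"\x00" * 16   # signature only, not a real archive
    print(triage(sample("copier@mail.example", "Scanned from HP", "image.7z", fake_7z)))
```

A "review" verdict for a 7z from a trusted address is deliberate: the From header alone does not prove the message came from your device.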
Stay Cyber Safe,
The SecuLore Support Team