What is Scarab-Amnesia ransomware? And how does it implement its attack?
Scarab-Amnesia ransomware is a new variant of the infamous Scarab ransomware, discovered at the end of March 2018. It is dubbed “Scarab-Amnesia” because this version of Scarab adds the “.amnesia” extension to the files it encrypts.
Scarab-Amnesia ransomware implements its attack by installing its malicious components on the system, which then create other malicious processes and modify system settings. It targets mostly user-generated files such as images, videos, audio, documents, databases, etc. It uses the AES cipher to lock the targeted files and appends the .amnesia extension to each affected file. Following the encryption, this Scarab variant generates a file named “HOW TO RECOVER ENCRYPTED FILES.txt” which contains a lengthy ransom message stating:
“HOW TO DECRYPT YOUR FILES
HOW TO DECRYPT YOUR FILES
Your personal ID
Your files, documents, photo, databases and all the rest aren’t
They are ciphered by the most reliable enciphering.
It is impossible to restore files without our help.
You will try to restore files independent you will lose files
You will be able to restore files so:
to contact us by e-mail:
* report your ID and we will switch off any removal of files
(if don’t report your ID identifier, then every 24 hours will be
to be removed from 24 files. If the report to ID-we will switch off it)
* you send your ID identifier and 2 files, up to 1 MB in size everyone.
We decipher them, as proof of a possibility of interpretation.
also, you receive the instruction where and how many it is necessary to pay.
you pay and confirm payment.
after payment, you receive the DECODER program. which you restore ALL YOUR FILES.
You have 72 hours of payment.
If you don’t manage to pay in 72 hours, then the price of interpretation increases twice.
The price increases twice each 72 hours.
To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours.
Address for detailed instructions e-mail:
* If you don’t waste time on attempts to decipher, then you will be able to restore all files in 1 hour.
* If you try to decipher – you can FOREVER lose your files.
* Decoders of other users are incompatible with your data as at each user unique key of enciphering
If it is impossible to communicate through mail
* Be registered on the website http://bitmsg.me (service online of sending Bitmessage)
* Write the letter to the address BM-2cVNaCJejHJpnyLrtXYGJVfVdviHfa1jpd with the indication of your mail and the personal identifier and we will communicate.
If you have no bitcoins
* Create Bitcoin purse: https://blockchain.info
* Buy Bitcoin in a convenient way
https://en.wikipedia.org/wiki/Bitcoin (the instruction for beginners)
– It doesn’t make sense to complain of us and to arrange a hysterics.
– Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.
Other people at whom computers are also ciphered you deprive of the ONLY hope to decipher. FOREVER.
– Just contact us, we will stipulate conditions of interpretation of files and available payment, in a friendly situation”
Victims of this crypto-malware are told to pay the ransom in Bitcoins within 72 hours. The ransom note of the first variant was originally written in Russian, but this variant’s ransom note has been translated into English, as you can see. Nevertheless, paying the ransom is not recommended, even though the crooks behind this malware claim they will unlock two encrypted files for free to prove that they have the decryptor.
How does Scarab-Amnesia ransomware spread its malicious payload?
The cybercrooks behind Scarab-Amnesia ransomware use the Necurs botnet to spread the malicious payload of the crypto-malware. At the time of writing, the botnet has already sent about 12.5 million emails carrying a malicious 7Zip archive. The archive contains a Visual Basic script that downloads and installs the new Scarab variant on targeted PCs.
Eliminate Scarab-Amnesia ransomware from your system by following the removal guide below as well as the advanced steps that follow.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu and then expand the Shutdown options which are right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: And in the Troubleshoot menu that opens, click on the Advanced options and then go to the Startup settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab and look for sevnz.exe or mshta.exe and then end its process.
Step 7: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: Look for Scarab-Amnesia Ransomware and then uninstall it.
Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following locations and look for the malicious components created by Scarab-Amnesia ransomware, one of which is its ransom note, HOW TO RECOVER ENCRYPTED FILES.txt, and make sure to delete them all.
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
Step 11: Close the File Explorer.
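Before ending processes or deleting anything in Steps 6 and 10, it helps to record what is actually present. The following read-only PowerShell triage script is an added example, not part of the original guide; it reports the process names, Startup folder, ransom note name and .amnesia extension mentioned above, and the scan root ($env:USERPROFILE) is an assumption you can change.

```powershell
# Added example: read-only triage for the artifacts named in Steps 6 and 10.
# It reports only; it does not end processes or delete files.
$ScanRoot = $env:USERPROFILE   # assumption: limit the file sweep to the current profile
$NoteName = 'HOW TO RECOVER ENCRYPTED FILES.txt'
$Startup  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'

# Step 6: processes named sevnz.exe or mshta.exe. mshta.exe is also a legitimate
# Windows binary, so the image path, command line and signature matter more than the name.
$procs = Get-CimInstance Win32_Process -Filter "Name='sevnz.exe' OR Name='mshta.exe'" |
    ForEach-Object {
        $sig = if ($_.ExecutablePath) {
            (Get-AuthenticodeSignature -LiteralPath $_.ExecutablePath).Status
        } else { 'PathUnavailable' }
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            ParentId    = $_.ParentProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath
            Signature   = $sig
            CommandLine = $_.CommandLine
        }
    }

# Step 10: everything in the per-user Startup folder, including hidden items.
$startupItems = Get-ChildItem -LiteralPath $Startup -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, CreationTime, LastWriteTime

# Ransom notes and encrypted files under the scan root (one pass over the tree).
$hits = Get-ChildItem -LiteralPath $ScanRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $NoteName -or $_.Extension -eq '.amnesia' }
$notes     = @($hits | Where-Object { $_.Name -eq $NoteName })
$encrypted = @($hits | Where-Object { $_.Extension -eq '.amnesia' })

'--- Processes (sevnz.exe / mshta.exe) ---'
$procs | Format-List
'--- Startup folder contents ---'
$startupItems | Format-Table -AutoSize
'--- Ransom notes found: {0} ---' -f $notes.Count
$notes | Sort-Object CreationTime | Select-Object CreationTime, FullName | Format-Table -AutoSize
'--- Encrypted (.amnesia) files found: {0}; top directories ---' -f $encrypted.Count
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# The oldest ransom note gives an approximate start time for the encryption run.
if ($notes.Count -gt 0) {
    'Earliest ransom note created: {0}' -f ($notes | Sort-Object CreationTime)[0].CreationTime
}
```

Save the output before cleaning up; the list of affected directories and the earliest note timestamp are useful when deciding which backups to restore from.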
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use Advanced System Repair Pro; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step 12: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by Scarab-Amnesia ransomware.
Step 14: Delete the registry keys and sub-keys created by Scarab-Amnesia ransomware.
Step 15: Close the Registry Editor and empty your Recycle Bin.
To ensure the removal of Scarab-Amnesia ransomware from your system including the malicious components it has created on your system, follow the advanced steps below.
Perform a full system scan using Advanced System Repair Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, https://www.fixmypcfree.com/download.php?asr in the Run dialog box and then tap Enter or click OK.
- After that, it will download Advanced System Repair Pro. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run Advanced System Repair Pro to perform a full system scan.
- After the scan is completed click the “Fix, Clean & Optimize Now” button.