
Scarab-Leen Ransomware

Posted: June 18, 2018

The Scarab-Leen Ransomware is part of the Scarab Ransomware family of file-locking Trojans, which block your files from opening by encrypting them. Some members of this group can have their locked files restored by free decryption utilities, although the threat actors still drop ransom notes demanding money for their equivalent service. Defenses worth implementing against this threat include backing up your media, reviewing your network security settings, and using anti-malware products to remove the Scarab-Leen Ransomware before it attacks.

Another Computer Bug Subspecies is Reproducing

Centralized threat databases that track file-locking Trojan families such as Hidden Tear, the Globe Ransomware and the Scarab Ransomware are identifying new entries in the last of these. This variant, the Scarab-Leen Ransomware, uses English-language ransom messages, which implies that it doesn't belong to the Russian-targeting Scarabey Ransomware branch. Beyond confirming its family and, through that, its encryption and infection methodologies, malware experts have yet to analyze many details of the Scarab-Leen Ransomware's campaign.

The Scarab-Leen Ransomware, like related Trojans in its collective, such as the Scarab-Rebus Ransomware, the Scarab-Horsia Ransomware, the Scarab-Crypto Ransomware or the Scarab-XTBL Ransomware, uses an embedded AES-256 cipher to lock various media formats, but skips EXE and DLL files. While it encrypts the data, it shows no visible symptoms. Malware experts note that this family also injects additional data in the form of file markers that vary between versions, which could interfere with any attempted decryption solution.

While it locks the user's media, the Scarab-Leen Ransomware also adds a '.leen' extension to the end of each file name without removing the original extension ('picture.jpg' becomes 'picture.jpg.leen'). It then drops a well-known ransom note claiming that a 'security problem with your PC' requires paying Bitcoins to decrypt and recover the data. Users are also offered a free sample of the decryption service for up to three non-essential files. While paying the Bitcoin ransom is not recommendable, the no-charge service can give victims access to old data that could help cyber-security researchers confirm a free and full decryption solution for the Scarab-Leen Ransomware variant.
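Because the original extension survives underneath the appended '.leen', a responder can scope an infection by file type from names alone. The following triage helper is an added example, not code from the page or from any analysis of the Trojan; the sample paths are constructed, and the EXE/DLL check simply follows the page's statement that the family skips those types.

```python
"""Read-only triage of Scarab-Leen style '.leen' double extensions."""
import os
from collections import Counter
from pathlib import PurePath

LOCKED_SUFFIX = ".leen"            # extension appended by the Trojan (from the page)
NORMALLY_SKIPPED = {".exe", ".dll"}  # types the page says the family does not encrypt

# Constructed sample paths standing in for a scanned tree.
SAMPLE_PATHS = [
    "C:/Users/a/Documents/picture.jpg.leen",
    "C:/Users/a/Documents/report.docx.leen",
    "C:/Users/a/Documents/notes.txt",          # untouched file
    "C:/Users/a/Backups/archive.tar.gz.leen",
    "C:/Users/a/README.leen",                  # had no extension before locking
    "C:/Tools/tool.exe.leen",                  # unexpected for this family
]

def original_name(name):
    """Return the pre-encryption file name, or None if '.leen' is not appended."""
    if not name.lower().endswith(LOCKED_SUFFIX) or len(name) == len(LOCKED_SUFFIX):
        return None
    return name[: -len(LOCKED_SUFFIX)]

def classify(paths):
    """Group locked files by recovered original extension ('' if none).

    Also returns paths whose original type the family is documented as skipping,
    since such hits deserve a second look rather than an assumption.
    """
    by_ext, anomalies = {}, []
    for p in paths:
        orig = original_name(PurePath(p).name)
        if orig is None:
            continue
        ext = PurePath(orig).suffix.lower()
        by_ext.setdefault(ext, []).append(p)
        if ext in NORMALLY_SKIPPED:
            anomalies.append(p)
    return by_ext, anomalies

def scan_tree(root):
    """Yield every file path under root; nothing on disk is modified."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)

def summarize(by_ext):
    """Count locked files per original extension for an impact overview."""
    return Counter({ext: len(v) for ext, v in by_ext.items()})

if __name__ == "__main__":
    import sys
    paths = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    grouped, odd = classify(paths)
    for ext, n in summarize(grouped).most_common():
        print(f"{ext or '(no extension)'}: {n} locked file(s)")
    if odd:
        print("Hits on types this family normally skips:", *odd, sep="\n  ")
```

Run with a directory argument to walk a real tree; without one it reports on the constructed sample.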

Keeping a Pest from Overrunning Your Network

Many different threat actors use branches and updates of the Scarab-Leen Ransomware's family, following the same underground business model that malware experts previously noted in Ransomware-as-a-Service groups like the Globe Ransomware. This frequent turnover in administration means that the Scarab-Leen Ransomware could circulate through multiple, unpredictable methods. However, spam e-mail, manual brute-force attacks on networks, and the exploitation of RDP features are seen frequently in most Scarab Ransomware attacks.

Users should monitor their RDP settings and logs for any unusual signs of access and maintain unique, complex passwords to keep criminals from breaking into their networks. E-mail-based attacks that circulate file-locking Trojans almost always disguise the attachment or link as a delivery message, invoice, workplace equipment notice or other business-related content. Double-check the sender's identity when necessary, and have anti-malware products scan new downloads to remove the Scarab-Leen Ransomware before it encrypts any of your files.

If its growth continues at the current rate, versions of the Scarab-Leen Ransomware's family may soon rival English-language RaaS families like Hidden Tear in sheer proliferation. Whatever names or extensions they use, the Scarab-Leen Ransomware and its siblings are evidence of the dangers of neglecting your backups, using brute-force-vulnerable passwords or ignoring your port settings.
