Scarab-Oops Ransomware

A new version of the Scarab-Bin ransomware was spotted recently by security researchers. The ransomware is called Scarab-Oops, after the extension it appends to encrypted files. The Scarab Ransomware family was already large enough and growing regularly so that the new extension variant is not much of a surprise.

The files scrambled by the Scarab-Oops only receive the ".Oops" extension, unlike the Scarab-Bin Ransomware, which also inserted a unique victim ID between the old and the new extension. A sample file called "ledger.xlsx" will turn into "ledger.xlsx.Oops" once encrypted by Scarab-Oops Ransomware. The actual payload of the Scarab-Oops Ransomware is a randomly named executable, as is common with many other similar threats. The Scarab-Oops Ransomware affects MS Office files, PDF, plain text, database, media and archive files.

The Scarab-Oops Ransomware places its ransom note in a file named 'HOW TO RECOVER ENCRYPTED FILES.TXT.' The new campaign using the Scarab-Oops Ransomware also uses different emails for contacting the bad actors behind it - dec_helper at aol.com and datarecovery at airmail.cc. The text of the ransom note is as follows:

'All your files are encrypted!
To return the files, write to the mail:
dec_helper at aol.com
datarecovery at airmail.cc
In the letter, specify your ID and attach several files for decryption.
Attempts to recover files, destroy them forever!
Your personal ID:
[long alpha-numeric string]'

There is no available decryption tool for the files and systems affected by the Scarab-Oops Ransomware currently.