Scarab-Deep Ransomware

What is Scarab-Deep Ransomware?

If you are not careful about the security of your operating system, Scarab-Deep Ransomware might attack in a very clandestine way. It appears that the infection could use spam emails to expose gullible and careless users to the malicious launcher. Unreliable installers and unguarded remote access connections could be used to drop malware too. Once installed, the infection can successfully encrypt files that you would call personal, including documents, media content, or photos. The “.deep” extension is added to all of the files that are corrupted. The sad thing is that you cannot restore files by removing the added extension or the infection itself. The only thing that can help is a decryptor, and it is in the hands of cyber criminals. In some cases, free decryptors exist, but research team informs that it does not exist for this malware. To put the cherry on top of the cake, the ransomware also drops another piece of malware, a banking Trojan. The good news is there is a way to delete Scarab-Deep Ransomware and the malicious Trojan at the same time.testtest

How does Scarab-Deep Ransomware work?

Scarab-Deep Ransomware is a version of another well-known threat, Scarab-Bomber Ransomware. Though there are many similarities, this is the first infection in the Scarab family to drop additional malware; at least, that is what was found. As soon as the ransomware is executed, the ClipBanker banking Trojan is downloaded, which puts you at risk of the theft of banking information. This could lead to the theft of money as well. Our sample dropped two copies of the Trojan to two different locations (%TEMP% and %APPDATA%\Microsoft\Windows\), and an entry in the Registry (HKEY_USERS\S-1-5-21-563032844-4108150345-4119072607-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN) was created as well. The same Registry path is used to create a point of execution for a text file that delivers the ransom note. This file is called “HOW TO RECOVER ENCRYPTED FILES.TXT,” and it is originally created in the %USERPROFILE% directory; however, multiple copies in all folders containing corrupted files should be created. Without a doubt, you need to delete all copies of this text file. You also need to remove all other components of the ransomware and the accompanying Trojan.

If you believe that your files will be decrypted as soon as you remove Scarab-Deep Ransomware, we have to disappoint you. The threat does not lock your files or blocks access to them. It encrypts them, which means that data of the files is changed. In order to decrypt files, a special key is needed. That is what the creator of the ransomware holds over the heads of all victims. The “WARNING” message on the Desktop and the note in the HOW TO RECOVER ENCRYPTED FILES.TXT file inform that a payment must be made to obtain a decryptor. First, the victim has to email an ID code to to receive more information. The initial Scarab-Deep Ransomware message suggests that the victim would be asked to pay a ransom in Bitcoins, a crypto-currency favored by ransomware creators. Paying it is foolish because you cannot expect cyber crooks to keep their promises. Unfortunately, if you do not have backups that contain copies of personal files, this is the only option that you are offered.

How to delete Scarab-Deep Ransomware

Victims of Scarab-Deep Ransomware are strongly recommended to implement anti-malware software to inspect and clean their operating systems, as well as to protect them against malicious threats in the future. Sure, you might be able to find the launcher of the malicious file-encryptor, and you might be able to successfully remove ClipBanker components too, but the process can be complicated; especially to inexperienced users. If you are not sure you can eliminate the threat from your operating system, we do not recommend following the guide below. If you want a challenge, go for it, but make sure you are careful. Afterward, install a trusted malware scanner (note that free ones exist) to inspect the system. If leftovers exist, you want to know about them so that you could delete them in time. Our research team is ready to answer other questions you might have about Scarab-Deep Ransomware and the protection of your operating system. Just add a comment below.

Removal Guide

  1. Tap keys Win+R to access RUN and enter regedit.exe into the dialog box.
  2. Move to HKU\S-1-5-21-563032844-4108150345-4119072607-1000\Software\Microsoft\Windows\CurrentVersion\Run.
  3. Delete 2 values that represent the Trojan’s file (updlive) and the ransom note file (random name).
  4. Tap keys Win+E to access Windows Explorer.
  5. Enter %USERPROFILE% into the bar.
  6. Delete the file named HOW TO RECOVER ENCRYPTED FILES.TXT (note that copies of this files exist all over the PC, and you should eliminate them too).
  7. Enter %TEMP% into the bar.
  8. Delete the Trojan’s file with a random name.
  9. Enter %APPDATA%\Microsoft\Windows\ into the bar.
  10. Delete the Trojan’s file named updlive.exe
  11. Delete all recently downloaded suspicious files (the point is to erase the original .exe file).
  12. Empty Recycle Bin.
  13. Perform a full system scan using a legitimate malware scanner. 100% FREE spyware scan and
    tested removal of Scarab-Deep Ransomware*


Leave a Comment

Enter the numbers in the box to the right *