Scarab Virus Removal Guide. Restore Your PC and .scarab Files

Scarab Virus featured image

The Scarab virus is a ransomware that uses the AES cipher to encrypt valuable system and user files. Its encryption engine marks the affected files with the .scarab extension and extorts the victims to pay a fee. Users can restore their computers and recover the files by following the instructions in our removal guide.
Manual Removal Guide
Recover Scarab Virus Files
Skip all steps and download anti-malware tool that will safely scan and clean your PC.

DOWNLOAD Scarab Virus Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

How Does Scarab Virus Infiltrate the System?

The Scarab virus is distributed in a single binary executable file that can be spread using different methods depending on the targets and the required scale.

One of the primary infection strategies employed by most ransomware like this one is the coordination of spam email messages. They use social engineering strategies that make the users infect themselves. The emails are made to appear as legitimate companies or government institutions and usually carry the virus as either attached or linked in the body contents.

Office documents and modified software installers can also carry the Scarab virus code. They are spread on hacked or hacker-controlled download sites and popular P2P networks like BitTorrent. The hackers can also create web redirects and ad networks that redirect to them.

Browser hijackers and other malicious add-ons can deliver the Scarab virus as part of their infection behavior.

Related: Spectre Ransomware, CrMore Virus Ransomware

November 2017 .Scarab Virus Attack Campaign

The security community is continuously monitoring the infection attacks carrying the .scarab virus. According to the latest reports a new global attack campaign has been initiated by computer criminals using this particular malware. The distribution strategy relies on e-mail messages that use typical blackmail strategies that seek to manipulate the victims into opening up attached files. It appears that the Necurs botnet is used to spread the majority of the .scarab virus strains.

Some of the captured samples indicate that the hacker use various domains and names that send blank emails containing attached files. The users will find that the payload data is contained within an archive which is named as “archive”, “image”, “invoice” or another string that might spark the victim’s interest. Such files usually contain either an infected document or a malicious installer. Their distinct attack scenarios include the following:

  • Modified Software Installers ‒ Executable files can be used to institute the .scarab virus on the target systems. They are usually disguised as software installer for popular free or trial versions of famous software.
  • Document Payloads ‒ The hackers can bundle the .scarab virus threat in documents of all types including rich text documents, spreadsheets, presentations and databases. Once they are opeend a prompt notification is shown to the victims which asks them to enable the built-in scripts (macros). Once this is done the .scarab virus infection is place onto the target systems.

Infection Flow of Scarab Virus

Security researchers identified a new ransomware threat called the Scarab virus made by an unknown hacker or criminal collective. The initial analysis does not show any similarity between the code and any of the famous malware families.

Upon infection with it the encryption engine is automatically started. It uses the AES cipher to target a predefned list of target file type extensions. They can be customized according to the targets or individual networks. Similar malware like the Scarab virus usually attempt to process as many different files as possible: documents, archives, databases, backups, configuration files, music, photos, videos and etc. Furthermore some of the Scarab Ransomware samples show rename the files using a Base64 algorithm to make recovery more dificult.

Once this is done a ransomware note is crafted in a “IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT” file containg the following message:

Your files are now encrypted!
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: [email protected]
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
* Also you can find other places to buy Bitcoins and beginners guide here:
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The criminals behind the Scarab virus use several blackmail strategies to pressure the users into them:

  • The infection is made to appear as a security precaution. This social engineering trick may be used to fool beginner computer users.
  • The payment needs to be done using the Bitcoin digital currency. All transactions made through this system are anonymous and cannot be traced.
  • An exact sum is not specified. The hackers negotiate the price based on the victims data and responsiveness.
  • The criminals behind the Scarab virus offer a free decryption option to win the victims trust.
  • A contact email is provided that is hosted using a free email hosting solution. Concerned users and victims can contact the hackers using this method as no payment gateway or specialized site has been made at this point.

We expect to see updated versions that include additional modules and features as well as any further hacker attacks if the initial wave proves to be succesful.

Remove Scarab Virus and Restore Data

WARNING! Manual removal of Scarab Virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.

DOWNLOAD Anti-Malware Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Scarab Virus – Manual Removal Steps

Start the PC in Safe Mode with Network

This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps bellow are applicable to all Windows versions.

1. Hit the WIN Key + R

2. A Run window will appear. In it, write msconfig and then press Enter

3. A Configuration box shall appear. In it Choose the tab named Boot

4. Mark Safe Boot option and then go to Network under it to tick it too

5. Apply -> OK

Show Hidden Files

Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.

1. Open My Computer/This PC

2. Windows 7

    – Click on Organize button
    – Select Folder and search options
    – Select the View tab
    – Go under Hidden files and folders and mark Show hidden files and folders option

3. Windows 8/ 10

    – Open View tab
    – Mark Hidden items option

how to make hidden files visible in Windows 8 10 bestsecuritysearch instructions

4. Click Apply and then OK button

Enter Windows Task Manager and Stop Malicious Processes

1. Hit the following key combination: CTRL+SHIFT+ESC

2. Get over to Processes

3. When you find suspicious process right click on it and select Open File Location

4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process

5. Next, you should go folder where the malicious file is located and delete it

Repair Windows Registry

1. Again type simultaneously the WIN Key + R key combination

2. In the box, write regedit and hit Enter

3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable

4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Click for more information about Windows Registry and further repair help

Recover Scarab Virus Files

WARNING! All files and objects associated with Scarab Virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.

DOWNLOAD Scarab Virus Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

1. Use present backups

2. Use professional data recovery software

Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.

3. Using System Restore Point

    – Hit WIN Key
    – Select “Open System Restore” and follow the steps


4. Restore your personal files using File History

    – Hit WIN Key
    – Type restore your files in the search box
    – Select Restore your files with File History
    – Choose a folder or type the name of the file in the search bar
    – Hit the “Restore” button

Preventive Security Measures

  • Enable and properly configure your Firewall.
  • Install and maintain reliable anti-malware software.
  • Secure your web browser.
  • Check regularly for available software updates and apply them.
  • Disable macros in Office documents.
  • Use strong passwords.
  • Don’t open attachments or click on links unless you’re certain they’re safe.
  • Backup regularly your data.
  • Was this content helpful?

    Author : Martin Beltov

    Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

    Related Posts

    Leave a Reply

    Your email address will not be published. Required fields are marked *