What is Scarab .firmabilgileri ransomware? And how does it implement its attack?
Scarab .firmabilgileri ransomware is one of the latest additions to the Scarab ransomware family. This new iteration of Scarab ransomware is designed to encrypt files on a computer and demand a ransom from its victims. Like the other Scarab variant, GIOTINE FIDY ransomware, which was discovered not too long ago, Scarab .firmabilgileri ransomware targets Turkish-speaking users, judging by its ransom note, which is written in Turkish.
Once its malicious payload infiltrates the system, Scarab .firmabilgileri ransomware begins its attack by establishing a connection to a remote server. From there, it downloads other malicious files and places them in system folders. It then runs an information-gathering module that collects data about the user and the computer. The collected data, along with some of the malicious components, is used by the stealth protection module, which hides the ransomware from any security programs that might be able to detect it. It also modifies the Windows Registry so that it runs automatically on every system startup. Once these changes are in place, it starts the encryption process. After the encryption is completed, it appends the .firmabilgileri extension to every encrypted file and drops a text file named “benioku.txt”, which contains the following message written in Turkish:
“Tum Dosyalariniz Sifrelenmistir!
Serverinizde bulunan bir guvenlik acigindan faydalanarak serverinize girdim ve kayda deger buldugum bilgilerinizi Sifrelemis Bulunmaktayim!
Verilerinizi geriye buldugum sekilde koymami isterseniz bunun sartlari konusunda anlasmak uzere bana datastore20189mail.ru adresine saat 10:00 a kadar serverinizin ip
numarasini da iceren bir mail atiniz kosullar
konusunda anlasalim. Saat 10:00 dan sonra donuslerle ilgilenmiyorum!!!!
Para Verseniz Daha Acmazlar Diyen Bilgisayarcilara ( Ozellikle Bu Aciga Neden olmalarina Ragmen piskin piskin 300 500 TL Format ve Programlarin Kurulum Parasi isterler) ve ya
Parani Alir Dosyalarini Vermez
Diyen Etrafinizdaki insanlara inanmayin!
Dikkatinizi Cekmek Istediginiz Bazi Hususlar Var!
Size Guven Verecek Yeterli Referansa Sahibim Daha Önce HacklediPim Bir Firmayy Arayarak Dosyalari Açip Açmadigimi Sorabilirsiniz
Aciklarinizi Kapatarak Bir Daha 8?yle Bir Olay Yasamamaniz icin Gerekli Guvenlik Tedbirlerini Anlatirim.
Sizi tanimiyorum, dolayisi ile size karsi kotu duygular beslememin size kotuluk yapmanin bir anlami da yok, amacim sadece bu isten
Yaptiginiz odeme sonrasinda en kisa zamanda verilerinizi eski haline getirmek icin sunucunuza baglanacagim.
Benimle iletisime gecmek icin asagidaki email adresini kullanin,
Eger odeme yaparsaniz dosyalarinizi otomoatik olarak cozecek bir yazilim gonderecegim.
Eger odeme yapmazsaniz dosyalariniz sonsuza dek sifreli kalacak.
Asagidaki hususlara dikkat edin!
Internette buldugunuz ucretsiz araclari denemeyin, dosyalarinizi tamamen bozabilirsiniz.
Lutfen dosyalariniza bilincsiz mudahalelerde bulunmayin ve bilgisi olmayan kimseye bilgisayarinizi vermeyin.
Her kullanicinin benzersiz bir sifreleme anahtari oldugu icin diger kullanicilarin sifre cozuculeri verilerinizle uyumlu degildir.”
The ransom note of Scarab .firmabilgileri ransomware states that your files are encrypted and that you have to pay the ransom in order to recover them. However, doing so is certainly not recommended. Paying the ransom does not guarantee the recovery of your files. In fact, it is a big risk, and your chances of getting the decryption software are slim to none. That’s why the best thing you can do for now is to delete Scarab .firmabilgileri ransomware from your computer as soon as possible.
How does Scarab .firmabilgileri ransomware spread online?
Scarab .firmabilgileri ransomware might spread via spam emails, as with the other Scarab variants. So you must take precautions when downloading attachments from your emails, and don’t ever hastily click links in them either.
Delete Scarab .firmabilgileri ransomware by following the removal guide prepared below.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu and then expand the Shut down options, which are right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: In the Troubleshoot menu that opens, click on the Advanced options and then go to the Startup settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab, look for any suspicious-looking processes that could be related to Scarab .firmabilgileri ransomware, and then end them.
Step 7: Exit the Task Manager and then tap the Win + R keys to open Run and type “appwiz.cpl” in the field and hit Enter to open Programs and Features in Control Panel.
Step 8: From the list of installed programs, look for any suspicious ones that could be related to Scarab .firmabilgileri ransomware and then uninstall them.
Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following locations and look for the malicious components created by Scarab .firmabilgileri ransomware like benioku.txt and other dubious files and then make sure to delete them all.
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name]; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 12: Tap Win + R to open Run, type regedit in the field, and tap Enter to pull up Windows Registry.
Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by Scarab .firmabilgileri ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 14: Delete the registry keys and sub-keys created by Scarab .firmabilgileri ransomware.
Step 15: Close the Registry Editor and empty the contents of the Recycle Bin.
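As an added example (not part of the original guide and not taken from any vendor tool), the PowerShell below does a read-only sweep for the artifacts named in Steps 10 and 13: the .firmabilgileri extension, benioku.txt, the per-user Startup folder, and the two Control Panel\Desktop registry paths. The $Root starting folder, the Add-Finding helper, and the choice to report only registry values whose data looks like a file path are assumptions made for this example.

```powershell
# Added example: read-only triage. It lists indicators and changes nothing.
$Root = $env:USERPROFILE   # assumption: start at the user profile; set to e.g. 'D:\' to widen
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item; Detail = $Detail })
}

# 1. Encrypted files (.firmabilgileri) and copies of the ransom note (benioku.txt).
Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $stamp = $_.LastWriteTime.ToString('s')
        if ($_.Name -eq 'benioku.txt') { Add-Finding 'RansomNote' $_.FullName $stamp }
        elseif ($_.Extension -eq '.firmabilgileri') { Add-Finding 'EncryptedFile' $_.FullName $stamp }
    }

# 2. Everything in the per-user Startup folder from Step 10, for manual review.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
Get-ChildItem -LiteralPath $startup -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'desktop.ini' } |
    ForEach-Object { Add-Finding 'StartupItem' $_.FullName ($_.LastWriteTime.ToString('s')) }

# 3. Values under the Step 13 registry paths whose data points at a file
#    (for example Wallpaper or SCRNSAVE.EXE), to compare with a known-good machine.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$keys = 'Registry::HKEY_CURRENT_USER\Control Panel\Desktop',
        'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
foreach ($key in $keys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # skip provider metadata
        if ($p.Value -is [string] -and $p.Value -match '\\') {
            Add-Finding 'RegistryValue' "$key\$($p.Name)" $p.Value
        }
    }
}

# Summary first, then the full list sorted by kind.
$findings | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
$findings | Sort-Object Kind, Item | Format-Table -AutoSize -Wrap
```

Paste it into a PowerShell prompt before deleting anything and keep the output as a record of which files and settings were affected.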
To ensure the removal of Scarab .firmabilgileri ransomware from your system including the malicious components it has created on your system, follow the advanced steps below.
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly; doing so brings up the Advanced Option.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type the URL address, [product-url], in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed, click the “Fix, Clean & Optimize Now” button.