What is {[email protected]}.exe ransomware? And how does it implement its attack?

{[email protected]}.exe ransomware is one of the latest variant of Scarab ransomware that’s been spotted in August 2019. Specifically, it is a new and improved version of the Scarab-Bin ransomware that uses a “.{[email protected]}.exe” extension in marking its encrypted files. Apart from the extension and email address, as well as its ransom note, there are no other notable changes in this new Scarab variant.
Upon infiltration, {[email protected]}.exe ransomware will make changes in the infected computer. These changes include the new addition of malicious files that are placed in system folders. These malicious files ensure that {[email protected]}.exe ransomware won’t get detected by any antivirus programs installed in the computer while some of these malicious files make adjustments in the Windows Registry to allow the crypto-malware to run in every system boot. After these modifications, {[email protected]}.exe ransomware will begin its main attack by encrypting various files. Right after the encryption, it adds the .bitcoin suffix at the end of every file’s name which signifies that the files are locked. Following data encryption, it releases a text file named “!!! RESTORE YOUR FILES !!!.txt” which contains the following message:
“Hello my friend … =)
All your files do not work, because they are encrypted.
To decrypt the files write me a mails:
[email protected]
[email protected]
You must specify this personal identifier (ID):
+41AAAAAAACZ1P07FZHJEQA5CARTGavIPnH-f3KICbPe2ikqWuihuzXievslvRdz8Sjrr2Ca2xTa Mke1WUWBKLF2FSrkLEgn1ZP5kV6NpFbqu2qe1HXX8AAk6vZZAZT6N03]fwjXVXM2utVdjgHRX +F8qm-wsXPYUYHEHzaoktrFYm7CylhPIV7w4ZhPG0h6tJD9y0DfWDJPEfQdnB0SZ5p3AYoIAW Lss9Ecx319+621pB-jS3vzl0ggYTix5kojN=3GAyrM6TusJ]pdQR=KLoc6aV3MaMKfEaXCgncszwl aMQU0qSGigQR5Xm36MQ9IUFZNRIDk
If you do not receive an answer, write to me again, write at the same time to three mails))”
How is the payload file of {[email protected]}.exe ransomware distributed online?
The payload file of {[email protected]}.exe ransomware is most likely distributed via spam emails. This isn’t surprising as spam emails are the go-to distribution method commonly used not just by scarab developers but also other ransomware developers. Cyber crooks usually attach the malicious payload into these emails and tend to make them look like they were sent by some well-known company or group. This is why you need to be careful in opening emails even if it seem like it is sent by some trusted individual or company as it might contain the malicious payload of Scarab [email protected] ransomware.
Killing {[email protected]}.exe ransomware and its malicious components from your computer wouldn’t be that easy so you need to follow the given removal guide below carefully as well as the advanced steps that follows.
Step 1: Tap the Ctrl + Alt + Delete keys at the same time to open a menu and then expand the Shutdown options which is right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: And in the Troubleshoot menu that opens, click on the Advanced options and then go to the Startup settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab and look for any suspicious-looking processes that could be related to {[email protected]}.exe ransomware and then end their processes.

Step 7: Exit the Task Manager and open the Programs and Features section under Control Panel by pressing the Windows key + R, then type in “appwiz.cpl” and then click OK or tap Enter.
Step 8: From there, look for any suspicious-looking programs that could be related to {[email protected]}.exe ransomware and then uninstall it.

Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Now navigate to the following locations and look for the malicious components created by {[email protected]}.exe ransomware like “!!! RESTORE YOUR FILES !!!.txt” and “[random].exe” and then make sure to delete them all.

• %APPDATA%
• %TEMP%
• %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
• %USERPROFILE%\Downloads
• %USERPROFILE%\Desktop

Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name] this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 12: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by {[email protected]}.exe ransomware.

• HKEY_CURRENT_USER\Control Panel\Desktop\
• HKEY_USERS\.DEFAULT\Control Panel\Desktop\
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Step 14: Delete the registry keys and sub-keys created by {[email protected]}.exe ransomware.
Step 15: Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if {[email protected]}.exe ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

To ensure the removal of {[email protected]}.exe ransomware from your system including the malicious components it has created on your system, follow the advanced steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
 

1. Turn on your computer. If it’s already on, you have to reboot it.
2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

3. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
4. Windows will now load the Safe Mode with Networking.
5. Press and hold both R key and Windows key.

6. If done correctly, the Windows Run Box will show up.
7. Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
8. After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
9. Once the installation process is completed, run [product-code] to perform a full system scan.

10. After the scan is completed click the “Fix, Clean & Optimize Now” button.