Ransomware Research

Scarab 2020-2022 Ransomware

Scarab 2020-2022 is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on April 1, 2020, this ransomware has been actively targeting systems worldwide.

Quick Facts

Ransomware Family
Scarab 2020-2022
First Seen
April 1, 2020

How Scarab 2020-2022 Ransomware Works

Targeted Files

8945204fd97ddfc26a89fc84423dec6ad4fa82a6b38fba1c4f771733f36cb4c4 -> requires C&C 9772f0297b3ad52912400aa7dc154bbc6624c7716589af490a3a3bc71ffc401f -> requires C&C (can be emulated with fakenetNG)

File Encryption Patterns

Scarab 2020-2022 modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

..rbs..DecSec..ncov..scarry..worcservice@protonmail.ch..inc_evilsi@protonmail.ch..cov19..cashdashsentme@protonmail.com..one..coronavirus..hacker_decryption@protonmail.ch..FIXI..amnesia..MAKB..protomolecule@gmx.us..mail..[[File-Help1@Yandex.ru]].mail..[levandos@email.cz].trump..ctb-locker..ambrosia..[Help224@Ya.RU].LOCKED..saved..777..locked..Bioawards..(hupstore@keemail.me)..restoreserver..nginxhole..ARTEMY..aztecdecrypt@protonmail.com..BARRACUDA..[mrbin775@gmx.de].bin..bitcoin..bomber..bomber_test_build..deep..ukrain..sdk..glutton..hitler..iudgkwv..helpersmasters@airmail.cc..yourhope@airmail.cc..wewillhelp@airmail.cc..lolita..stevenseagal@airmail.cc..ironhead..rap..nano..moncrypt..aescrypt..crabs..fuchsia..kes$..harry..alilibat..o$l..sfs..lbkut..crash..crypt000..crypto..ERROR..nosafe..tokog..suffer..CYBERGOD..fastsupport@xmpp.jp..danger..[Dangerbtc@gmx.de].danger..onlinesupport@airmail.cc..supportfiless24@protonmail.ch..online24files@airmail.cc..fastrecovery@xmpp.jp..fastrecovery@xmppp..btchelp@xmpp.jp..inchin..decrypts@airmail.cc..decryptsairmail.cc..[grethen@tuta.io]..DiskDoctor..mammon..DD..Enter..lol..GEFEST..Gefest3..GFS..crabslkt..horsia@airmail.cc..HORSE..horsuke@nuke.africa..good..leen..fast..local..burn..[Jackie7@asia.com]..kitty..langolier..crypt..vally..croc..OBLIVION..omerta..osk..cosmos..frogo..red..please..REBUS..[Help-Mails@Ya.Ru].Scorpio..[firmabilgileri@bk.ru]..firmabilgileri..JohnnieWalker..xtbl..zzzzzzzz..Imshifau..encrypt

Ransom Note and Payment Demands

After encrypting files, Scarab 2020-2022 displays ransom notes demanding payment for file recovery:

fileИнструкция по расшифровке данных.TXT

Ransom message:

notes/Инструкция по расшифровке данных.TXT
fileКак расшифровать файлы scarry.txt

Ransom message:

notes/Как расшифровать файлы scarry.txt
fileИнструкция по расшифровке файлов.TXT

Ransom message:

notes/Инструкция по расшифровке файлов.TXT

Note locations:

EveryFolder
fileHOW TO RECOVER ENCRYPTED FILES.TXT

Ransom message:

notes/HOW TO RECOVER ENCRYPTED FILES.TXT

Note locations:

EveryFolder
fileTO RECOVER.TXT
fileHOW TO DECRYPT FILES.TXT

Ransom message:

notes/HOW TO DECRYPT FILES.TXT

Note locations:

EveryFolder
fileDECRYPT INFORMATION.TXT

Ransom message:

notes/DECRYPT INFORMATION.TXT

Note locations:

EveryFolder
fileHOW TO RESTORE FILES.TXT

Ransom message:

notes/HOW TO RESTORE FILES.TXT

Note locations:

EveryFolder
fileHOW TO RECOVER ENCRYPTED FILES - decrypts@airmail.cc.TXT

Ransom message:

notes/HOW TO RECOVER ENCRYPTED FILES - decrypts@airmail.cc.TXT

Note locations:

EveryFolder
fileКАК ВОССТАНОВИТЬ ЗАШИФРОВАННЫЕ ФАЙЛЫ.TXT

Ransom message:

notes/КАК ВОССТАНОВИТЬ ЗАШИФРОВАННЫЕ ФАЙЛЫ.TXT

Note locations:

EveryFolder
fileInstruction for file recovery.txt
fileИнструкция.TXT
fileInstruction.txt
fileread me.TXT
fileDECRYPT FILES.TXT

Ransom message:

notes/DECRYPT FILES.TXT
fileHOW TO RECOVER ENCRYPTED FILES SRV01.TXT
fileRECOVER ENCRYPTED FILES.TXT

Technical Indicators

Associated Executable Files

The following executable files are associated with Scarab 2020-2022 ransomware:

  • osk.exe
  • system.exe
  • coronavirus.exe
  • guide.exe
  • svchost.exe
  • bndf.exe
  • systemx.exe
  • svchostmsi.exe

Elastio Can Help You

Don't let Scarab 2020-2022 ransomware take over your data

Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.

About This Analysis

This Scarab 2020-2022 ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Scarab 2020-2022.

Last updated: July 30, 2025