Ransomware Research

Scarab-Bomber Ransomware

Scarab-Bomber is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on May 1, 2018, this ransomware has been actively targeting systems worldwide.

Quick Facts

Ransomware Family
Scarab-Bomber
First Seen
May 1, 2018

How Scarab-Bomber Ransomware Works

Targeted Files

https://www.hybrid-analysis.com/sample/96e8ad58e2d5a12f62157f7f76d8c06330871379e2be0dfdfb74e0973041dc13/63de607caedcb24dbe1d70f0 https://app.any.run/tasks/37701682-5e6c-4d83-a581-9232a78cc7c5/ https://app.any.run/tasks/5491aa1e-3de0-4a8c-8f16-e565851549d8/ https://twitter.com/demonslay335/status/1183113858854113280 https://app.any.run/tasks/4e70ee5a-bd01-459f-a770-742f1d85c72a/

File Encryption Patterns

Scarab-Bomber modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

..bomber_test_build..bomber..deep..ukrain..sdk..glutton..hitler..iudgkwv..helpersmasters@airmail.cc..yourhope@airmail.cc..wewillhelp@airmail.cc..stevenseagal@airmail.cc..ironhead..rap..nano..moncrypt..aescrypt..crabs..fuchsia..kes$..alilibat..o$l..sfs..lbkut

Ransom Note and Payment Demands

After encrypting files, Scarab-Bomber displays ransom notes demanding payment for file recovery:

fileHOW TO RECOVER ENCRYPTED FILES.TXT

Ransom message:

notes/HOW TO RECOVER ENCRYPTED FILES.TXT

Note locations:

EveryFolder
file!!!HOW TO RECOVER ENCRYPTED FILES!!!.TXT

Ransom message:

notes/!!!HOW TO RECOVER ENCRYPTED FILES!!!.TXT
fileHow to restore files.TXT

Ransom message:

notes/How to restore files.TXT

Note locations:

EveryFolder
fileHow to restore encrypted files.txt

Ransom message:

notes/How to restore encrypted files.txt
filePLEASE READ.TXT

Ransom message:

notes/PLEASE READ.TXT

Note locations:

EveryFolder
fileHOW TO DECRYPT FILES.TXT

Ransom message:

notes/HOW TO DECRYPT FILES.TXT
fileDECRYPT FILES.TXT

Ransom message:

notes/DECRYPT FILES.TXT
fileИнструкция по расшифровке.TXT

Ransom message:

notes/Инструкция по расшифровке.TXT
fileDECRYPT.TXT

Ransom message:

notes/DECRYPT.TXT
fileИнструкция по расшифровке o$l.TXT

Ransom message:

notes/Инструкция по расшифровке o$l.TXT
fileКАК РАСШИФРОВАТЬ ФАЙЛЫ.TXT

Ransom message:

notes/КАК РАСШИФРОВАТЬ ФАЙЛЫ.TXT

Note locations:

EveryFolder
fileВАШИ ФАЙЛЫ ЗАШИФРОВАНЫ.TXT

Ransom message:

notes/ВАШИ ФАЙЛЫ ЗАШИФРОВАНЫ.TXT

Note locations:

EveryFolder
fileИнструкция по расшифровке файлов.TXT

Technical Indicators

Associated Executable Files

The following executable files are associated with Scarab-Bomber ransomware:

  • ScarabRansomwareUPX.exe
  • osk.exe
  • Where Million
  • file000_osk.exe
  • myfile.exe
  • msvcp_win.dll
  • deep.exe
  • d3dcompiler_43.dll
  • Abandon
  • Abandon.exe
  • sevnz.exe
  • Initiatives
  • Initiatives.exe
  • 1.exe
  • _.scr.exe.bin
  • ap1.exe_
  • ap1.exe
  • Racks
  • nero.exe
  • nero.bin
  • seek1011_output_8cr64.exe
  • svchoste.exe
  • 29. 08. 2019 .scr

Elastio Can Help You

Don't let Scarab-Bomber ransomware take over your data

Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.

About This Analysis

This Scarab-Bomber ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Scarab-Bomber.

Last updated: July 30, 2025

Scarab-Bomber Ransomware - Detectable by Elastio