Ransomware Research
Scarab-Bomber Ransomware
Scarab-Bomber is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on May 1, 2018, this ransomware has been actively targeting systems worldwide.
Quick Facts
- Ransomware Family
- Scarab-Bomber
- First Seen
- May 1, 2018
How Scarab-Bomber Ransomware Works
Targeted Files
https://www.hybrid-analysis.com/sample/96e8ad58e2d5a12f62157f7f76d8c06330871379e2be0dfdfb74e0973041dc13/63de607caedcb24dbe1d70f0 https://app.any.run/tasks/37701682-5e6c-4d83-a581-9232a78cc7c5/ https://app.any.run/tasks/5491aa1e-3de0-4a8c-8f16-e565851549d8/ https://twitter.com/demonslay335/status/1183113858854113280 https://app.any.run/tasks/4e70ee5a-bd01-459f-a770-742f1d85c72a/
File Encryption Patterns
Scarab-Bomber modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..bomber_test_build..bomber..deep..ukrain..sdk..glutton..hitler..iudgkwv..helpersmasters@airmail.cc..yourhope@airmail.cc..wewillhelp@airmail.cc..stevenseagal@airmail.cc..ironhead..rap..nano..moncrypt..aescrypt..crabs..fuchsia..kes$..alilibat..o$l..sfs..lbkutRansom Note and Payment Demands
After encrypting files, Scarab-Bomber displays ransom notes demanding payment for file recovery:
HOW TO RECOVER ENCRYPTED FILES.TXTRansom message:
notes/HOW TO RECOVER ENCRYPTED FILES.TXT
Note locations:
EveryFolder!!!HOW TO RECOVER ENCRYPTED FILES!!!.TXTRansom message:
notes/!!!HOW TO RECOVER ENCRYPTED FILES!!!.TXT
How to restore files.TXTRansom message:
notes/How to restore files.TXT
Note locations:
EveryFolderHow to restore encrypted files.txtRansom message:
notes/How to restore encrypted files.txt
PLEASE READ.TXTRansom message:
notes/PLEASE READ.TXT
Note locations:
EveryFolderHOW TO DECRYPT FILES.TXTRansom message:
notes/HOW TO DECRYPT FILES.TXT
DECRYPT FILES.TXTRansom message:
notes/DECRYPT FILES.TXT
Инструкция по расшифровке.TXTRansom message:
notes/Инструкция по расшифровке.TXT
DECRYPT.TXTRansom message:
notes/DECRYPT.TXT
Инструкция по расшифровке o$l.TXTRansom message:
notes/Инструкция по расшифровке o$l.TXT
КАК РАСШИФРОВАТЬ ФАЙЛЫ.TXTRansom message:
notes/КАК РАСШИФРОВАТЬ ФАЙЛЫ.TXT
Note locations:
EveryFolderВАШИ ФАЙЛЫ ЗАШИФРОВАНЫ.TXTRansom message:
notes/ВАШИ ФАЙЛЫ ЗАШИФРОВАНЫ.TXT
Note locations:
EveryFolderИнструкция по расшифровке файлов.TXTTechnical Indicators
Associated Executable Files
The following executable files are associated with Scarab-Bomber ransomware:
ScarabRansomwareUPX.exeosk.exeWhere Millionfile000_osk.exemyfile.exemsvcp_win.dlldeep.exed3dcompiler_43.dllAbandonAbandon.exesevnz.exeInitiativesInitiatives.exe1.exe_.scr.exe.binap1.exe_ap1.exeRacksnero.exenero.binseek1011_output_8cr64.exesvchoste.exe29. 08. 2019 .scr
Elastio Can Help You
Don't let Scarab-Bomber ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This Scarab-Bomber ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Scarab-Bomber.
Last updated: July 30, 2025