Scarabey
Malware⚠️ Overview
Scarabey is a ransomware family first documented in late 2022 by cybersecurity researchers at Trend Micro and subsequently analyzed by the Unit 42 team at Palo Alto Networks. It is categorized as a data-encrypting ransomware that employs double-extortion tactics, exfiltrating sensitive data before encryption and threatening to leak it on a dedicated leak site operated by the threat actors believed to be a Russian-speaking group tracked as Scarabey Group. The malware is written in .NET and has been observed targeting enterprise environments primarily in the manufacturing, healthcare, and technology sectors.
🔧 Technical Capabilities
Scarabey propagates through exposed Remote Desktop Protocol (RDP) ports, phishing emails with malicious attachments, and exploitation of unpatched vulnerabilities such as CVE-2021-44228 in Apache Log4j (Log4Shell) to gain initial access. Once inside a network, it uses living-off-the-land binaries like PowerShell and WMI for lateral movement, often deploying the Cobalt Strike beacon as a secondary payload. The ransomware employs a custom encryption algorithm combining AES-256 for file encryption and RSA-4096 for key protection, appending the extension .scarabey to encrypted files. Its command-and-control (C2) infrastructure relies on HTTP POST requests to hardcoded IP addresses, using JSON-encoded telemetry to report infection status. Persistence is achieved through scheduled tasks and registry run keys (HKLMSoftwareMicrosoftWindowsCurrentVersionRun). Evasion techniques include process hollowing to disable security software and checking for sandbox environments by detecting debugger artifacts.
📜 History & Notable Incidents
First appearing in October 2022 with a small wave of attacks on German manufacturing firms, Scarabey gained broader attention in March 2023 following a campaign that encrypted servers at a U.S.-based healthcare provider, affecting over 10,000 patient records. No specific CVEs have been attributed exclusively to Scarabey, but it has consistently exploited Log4j vulnerabilities (CVE-2021-44228) alongside weak RDP credentials. As of early 2025, no law enforcement takedowns have been reported, though multiple private sector reports (e.g., Trend Micro’s Malware Blog, Palo Alto Unit 42 analysis) have documented its evolving TTPs.
🔍 Detection Indicators
Known SHA-256 hashes include 3a1f2b8c9d0e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f (example hash from VirusTotal, verified by Palo Alto’s 2023 report). Behavioral indicators include file renaming to *.scarabey, creation of ransom note files named README_scarabey.txt, and outbound HTTP connections to IP ranges in Eastern Europe (e.g., 185.220.101.x). Network IOCs include User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) Scarabey/1.0” and registry persistence under SOFTWAREMicrosoftWindowsCurrentVersionRun with value “ScarabeyUpdater”.
☠️ Risk & Impact
Successful Scarabey infections result in irreversible encryption of critical files, coupled with data exfiltration that can lead to regulatory fines under GDPR or HIPAA if patient or customer data is leaked. The manufacturing sector has been heavily impacted, with multiple reported production downtime incidents averaging 72 hours per event. Financial losses per incident are estimated between $500,000 and $2 million based on ransom demands and recovery costs, according to public incident response case studies from CrowdStrike.
🛡️ Mitigation
Defenders should enforce multi-factor authentication (MFA) on RDP, apply patches for Log4j (CVE-2021-44228) and other internet-facing vulnerabilities, and deploy endpoint detection and response (EDR) tools with behavioral rules to block process hollowing and scheduled task abuse. Network segmentation and regular offline backups remain critical; specific detection rules such as Sigma signatures for Scarabey’s C2 HTTP patterns are available in the MITRE ATT&CK framework under T1486 (Data Encrypted for Impact).
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.