ScareCrow (2022)
Decryptor Available
Yes
Description
The 2022 version of ScareCrow, completely unrelated to the 2019 version, was created by threat actors who leveraged the leaked Conti v2 ransomware builder. As such, it shares most of the characteristics of Conti v2. Most notably, the hybrid mechanism used for file encryption - ChaCha20 encrypts the files, and RSA-4096 encrypts the ChaCha20 key to ensure the victim can't extract that key. The ScareCrow crypto-ransomware drops a simple ransom note that asks victims to contact the ransomware operators using one of three Telegram accounts. Aside from the one sample that changed file extensions to '<file name>.CROW' and knowing it was discovered in late October 2022, there aren't many more notable artifacts to relay.
Ransomware Type
Crypto-Ransomware
First Seen
Last Seen
Extortion Types
Direct Extortion
Communication
Medio
Identificativo
Telegram
@ScareCrowRestore1
Telegram
@ScareCrowRestore2
Telegram
@ScareCrowRestore3
Encryption
Type
Hybrid
Files
ChaCha20
Key
RSA-4096
File Extension
<file name>.CROW
Ransom Note Name
readme.txt
Ransom Note Image
Samples (SHA-256)
7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f
References & Publications