A new ransomware family has appeared recently, created by the developer of the Dridex Trojan and the Locky ransomware.
The new threat is called Bart, and it shares code similarities and an identical distribution mechanism with Locky ransomware. These are the features that allowed researchers to connect the two threats.
The encryption features of Bart are quite similar to those of typical crypto ransomware, though it has some particular features of its own, such as not needing to contact a command and control (C&C) server before starting encryption.
Researchers from PhishMe say that, although Bart is a mainstream encryption ransomware, it uses its own particular means of denying victims access to their files. Bart also shares interface elements with the Locky ransom payment page, but its main distinguishing feature is the ability to encrypt users’ files without first reporting to a C&C server. Instead, Bart might rely on a distinct victim identifier to tell the malware developer which decryption key to use when providing the victim with a decryption tool.
In fact, Bart does not rely on sophisticated encryption techniques to encrypt files; it simply places each file in an individual password-protected zip archive and appends the .bart.zip extension to the affected files.
Bart drops ransom notes in every directory where files have been encrypted. According to security experts, “these ransom note files contain a unique identifier passed as a parameter to the Tor-hosted payment sites when the victim visits any of the links within the note.” Apart from this, the researchers note that the only difference between Bart’s ransom note and Locky’s is the significantly larger demand: 3 Bitcoin, compared to the 0.5 Bitcoin demanded by Locky.
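As an added illustration of the on-disk traces described above (an example written for this page, not code from the article or from the researchers), the check below walks a directory tree looking for *.bart.zip files whose ZIP local header has the password-protection flag set, and for ransom notes that link to a Tor-hosted .onion payment page. The note file name, the sample file contents and the example.onion address are constructed placeholders.

```python
import os
import struct
import tempfile

BART_SUFFIX = ".bart.zip"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flags: traditional password protection


def is_password_protected_zip(path):
    """Read only the first local file header and test the encryption flag bit."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    if len(header) < 8 or not header.startswith(ZIP_LOCAL_HEADER):
        return False
    _version, flags = struct.unpack("<HH", header[4:8])
    return bool(flags & ENCRYPTED_FLAG)


def looks_like_ransom_note(path):
    """Assumption: a note is a text file that links to a Tor-hosted (.onion) payment page."""
    with open(path, "rb") as fh:
        data = fh.read(4096)
    return b".onion" in data.lower()


def scan_for_bart(root):
    """Walk a tree; list Bart-style archives and notes, and flag when both are present."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(BART_SUFFIX) and is_password_protected_zip(full):
                encrypted.append(full)
            elif looks_like_ransom_note(full):
                notes.append(full)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "verdict": bool(encrypted) and bool(notes)}


def build_sample_tree():
    """Constructed sample data (not a real infection) with one positive and one negative archive."""
    root = tempfile.mkdtemp(prefix="bart_demo_")
    zip_header = lambda flags: ZIP_LOCAL_HEADER + struct.pack("<HH", 20, flags) + b"\x00" * 22
    samples = {
        "budget.xlsx.bart.zip": zip_header(ENCRYPTED_FLAG),  # renamed and password-protected
        "old.bart.zip": zip_header(0),                       # same name pattern, no password
        "recover.txt": b"Your files are encrypted. Visit http://example.onion/?id=PLACEHOLDER\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Only the archive that is both renamed and password-protected counts, so a renamed-but-plain file alone does not raise the verdict.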
Bart ransomware is usually distributed via malicious JavaScript attachments in phishing emails, which download and execute the RockLoader dropper (previously seen downloading Dridex, Locky and the Pony/Kegotip info-stealers). According to the experts, the downloader was observed using XOR to hide the malicious executable while downloading it.
Since the beginning of this month, Locky and Dridex have been mostly inactive, while the Necurs botnet, which is responsible for virtually all distribution of these two threats, suffered an outage. Infection operations resumed about a week ago, when Locky displayed new anti-analysis techniques that make its payloads harder to detect. RockLoader’s use of XOR to hide the executable it downloads appears related to this improvement in Locky.
Since its appearance, Bart has mainly attacked users in the USA, though according to researchers from Proofpoint it may soon become an international threat, following in the footsteps of Dridex and Locky.
Currently, Bart ransomware has translations available in Italian, French, German, and Spanish, but it also checks the system language on the infected machine to avoid infecting Russian, Ukrainian, and Belarusian users.
The Proofpoint experts also say that Bart and Locky appear related: they share the same email distribution mechanism, a similar ransom message, the same payment portal style, and the same RockLoader server hosting malicious payloads. In addition, the researchers explain that some code appears to be shared between Locky and Bart, such as the code that sets the user’s desktop background.
What strikes the experts most is that, because Bart does not require communication with C&C infrastructure before encrypting files, the threat could be aimed at corporate networks: it would be able to encrypt PCs behind corporate firewalls that would normally block such traffic.
“Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables,” the experts state.