There are a lot of similarities between Bart and Locky

Jun 25, 2016 21:40 GMT  ·  By

After the return of the Necurs botnet and its main payload, the Locky ransomware, security experts have noticed new ransomware among all the spam the botnet spews on a daily basis.

Called Bart, based on the extension it adds to locked files, the ransomware is not as sophisticated as Locky but bears some resemblance to its older brother.

Because of these similarities to Locky, and the fact that Bart is distributed from the same network from which most Locky spam originates, researchers think there is strong evidence that the same cyber-criminal group created Bart as well.

Bart distribution resembles Locky distribution

Looking at the technical side of the malware, researchers from PhishMe, Proofpoint, and numerous others who have tweeted their findings on Twitter have all noticed a few interesting oddities.

For starters, Bart resembles Locky because it's distributed in the same way, using email spam that delivers a ZIP archive, which, when unzipped, contains a malicious JS file.

Running the JS file downloads RockLoader, an intermediary piece of malware, which then downloads the Bart ransomware. Locky also uses RockLoader in its distribution.

Bart can work offline if needed

At this point, Bart starts showing some of its differences. While Locky would connect to its C&C server to negotiate the encryption process and save a copy of the private key on the server, Bart works without a server-side component.

Bart's entire encryption process runs locally, so the ransomware can operate without an Internet connection.

"Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic," Proofpoint researchers point out. "Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables."
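The gateway rule Proofpoint recommends, a block on ZIP attachments that carry scripts or executables, can be prototyped in a few lines. The following is an added example written for this article, not code from Proofpoint, PhishMe or the article itself; the list of executable suffixes and the nesting limit are assumptions, and the sample archives are constructed in memory with harmless placeholder content.

```python
"""Email-gateway style check: block ZIP attachments whose members are
scripts or executables (the article describes a ZIP carrying a .js dropper).
Added example; the suffix list and MAX_NESTING are assumptions."""
import io
import zipfile
from typing import Dict, List

# Assumption: member name suffixes a gateway should treat as executable.
# The article only names .js; the remaining entries are common script and
# executable types that such a rule would normally cover as well.
EXECUTABLE_SUFFIXES = (
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".com", ".dll", ".cmd", ".bat", ".ps1",
)
MAX_NESTING = 3  # assumption: stop recursing into zip-in-zip at this depth


def executable_members(zip_bytes: bytes, depth: int = 0) -> List[str]:
    """Return archive paths of members ending in an executable suffix.

    Nested ZIP members are opened in memory and inspected too. A member that
    is itself a password-protected ZIP cannot be read, so it is reported as
    suspicious rather than silently skipped. Malformed input is reported too.
    """
    found: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<malformed archive>"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(EXECUTABLE_SUFFIXES):
                found.append(name)
            elif lower.endswith(".zip") and depth < MAX_NESTING:
                # Bit 0 of the general-purpose flag marks an encrypted member.
                if info.flag_bits & 0x1:
                    found.append(name + " (encrypted nested zip)")
                    continue
                inner = executable_members(zf.read(name), depth + 1)
                found.extend(f"{name}/{m}" for m in inner)
    return found


def should_block(zip_bytes: bytes) -> bool:
    """Gateway verdict: True if any executable member (or malformed data) is seen."""
    return bool(executable_members(zip_bytes))


def build_zip(members: Dict[str, object]) -> bytes:
    """Constructed sample builder: a ZIP in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the article's delivery chain (ZIP -> .js file).
# The contents are placeholders, not real droppers.
LURE = build_zip({"invoice_2016.js": "// constructed placeholder\n"})
BENIGN = build_zip({"report.pdf": "%PDF-1.4 constructed placeholder\n"})
NESTED = build_zip({"docs.zip": build_zip({"scan.pdf.js": "// placeholder\n"})})

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN), ("nested", NESTED)):
        print(f"{label:7s} block={should_block(sample)} {executable_members(sample)}")
```

The check matches on the member name rather than the attachment name, because the attachment is just `something.zip`; the double extension `scan.pdf.js` in the nested sample is still caught since only the final suffix is considered.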

Bart locks files in password-protected archives

As for the encryption, things are different. Instead of encrypting files, Bart places each file in its own ZIP archive and then secures that archive with a password.

A file like image.jpeg would be renamed to image.jpeg.bart.zip. Bart targets 159 different file types.

When the file locking process finishes, Bart drops a ransom note as a text file in each folder where it locked files, and changes the user's desktop wallpaper. Researchers note that Bart uses the same ransom note and the same ransom wallpaper as Locky.
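Because Bart leaves its victims' data in individually named archives rather than in opaque ciphertext, an incident responder can inventory what was locked and where from the file names alone. The script below is an added example, not code from the article or from any of the vendors it cites; it walks a directory tree for the `<name>.bart.zip` rename pattern described above, recovers the original file name, records whether each archive is flagged as password-protected, and counts affected folders. The sample tree it builds is constructed and its archives are not password-protected, so the `encrypted` field reads False there, unlike on a real Bart-locked system.

```python
"""Triage helper for Bart-style locking: find <name>.bart.zip files, map them
back to the original names and summarise the affected folders.
Added example; the sample tree is constructed and not password-protected."""
import os
import tempfile
import zipfile
from collections import Counter
from typing import Dict, List

LOCKED_SUFFIX = ".bart.zip"


def original_name(locked_name: str) -> str:
    """image.jpeg.bart.zip -> image.jpeg (the rename the article describes)."""
    if not locked_name.lower().endswith(LOCKED_SUFFIX):
        raise ValueError(f"not a Bart-style name: {locked_name}")
    return locked_name[: -len(LOCKED_SUFFIX)]


def inspect_locked(path: str) -> Dict[str, object]:
    """Describe one locked file: is it a valid ZIP, is its member marked as
    encrypted (password-protected), and does the member name match the
    original filename derived from the outer name."""
    expected = original_name(os.path.basename(path))
    rec: Dict[str, object] = {
        "path": path, "original": expected,
        "valid_zip": False, "encrypted": False, "member_matches": False,
    }
    try:
        with zipfile.ZipFile(path) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return rec  # renamed but not a ZIP: still worth reporting
    rec["valid_zip"] = True
    # Bit 0 of the general-purpose flag is set on password-protected members.
    rec["encrypted"] = any(i.flag_bits & 0x1 for i in infos)
    rec["member_matches"] = any(i.filename == expected for i in infos)
    return rec


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and inspect every file whose name ends in .bart.zip."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(LOCKED_SUFFIX):
                hits.append(inspect_locked(os.path.join(dirpath, fn)))
    return hits


def affected_directories(hits: List[Dict[str, object]]) -> Counter:
    """Count locked files per folder (each such folder also gets a ransom note)."""
    return Counter(os.path.dirname(str(h["path"])) for h in hits)


def build_sample_tree() -> str:
    """Constructed sample: a temp dir with two 'locked' files, one ordinary
    ZIP that must not be flagged, and one untouched text file."""
    root = tempfile.mkdtemp(prefix="bart_sample_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)

    def lock(directory: str, original: str) -> None:
        # Mimics the rename only; no password is applied to this sample.
        with zipfile.ZipFile(os.path.join(directory, original + LOCKED_SUFFIX), "w") as zf:
            zf.writestr(original, b"constructed placeholder content")

    lock(root, "image.jpeg")
    lock(docs, "budget.xlsx")
    with zipfile.ZipFile(os.path.join(docs, "backup.zip"), "w") as zf:
        zf.writestr("readme.txt", b"ordinary archive, not a Bart artifact")
    with open(os.path.join(docs, "untouched.txt"), "w") as fh:
        fh.write("constructed\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = scan_tree(sample_root)
    for hit in found:
        print(hit)
    print(affected_directories(found))
```

On a real host, `encrypted` being True for every hit and `member_matches` being True confirms the pattern the article describes, while a hit with `valid_zip` False or a mismatched member name is worth a closer look, since it may be a different sample or a damaged archive.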

Despite not using strong encryption, Bart asks for a lot of money

Bart asks for a whopping 3 Bitcoin (~$1,800) to unlock the victim's files, an extremely large sum. Each user receives an ID and must visit a Dark Web portal to pay the ransom and receive a decrypter. This payment portal is also a carbon copy of the Locky payment portal.

Currently, researchers are still analyzing the ransomware. If a free decrypter for Bart appears, we'll be updating this post.

UPDATE [July 20, 2016]: A free decrypter capable of recovering files locked by the Bart ransomware has been published by AVG.

Images: Bart ransomware payment portal; Bart ransomware distributed from the same network as Locky; Files locked by the Bart ransomware