This is a security alert for all TruShield clients, the financial services industry, and the community as a whole. We have learned about a new ransomware called Bart that is from the same developers behind Dridex and Locky.
About Bart Ransomware
Security researchers from Proofpoint discovered a new ransomware called Bart. Infection begins with a spam email whose subject line is crafted to entice the recipient into opening it. Once the user opens the attachment, the malicious content is downloaded and installed: it uses RockLoader to fetch the Bart ransomware over HTTPS. Once a user is infected, their files are encrypted.
Bart does not use a cryptographic algorithm such as AES for the encryption itself. Instead, it places the victim's data in a password-protected ZIP archive and appends .bart.zip as the extension of the new file. After the data is encrypted, a ransom note is displayed demanding three bitcoins for the password needed to decrypt the zipped files. If the user does not pay, they do not get their files back. A notable feature of this ransomware is that it does not connect to a command-and-control server while encrypting data; the information it needs is passed in the URL's “id” parameter. According to Proofpoint researchers, the first Bart campaign appears to target mainly the US, but they do not believe the US will remain the only target, given the translations available for the recovery files. Bart does not need internet connectivity to infect a computer, because it does not communicate with any network.
Files that are encrypted by Bart:
Folders Bart will not zip:
- PerfLogs
- Program Files (x86)
- $Recycle.Bin
- System Volume Information
How Does Bart Relate to Other Ransomware?
Bart is said to be created by the same developers as Locky and Dridex because of the intermediary loader it uses, known as RockLoader, which is the same loader employed by Locky. Its payment screen also resembles Locky's. It relates to Dridex because, according to researchers, Bart uses the same email distribution mechanism and the same servers that were hosting Locky and Dridex. It also shares code similarities with Locky.
Indicators of Compromise
Bart uses spam messages to infect its victims. Below are some of the signs of compromise:
- Photos.zip email attachment (SHA256)
- FILE 21076073.js file inside Photos.zip (SHA256)
- RockLoader payload (SHA256)
- 6kuTU1.exe (Bart ransomware)
Recommendations
- Block zipped executables at the email gateway.
- Raise awareness among users about not opening email from unreliable sources.
- Be careful with emails that carry file attachments and do not open unexpected ones.
- Keep computer software and browsers up-to-date.
- Make sure backups are taking place.
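As an added example (not from the TruShield alert or Proofpoint's analysis), two defensive checks in Python that follow from the description above: a gateway-side inspection of ZIP attachments for script or executable members, as in the Photos.zip lure carrying a .js file, and a disk scan for .bart.zip archives that reads the ZIP flag bit a password-protected archive carries. The extension list beyond .js and .exe, the sample file names and the constructed archives are assumptions.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Extensions treated as executable/script content for the gateway rule. The page
# names .js (lure inside Photos.zip) and .exe (payload); the rest is an assumed policy.
RISKY_EXTENSIONS = {".js", ".jse", ".exe", ".scr", ".vbs", ".wsf", ".hta", ".cmd", ".bat"}

def risky_members(zip_bytes: bytes) -> list[str]:
    """Members a gateway should block: script/executable files or nested ZIPs."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(i.filename for i in zf.infolist() if not i.is_dir() and
                      (Path(i.filename).suffix.lower() in RISKY_EXTENSIONS
                       or i.filename.lower().endswith(".zip")))

def scan_for_bart(root: Path) -> list[dict]:
    """Report *.bart.zip archives; bit 0 of the ZIP general-purpose flags marks a
    password-protected member, matching the archive encryption the alert describes."""
    hits = []
    for p in sorted(root.rglob("*.bart.zip")):
        with zipfile.ZipFile(p) as zf:
            locked = all(i.flag_bits & 0x1 for i in zf.infolist())
        hits.append({"path": str(p.relative_to(root)),
                     "original": p.name[:-len(".bart.zip")],
                     "password_protected": locked})
    return hits

def constructed_zip(member: str, data: bytes, locked: bool = False) -> bytes:
    """Constructed sample archive (not real Bart output). zipfile cannot write
    password-protected ZIPs, so the 'encrypted' flag bit is set by hand in the
    central directory; the member data itself stays readable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    raw = bytearray(buf.getvalue())
    if locked:
        cd = raw.rfind(b"PK\x01\x02")   # central-directory entry of the sole member
        raw[cd + 8] |= 0x01             # general-purpose flags: bit 0 = encrypted
    return bytes(raw)

def demo() -> tuple[list[str], list[dict]]:
    lure = constructed_zip("FILE 21076073.js", b"// constructed stub, not the real lure")
    with tempfile.TemporaryDirectory() as tmp:   # constructed victim directory
        root = Path(tmp)
        (root / "budget.xlsx.bart.zip").write_bytes(
            constructed_zip("budget.xlsx", b"constructed", locked=True))
        return risky_members(lure), scan_for_bart(root)
```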
Bart is a new ransomware that is similar to Locky and Dridex but differs in how it encrypts files and in not requiring C&C communication. Since the campaign for this malware has just started, the target country appears to be the US, but it may shortly start to target other countries. Please note that this ransomware is still under analysis to gain more insight into how it encrypts files and what communication takes place during the process. The researchers at Proofpoint have said that, due to the lack of communication with a C&C server, this malware may target corporate networks, since it is able to bypass corporate firewalls.