Bart ransomware makes you eat its shorts, and then locks up your files

The developers behind the infamous ransomware Locky has released a new variant of its cryptomalware, which is simply called 'Bart.'

Being a variant of Locky, the ransomware features a similar look to its predecessor. It also encrypts a victim's files without connecting to a command and control (C&C) server.

The cybercriminals are utilizing RockLoader, an intermediate malware downloader which was also used in the Locky ransomware. This program is responsible for downloading Bart onto a victim's computer.

On June 24, researchers from Proofpoint, a cybersecurity company, detected an unusual large campaign with .zip email attachments, containing JavaScript codes. If the JS file is executed, the RockLoader program will take over, which will download the Bart ransomware to the unsuspecting victim's computer.

The malware attachment is quietly disguised as a compressed file allegedly containing images, as some of the file names detected by Proofpoint were "photos.zip", "image.zip", "Photos.zip", "photo.zip", "Photo.zip", or "picture.zip." The ZIP file contains something similar to "PDF_123456789.js," which initially looks like a PDF document, but has an extension made for JavaScript code. With this in consideration, the idea that the file name contains the acronym "PDF," and that the file's icon depicts a scroll of parchment could easily make an unaware person believe that the file is indeed a document.

Via Proofpoint

Once infected, a user's background will be modified to show the ransomware lock screen, and a "recover.txt" containing instructions on how to decrypt will be dropped as well. Bart will demand 3 Bitcoins, which is equal to almost $2000.

It will lock up files with the extension .mp3, .mp4, .jpg, .jpeg, .mov, .docx, .xlsx, .pptx, .pdf, and .zip, among many others. Once encryption is done, it will append a ".bart.zip" extension to all the files affected.

Prior to the encryption process, Bart detects the language the computer has installed. It has translations available in Italian, French, German, and Spanish. Moreover, it will automatically terminate if the system language is in Russian, Ukrainian, or Belarusian.

"Because Bart does not require communication with C&C infrastructure prior to encrypting files, Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic," according to Proofpoint.

The cybersecurity company is still investigating technical details about the ransomware.

Just recently, a similar ransomware was discovered, which also takes advantage of JavaScript code in order to trick users into executing the malware.

Source: Proofpoint via The Register

Report a problem with article
European Union flag
Next Article

7000 EU websites are protesting net neutrality loopholes, with 'EU Slowdown' campaign

Previous Article

Leaked document suggest Hillary Clinton wants broadband for all US households

10 Comments - Add comment

Advertisement