Bart - a new Ransomware

Published: 2016-06-26
Last Updated: 2016-06-26 17:27:07 UTC
by Rick Wanner (Version: 3)
9 comment(s)

Phishme is reporting the discovery of a new ransomware which its creators have named Bart. Bart shares several commonalities with the Locky ransomware. Bart is delivered by the same downloader, RockLoader, and the payment site bears a striking resemblance to the Locky page.

But Bart also deviates from Locky in several ways. The ransom is much higher, 3 Bitcoins, approximately $2000. Probably the most striking difference is that, unlike most ransomware variants, Bart does not require a command and control server to facilitate the encryption, and in fact appears to have no command and control capability at all. Bart does not utilize the public-private key or symmetric encryption methods that have become common in ransomware. Instead it stores the encrypted files in password-protected zip files, and utilizes a victim ID and a Tor-based payment website to facilitate decryption.
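Because Bart packages victims' files as password-protected zip archives rather than using a custom encryption routine, a defender can look for that artifact directly: the zip format records per-entry encryption in bit 0 of the general-purpose flag word of each local file header. The script below is an added example, not code from the diary or from Phishme; it parses those headers, reports archives whose entries are all flagged encrypted, and scans a directory for them. The sample archives it builds (file names and contents) are constructed for the demonstration; the standard library cannot write password-protected zips, so the "encrypted" sample is produced by setting the flag bit that a real protected archive would carry.

```python
import io
import struct
import tempfile
import zipfile
from pathlib import Path

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
# local file header: sig, version, flags, method, time, date, crc, csize, usize, fnlen, extralen
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: entry is encrypted (APPNOTE 4.4.4)


def iter_local_headers(data: bytes):
    """Walk the local file headers of a zip image in order, yielding (name, flags)."""
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + LOCAL_HEADER_SIZE > len(data):
            return
        fields = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        _sig, _ver, flags, _method, _time, _date, _crc, csize, _usize, fnlen, extralen = fields
        name_start = pos + LOCAL_HEADER_SIZE
        name = data[name_start:name_start + fnlen].decode("utf-8", "replace")
        yield name, flags
        # skip over name, extra field and compressed data to the next header
        pos = name_start + fnlen + extralen + csize


def is_password_protected_zip(data: bytes) -> bool:
    """True when the image is a zip and every entry has the encrypted bit set.

    Ransomware that wraps each victim file in its own protected archive sets the
    bit on every entry, so 'all' is used; a non-zip image yields no entries.
    """
    entries = list(iter_local_headers(data))
    return bool(entries) and all(flags & ENCRYPTED_FLAG for _name, flags in entries)


def scan_directory(root: Path) -> list[Path]:
    """Return the files under root that are password-protected zip archives."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            if fh.read(4) != LOCAL_HEADER_SIG:  # cheap pre-check before reading fully
                continue
        if is_password_protected_zip(path.read_bytes()):
            hits.append(path)
    return hits


def build_sample_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Build a small zip in memory (constructed sample data).

    zipfile cannot write password-protected archives, so for the encrypted sample
    the encryption flag bit is set in every local header (offset 6) and every
    central-directory entry (offset 8); that bit is exactly what a scanner checks.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, flag_offset in ((LOCAL_HEADER_SIG, 6), (CENTRAL_HEADER_SIG, 8)):
            pos = data.find(sig)
            while pos >= 0:
                data[pos + flag_offset] |= ENCRYPTED_FLAG
                pos = data.find(sig, pos + 4)
    return bytes(data)


def demo() -> list[str]:
    """Write a plain zip, a protected zip and a non-zip file, then scan; returns hit names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "archive.zip").write_bytes(build_sample_zip("notes.txt", b"plain archive", False))
        (root / "report.docx.zip").write_bytes(build_sample_zip("report.docx", b"victim data", True))
        (root / "readme.txt").write_bytes(b"not a zip at all")
        return sorted(p.name for p in scan_directory(root))


if __name__ == "__main__":
    print("password-protected archives found:", demo())
```

Running the block prints the single constructed protected archive. On a real host the scan would be pointed at user profile and share paths, and a sudden burst of protected archives where none existed before is the signal worth alerting on; the check costs one 4-byte read per file that is not a zip.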

Unfortunately, no decrypter is yet available.

More information on Bart can be found at the Phishme website.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: ransomware

Comments

Hi, I have a client with the Bart ransom, you said PHISHME created a decrypter? can you point me in the right direction?
Sorry, I thought I linked it in the diary. It is linked in the new version.

The URL to the python decrypter is: http://phishme.com/wp-content/uploads/xor_decode.txt
Excuse me for my ignorance, but do I just install python and run the script? I see in the article where they are pulling the "key" but isn't that unique to each encryption?
I could be wrong but my reading of the article indicates that the decoder is only for the .exe files that are stored on the RockLoader payload site.
The decryptor mentioned on Phishme's site is for the executables, not the encrypted files. The RockLoader payloads are encrypted. That javascript allows the executables to be decrypted and thus analyzed.

Unfortunately, there is no decryptor for Bart encrypted files as of yet.
Ok, that's what I was thinking. This thing deleted the shadow copies? Any ideas? Thanks
Sorry, I misread the article. The decrypter is for the binaries found on the distribution site, not the Bart encrypted files. There is not yet a decrypter available for the encrypted files.

I have updated the diary to be accurate.
[quote=comment#37327]Ok, that's what I was thinking. This thing deleted the shadow copies? Any ideas? Thanks[/quote]

Nuke the infested systems, then restore them from your backup.
Afterwards secure them properly:
1. no administrative rights for users (no, UAC is a bad joke);
2. no execute permission for users in directories where they can (over)write files (see http://home.arcor.de/skanthak/SAFER.html or http://www.mechbgon.com/srp/index.html);
3. remove all unsupported and outdated software, and patch the remaining software to their current and maintained version.
Ransomware Attacks: How Our Technologies Could Be Affected & What We Can Do
https://www.evolving-science.com/information-communication/ransomware-attacks-how-our-technologies-could-be-affected-what-we-can-do-00621

Found something interesting.
