Bart Ransomware Doesn’t Require C&C Server to Encrypt Files

There’s a new player in the ransomware segment that appears to have been created by the actor behind the Dridex Trojan and the Locky ransomware, researchers warn.

Dubbed Bart, the new ransomware threat includes code similarities to Locky, as well as a similar distribution mechanism, which allowed researchers to make the connection between the two. It has encryption features similar to the typical crypto ransomware, yet it comes with its particular features too, such as the lack of a command and control (C&C) server to connect to before starting the encryption.

According to PhishMe researchers, although Bart is a mainstream encryption ransomware, it comes with particular means of denying victims access to their files. Bart also shares interface elements used in the Locky ransom payment page, but its main feature is the ability to encrypt users’ files without having to report to a C&C server first.

Instead, the malware might rely on the distinct victim identifier to tell the threat actor what decryption key should be used when providing the victim with a decryption tool. To encrypt files, Bart doesn’t rely on sophisticated encryption techniques, but simply places files in individual password protected zip archives. The ransomware appends the .bart.zip extension to the affected files, Proofpoint researchers noticed.

The ransomware drops ransom notes in all directories where files have been encrypted, and researchers explain that “these ransom note files contain a unique identifier passed as a parameter to the Tor-hosted payment sites when the victim visits any of the links within the note.” Moreover, they reveal that the only difference between Bart’s ransom note and Locky’s is the significantly larger 3 Bitcoin demand, compared to the 0.5 Bitcoin demand made by Locky.

Bart is delivered in the form of malicious JavaScript attachments in phishing emails, which would download and execute the RockLoader dropper (which was previously seen downloading Dridex, Locky and Pony/Kegotip info-stealers). The downloader was observed leveraging XOR to hide the malicious executable while downloading it, researchers say.

Dridex and Locky have been mostly inactive since early June, when the Necurs botnet, which is responsible for virtually all of the distribution of these two threats, suffered an outage. The infection operations resumed last week, when Locky displayed new anti-analysis techniques that made payloads more difficult to detect. RockLoader’s use of XOR to hide the malicious executable it downloads appears related to this Locky improvement.

For the time being, Bart appears targeted mainly at users in the United States, but Proofpoint researchers say that it might become an international threat soon, following on the footsteps of Dridex and Locky. The ransomware has translations available in Italian, French, German, and Spanish, but it also checks the system language on the infected machine, to avoid infecting Russian, Ukrainian, and Belorussian users.

Proofpoint too reveals that Bart and Locky appear related: they have the same email distribution mechanism, a similar ransom message, the same payment portal style, and both use the same RockLoader server to host malicious payloads (Dridex 220 is hosted there too). Moreover, researchers explain that some amount of code appears shared between Locky and Bart, such as the code that sets the user’s Desktop background.

What Proofpoint researchers stress upon is the fact that, because it does not require communication with C&C infrastructure prior to encrypting files, Bart may be targeted at corporate networks, because it would be able to encrypt PCs behind corporate firewalls that would normally block its traffic. “Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables,” researchers say.