The creators behind Locky and Dridex, two forms of ransomware used earlier this year, are believed to have created yet another form of ransomware, named ‘Decryptor Bart’. Although very similar to its predecessors, Bart is designed differently and bears the additional ability to bypass corporate firewalls and deny victims access to their files without the use of command-and-control infrastructure or AES encryption. ProofPoint researchers report:
On June 24, ProofPoint researchers detected a large campaign with .zip attachments containing JavaScript code. If opened, these attachments download and install the intermediary loader RockLoader (previously discovered by ProofPoint and used with Locky), which in turn downloads the new ransomware called “Bart”.
The messages are sent with the subject ‘photos’ and contain .zip attachments. Just like many other types of ransomware, Bart creates two file types, dropping recover.txt files into numerous folders on the PC. ‘Bart’ then takes over the desktop background, replacing it with recover.bmp (image below) to alert the victim that they have been infected, or rather held to ransom, and to explain the steps they must follow to retrieve their encrypted data.
To retrieve the data, the cybercriminals demand that the user visit one of the provided web domains and pay 3 bitcoins. As of June 2016 this amount sits just under $2,000 USD, a much higher ransom than the usual 0.5 – 1 bitcoin ($300 – $700).
ProofPoint have reported that the payment portal is almost visually identical to the one used by Locky, the only change being the title: ‘Locky Decryptor’ is now ‘Decryptor Bart’. It was also noted that, although the payment portals for Locky and Bart are visually identical, Bart's ransomware code is distinct from Locky's. Graham Cluley explains:
“Rest assured, however, that Bart isn’t a Locky copy. This new ransomware distinguishes itself from most other ransomware in two ways when it comes to its encryption algorithm”.
Where ransomware usually relies on C&C infrastructure, Bart does not require C&C communication before encrypting the user’s files; instead it uses a victim identifier that tells the actor what decryption is needed to create a decryption application for that victim. Because of this, Bart can encrypt files on well-secured computers behind corporate firewalls that would otherwise block such traffic.
Furthermore, the Bart ransomware does not deny users access to their files in the way normal crypto-ransomware would. Phishme researchers report that:
“Most encryption ransomware has traditionally relied upon a sophisticated asymmetric, public-private key pair or the creation of a distinct symmetric encryption key for encryption. This key is generally passed to the threat actor’s infrastructure at the time of encryption for later use. However, Bart simply places its targeted files in individual zip archives and applies password protection to these archives”.
ProofPoint say they are still investigating the technical details of ‘Decryptor Bart’, as the connections between Bart and Dridex/Locky are significant. Organizations, meanwhile, need to ensure that they block zipped executables to avoid the possibility of such infection.
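A defender-side triage check for the two artifacts this article describes: the .zip-with-JavaScript delivery that the "block zipped executables" advice targets, and Bart's password-protected ZIP archives in place of AES encryption. This is an added example, not code from ProofPoint, Phishme or this page; the blocked-extension list and the sample archives are constructed assumptions.

```python
import io
import os
import zipfile

# Script/executable extensions a mail gateway would refuse inside an archive
# (constructed list; the campaign above shipped JavaScript inside .zip files).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".cmd", ".bat"}

def triage_zip(data: bytes) -> dict:
    """Report executable/script entries (delivery) and password-protected entries
    (Bart-style 'encryption' is ZIP password protection rather than AES)."""
    findings = {"executable_entries": [], "encrypted_entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                findings["executable_entries"].append(info.filename)
            # Bit 0 of the ZIP general-purpose flag marks a password-protected entry.
            if info.flag_bits & 0x1:
                findings["encrypted_entries"].append(info.filename)
    findings["block"] = bool(findings["executable_entries"])  # gateway decision
    findings["alert"] = bool(findings["encrypted_entries"])   # host / IR signal
    return findings

def make_zip(entries: dict) -> bytes:
    """Build a small uncompressed ZIP in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def mark_encrypted(data: bytes) -> bytes:
    """Set the encryption flag on every local and central header so the sample
    looks password-protected; the stdlib cannot write encrypted archives."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)

# Constructed samples: a harmless stand-in for the '.zip with JavaScript' lure,
# a Bart-style archive wrapping a victim file in a password-protected ZIP, and a clean one.
LURE_ATTACHMENT = make_zip({"photos.js": "// constructed placeholder, not malware\n"})
BART_STYLE_ARCHIVE = mark_encrypted(make_zip({"report.docx": "constructed victim file"}))
CLEAN_ARCHIVE = make_zip({"notes.txt": "nothing to see here"})
```

Run triage_zip over attachments at the gateway to apply the "block" decision, and over archives appearing on endpoints to raise the "alert" signal.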
Source: ProofPoint, GrahamCluley, Phishme.
Image: Kertoon