Pierluigi Paganini
June 30, 2016
Similar to other ransomware, infected users are notified of the compromise with their desktop backgrounds changed with a warning, confirming that their files have been encrypted and offering a number of URLs accessible via the TOR network where they can receive instructions on obtaining their private keys. Recovery instructions are also placed into a text file names recover.txt and located in many of the users folders.
A screenshot of the desktop wallpaper recover.bmp
Unlike previous versions the cost of unlocking encrypted files has increased dramatically to 3 bitcoins (at time of writing equating to around 1425 Pounds Sterling or 1900 US Dollars) compared to the initial 0.5 or 1 bitcoin of its predecessors.
This particular ransomware was first discovered a few days ago by security vendor Phishme.
It differs greatly in operation from previous malware from presumably the same authors, notably in its lack of reliance on Command and Control servers, thus reducing the required investment and complexity on the attacker’s side.
Similar to Locky and Dridex the tool employs rogue JavaScript, invoking the Rockloader malware for delivery which is disseminated via ZIP attachments within emails, often containing permutations of the names photos.zip, pictures.zip or image.zip.
Other similarities include the payment portals, coding structure, email distribution mechanism and curiously the encryption of .n64 ROM files, with Locky being the only other malware to do this.
The ransom note, which displays itself as the desktop background is localized for English, Spanish, French, German and Italian and interestingly if the user’s language pack is detected in Russian, Ukrainian or Belorussian the users’ files aren’t encrypted.
Instead of employing the typical C2 key pair storing procedure where the encrypted files key is passed to the attackers command servers only available on release following payment of the ransom, Bart malware operates by placing the victims files in password protected ZIPs.
Bart malware ’s payment portal, almost identical to that of Locky
The methods of operation and increased cost in terms of the price of the ransom, shows a worrying change in direction from the authors of these already difficult and potentially crippling digital infections.
The cost of operations and complexity have reduced on the attackers side, which arguably will see a rise in the volume of these attacks as the tools become more accessible to a larger number of malicious players.
The hardest hit in this latest wave won’t be the organizations who can respond quickly to these threats, employ an adequate backups system for restore in occasion of compromise and have the ability the filter the included attachment names at the perimeter but instead the numerous security naive end users on their home machines.
This, coupled with the increased cost for unlocking, could see Bart malware as one of the most destructive and intrusive forms of malware to date, particularly within the public realm.
Written by: Steven Boyd
Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.
Twitter: @CybrViews
[adrotate banner=”9″]
(Security Affairs – Bart malware, hacking)
