• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Dridex and Locky authors revamped the Bart malware

Dridex and Locky authors revamped the Bart malware

Pierluigi Paganini June 30, 2016

The authors responsible for Dridex and Locky malware have recently made another appearance, this time with their latest release – Bart malware.

Similar to other ransomware, infected users are notified of the compromise with their desktop backgrounds changed with a warning, confirming that their files have been encrypted and offering a number of URLs accessible via the TOR network where they can receive instructions on obtaining their private keys. Recovery instructions are also placed into a text file names recover.txt and located in many of the users folders.

bart malware

A screenshot of the desktop wallpaper recover.bmp

Unlike previous versions the cost of unlocking encrypted files has increased dramatically to 3 bitcoins (at time of writing equating to around 1425 Pounds Sterling or 1900 US Dollars) compared to the initial 0.5 or 1 bitcoin of its predecessors.

This particular ransomware was first discovered a few days ago by security vendor Phishme.

It differs greatly in operation from previous malware from presumably the same authors, notably in its lack of reliance on Command and Control servers, thus reducing the required investment and complexity on the attacker’s side.

Similar to Locky and Dridex the tool employs rogue JavaScript, invoking the Rockloader malware for delivery which is disseminated via ZIP attachments within emails, often containing permutations of the names photos.zip, pictures.zip or image.zip.

Other similarities include the payment portals, coding structure, email distribution mechanism and curiously the encryption of .n64 ROM files, with Locky being the only other malware to do this.

The ransom note, which displays itself as the desktop background is localized for English, Spanish, French, German and Italian and interestingly if the user’s language pack is detected in Russian, Ukrainian or Belorussian the users’ files aren’t encrypted.

Instead of employing the typical C2 key pair storing procedure where the encrypted files key is passed to the attackers command servers only available on release following payment of the ransom, Bart malware operates by placing the victims files in password protected ZIPs.

bart malware 2

Bart malware ’s payment portal, almost identical to that of Locky

The methods of operation and increased cost in terms of the price of the ransom, shows a worrying change in direction from the authors of these already difficult and potentially crippling digital infections.

The cost of operations and complexity have reduced on the attackers side, which arguably will see a rise in the volume of these attacks as the tools become more accessible to a larger number of malicious players.

The hardest hit in this latest wave won’t be the organizations who can respond quickly to these threats, employ an adequate backups system for restore in occasion of compromise and have the ability the filter the included attachment names at the perimeter but instead the numerous security naive end users on their home machines.

This, coupled with the increased cost for unlocking, could see Bart malware as one of the most destructive and intrusive forms of malware to date, particularly within the public realm.

Written by: Steven Boyd

Steven Boyd

Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Bart malware, hacking)


facebook linkedin twitter

Bart malware Cybercrime Dridex Hacking Locky ransomware

you might also like

Pierluigi Paganini July 13, 2025
Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION
Read more
Pierluigi Paganini July 12, 2025
McDonald’s job app exposes data of 64 Million applicants
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 13, 2025

    McDonald’s job app exposes data of 64 Million applicants

    Hacking / July 12, 2025

    Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

    Cyber Crime / July 11, 2025

    U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 11, 2025

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Cyber Crime / July 10, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT