Bart Ransomware Locks Files in Password-protected ZIP Files

A new ransomware that bears several similarities with Locky has been discovered masquerading as photos distributed via spam emails. Called Bart (identified by Trend Micro as RANSOM_BART.A), this ransomware is delivered by the same Rockloader downloader over HTTPS.  

According to findings, Bart does not connect to a command and control (C&C) server, and while Bart is deemed "very mainstream", it stands out for its simplicity and efficiency. Two details make it stand out: its lack of C&C infrastructure, and the method it uses to prevent victims from accessing their files. “The ransomware is believed to rely on the distinct victim identifier to indicate to the threat actor what decryption key should be used to create the decryption applicator purported to be available to those victims who pay the ransom,” according to the blog.

Unlike most of the current crypto-ransomware families that encrypts individual files, Bart does not utilize public key cryptography like RSA. Instead, it scans for files with certain extensions such as archives, music, photos, documents, databases, and videos, and then locks them in password-protected .zip archives using the name format “original_name.extension.bart.zip”. The attackers behind Bart use only a Tor-hosted payment gateway called “Decryptor Bart Page” where victims can tender their malware-generated unique ID, pay the ransom, and receive their decryptor. The ransom note is localized in English, Spanish, Italian, French, and German, and will default in English if the computer is not using one of the supported localizations. Once payment has been made, it will be detected and displayed on the website, and, after several bitcoin confirmations, the website will offer the decryptor for download.

Locking files in password-protected archives in lieu of advanced encryption might be simple, but it can still be effective. While the Bart ransomware certainly presents a threat to affected users, password-protected archives aren't as sophisticated, and can possibly be opened with the use of widely-available password-cracking tools.

Some best practices can be used to prevent getting infected by ransomware in the first place. Avoid opening unverified emails and links, while regularly updating software and applications can reduce the risk of getting infected through exploits. Backing up files using the 3-2-1 rule—create 3 backup copies on 2 different media with 1 backup in a separate location—is also an effective way to ensure that the damage from a ransomware attack is minimized.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by crypto-ransomware such as Bart.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.