A new threat has recently been discovered by security researchers at Phishme: Bart ransomware. The new ransomware variant is not as sophisticated as Locky and Samsa, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening spam emails, file recovery will only be possible via backups if the ransom demand is not paid.

Bart Ransomware Locks Files in Password-Protected ZIP Files

Bart Ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart ransomware also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is also delivered using the same Dridex botnet that was used to deliver Locky.

Bart ransomware also uses a payment interface that looks very similar to Locky. However, there are notable differences to Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than a demand of 0.5 Bitcoin, Bart asks for 3 Bitcoin per infected machine – Approximately $1988 per device.

There are also notable differences in the method used to encrypt files. Bart doesn’t use public key cryptography. Files are added to zip files which are then password protected. In order to unzip files, a password must be supplied. These passwords are only supplied to the victim if the sizeable ransom is paid.

Bart also does not use the typical command and control center infrastructure. Most new ransomware variants communicate with the attackers’ command and control center before files are encrypted, but that does not appear to happen with Bart.

New Ransomware Variant Delivered via Spam Emails

The campaign uses spam emails to deliver malicious Javascript files, which are disguised as image files. End users may be fooled into opening the attachments in the belief they are simply images. However, if the attachments are opened, JavaScript is executed and Rocketloader is downloaded. Rocketloader installs Bart ransomware and is also capable of downloading a variety of other malware.

The ransomware has been developed to attack users in the west, and will not lock files if the operating system is in Russian, Ukrainian, or Belorussian.

To prevent infection, it is essential that end users do not open the infected email attachments. Since the emails may appear benign to end users, organizations should take steps to prevent the spam emails from being delivered. One way of doing this is to use SpamTitan. SpamTitan can be configured to block zip files and prevent them from being delivered to end users.

If spam emails are not delivered, end users will not be able to inadvertently infect their devices. Furthermore, the cost of deploying SpamTitan is likely to be considerably less than the cost of a single ransom payment to resolve a Bart infection.