PINDROP BLOG

New Bart Ransomware Released By Locky Crew

Because the world definitely needed another nasty piece of ransomware, the attackers who created the Locky ransomware have produced a new variant known as Bart, which is targeting victims in the United States and demanding nearly $2,000 for the decryption key.

Bart appears to be a rather close relative of Locky and uses an intermediate piece of malware called RockLoader. After a victim opens an email with an infected attachment and runs the attachment, the RockLoader malware then installs Bart. Researchers at Proofpoint discovered the Bart ransomware late last week and said that it is mainly targeting users in the United States with a variety of infected attachments. Once the Bart ransomware is on a machine, it encrypts all of the user’s files and drops a file with recovery and payment instructions.

“Prior to writing the ‘recover’ files, the malware determines the user’s system language. It has translations available in Italian, French, German, and Spanish. The malware also uses the system’s language to avoid infecting systems of Russian, Ukrainian, and Belorussian users. This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localized,” Proofpoint said in an analysis of the new ransomware.

The Bart ransomware instruction screen has plenty of helpful information on how to purchase Bitcoins for payment and is demanding three Bitcoins from each victim. That puts Bart’s ransom at the higher end of the scale right now, and the Proofpoint researchers say that the new variant is troubling for another reason, as well.

“While we are still investigating the technical details of this new ransomware, the connections between Bart and Dridex/Locky are significant. Because Bart does not require communication with C&C infrastructure prior to encrypting files, however, Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic,” Proofpoint said.

Ransomware infections have been on the rise for some time now, and the last year has seen a massive increase in the volume of attacks from crypto ransomware. Researchers at Kaspersky Lab last week released data that showed the number of crypto ransomware attacks increased more than 500 percent last year.
