ThreatSTOP Blog

From the Creators of Locky Comes the New Bart Ransomware

Written by threatstopoa | June 30, 2016

A new ransomware variant that debuted this month, rumored to be the work of Locky's creators, has quickly become one to watch. Bart ransomware shares a number of characteristics with Locky, which gives the two a similar "look and feel", yet it is distinct because of two special traits. The first is how it isolates victims from their files: instead of using strong asymmetric encryption, like most ransomware variants today, Bart moves the user's files into individual zip archives and applies password protection to each of them. The second is that Bart does not seem to use command and control servers, relying instead on a distinct ID for each victim, which is relayed to the criminals during payment.
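A defender-side triage check for the archive behaviour described above, added here as an example and not taken from ThreatSTOP or from any Bart sample: it walks a directory and lists zip archives that hold exactly one member with the ZIP encryption flag set. The function names and sample file names are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: member is password protected

def is_locked_single_file_zip(path):
    """True if path is a zip with exactly one member and that member is encrypted."""
    try:
        with zipfile.ZipFile(path) as zf:
            members = zf.infolist()
    except (zipfile.BadZipFile, OSError):
        return False
    return len(members) == 1 and bool(members[0].flag_bits & ENCRYPTED)

def scan(root):
    """Return (locked_archives, other_files) as sorted paths relative to root."""
    locked, other = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            bucket = locked if is_locked_single_file_zip(full) else other
            bucket.append(os.path.relpath(full, root))
    return sorted(locked), sorted(other)

def write_sample_zip(path, member, data, flagged):
    """Constructed input: one-member zip; sets only the header flag, payload stays plain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, data)
    raw = bytearray(buf.getvalue())
    if flagged:
        raw[6] |= ENCRYPTED                             # local file header flags
        raw[raw.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flags
    with open(path, "wb") as fh:
        fh.write(raw)

def demo():
    """Scan a constructed directory: two flagged archives, one normal zip, one text file."""
    with tempfile.TemporaryDirectory() as root:
        for name, flagged in (("report.docx.zip", True), ("photo.jpg.zip", True),
                              ("backup.zip", False)):
            write_sample_zip(os.path.join(root, name), "member.bin", b"x" * 32, flagged)
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("plain file")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

A high ratio of locked single-member archives to ordinary files in a user's document folders is the signal worth alerting on; a single password-protected zip is normal.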

One of the prominent ties to Locky is Bart's distribution method: Rockloader, Locky's custom downloader. This infection chain has been spotted targeting victims via phishing email campaigns. Bart is spreading quickly, mostly targeting the United States, Germany, France and the United Kingdom. The ransomware does not run if it determines the user's system language is Russian, Ukrainian, or Belarusian. One of the most disturbing facts about the new ransomware is the steep price it asks: 3 bitcoins.

ThreatSTOP customers are protected from Bart ransomware, as well as Rockloader downloader and Locky ransomware.