A new ransomware, called Bart Ransomware, was discovered by Proofpoint and is being distributed by the same actors as those behind the Locky Ransomware and Dridex. This ransomware does not communicate with a Command & Control server, so it can encrypt files even if the infected computer is not connected to the Internet.

Despite the many similarities between Bart Ransomware and Locky, how Bart takes a file hostage is very different. While most ransomware uses a cryptographic algorithm such as AES to encrypt a victim's files, Bart instead adds each file to its own password-protected ZIP archive.

Once it has finished, Bart will display a ransom note and demand 3 bitcoins in order to get the password for the victim's zipped files. Unfortunately, at this time there is no way to decrypt these files for free. For those who wish to receive support, there is a support topic here: t Topic.

Bart Ransomware is Distributed via SPAM Emails

Bart Ransomware is currently being distributed through SPAM emails that contain the subject Photos or Photo and contain ZIP attachments named Photos.zip, Photo.zip, image.zip, or picture.zip.

SPAM Email

Inside these zip files are JS (JavaScript) files with names like PDF_[10_digits].js, FILE-[10_digits].js, or doc-[10_digits].js. For example, the JS file could be named doc-470655521.js. These JS files are obfuscated to make it more difficult to understand what actions they are performing.

Obfuscated JavaScript File

When a victim opens one of these attachments, the Windows Script Host (wscript.exe) executes the JavaScript contained in the file, which downloads a malware executable to the %Temp% folder and runs it. This downloaded executable is a malware called RocketLoader, which then downloads and executes the Bart ransomware.
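The delivery chain above (subject Photo/Photos, a ZIP named Photos.zip/Photo.zip/image.zip/picture.zip, a PDF_/FILE-/doc- script inside) is a useful mail-gateway detection. The following is an added example, not code from the article or from Proofpoint: it inspects a message's subject and ZIP attachments in memory and flags the lure. The sample attachment is constructed with a placeholder script body, and the digit-count pattern is kept lenient (9 to 10 digits) because the article's own example name, doc-470655521.js, has nine digits. Quarantining any ZIP that contains a .js file at all is an assumed gateway policy, not something the article states.

```python
import io
import re
import zipfile

# Lure indicators taken from the article.
LURE_SUBJECTS = {"photo", "photos"}
LURE_ATTACHMENT_NAMES = {"photos.zip", "photo.zip", "image.zip", "picture.zip"}
# PDF_[digits].js, FILE-[digits].js, doc-[digits].js; lenient digit count (see lead-in).
LURE_MEMBER_RE = re.compile(r"^(?:PDF_|FILE-|doc-)\d{9,10}\.js$", re.IGNORECASE)


def zip_member_names(zip_bytes):
    """Member names of a ZIP attachment, or [] if the bytes are not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def script_members(zip_bytes):
    """Member names that match the Bart dropper naming pattern."""
    return [n for n in zip_member_names(zip_bytes)
            if LURE_MEMBER_RE.match(n.rsplit("/", 1)[-1])]


def assess_message(subject, attachments):
    """attachments: list of (filename, bytes).

    Returns {'quarantine': bool, 'reasons': [str]}.  Quarantine is decided by
    content (any .js inside a ZIP attachment, assumed policy); subject and
    attachment-name matches are recorded as supporting indicators only."""
    reasons = []
    quarantine = False
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches Bart lure")
    for name, data in attachments:
        if name.lower() in LURE_ATTACHMENT_NAMES:
            reasons.append(f"attachment name {name} matches Bart lure")
        members = zip_member_names(data)
        js_members = [m for m in members if m.lower().endswith(".js")]
        if js_members:
            quarantine = True
            reasons.append(f"{name} contains JavaScript: {', '.join(js_members)}")
        hits = script_members(data)
        if hits:
            reasons.append(f"{name} contains Bart-style dropper name(s): {', '.join(hits)}")
    return {"quarantine": quarantine, "reasons": reasons}


def build_sample_attachment(member_name):
    """Constructed sample ZIP with a one-line placeholder member (not the real dropper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// constructed placeholder, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_attachment("doc-470655521.js")
    print(assess_message("Photos", [("Photos.zip", lure)]))
```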

How the Bart Ransomware Takes Your Files Hostage

When the Bart Ransomware is executed it will first check the configured language on the infected computer. If the detected language is Russian, Belarusian, or Ukrainian, the ransomware terminates and does not encrypt any of the victim's files.

For any other language it will get a list of drive letters on the computer and start scanning them for files with certain extensions. When scanning, it will not zip a file if its path contains one of the following strings:

tmp, winnt, Application Data, AppData, PerfLogs, Program Files (x86), Program Files, ProgramData, temp, Recovery, $Recycle.Bin, System Volume Information, Boot, Windows

When it finds a matching file that is not located in one of the above blacklisted folders, it archives the file into a password-protected zip file and appends the .bart.zip extension to the new file. For example, a file called test.jpg would be zipped and renamed test.jpg.bart.zip. The file extensions targeted by the Bart Ransomware are:

.n64, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .sh, .class, .jar, .java, .rb, .asp, .cs, .brd, .sch, .dch, .dip, .vbs, .vb, .js, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .db, .mdb, .sq, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11(Security copy), .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mm, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wb2, .123, .wks, .wk1, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .602, .dotm, .dotx, .docm, .docx, .DOT, .3dm, .max, .3ds, .xm, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .p12, .csr, .crt, .key

When it has finished zipping the data files it creates two ransom notes on the Windows desktop called recover.bmp and recover.txt. The recover.bmp file is set as the Windows desktop wallpaper, as shown below.
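The scanning rules, the .bart.zip rename and the ransom-note drop described in this section give a responder enough to triage an affected host. The following is an added example, not code from the article or from Bart: it walks a directory, finds .bart.zip files, checks that each is a ZIP whose members carry the general-purpose "encrypted" flag (bit 0, which is what a password-protected ZIP sets), recovers the original filename by stripping the suffix, reproduces the path-exclusion and extension rules to inventory files that were in scope, and locates recover.txt/recover.bmp. The sample tree is constructed in a temporary directory; because Python's zipfile cannot write encrypted archives, the sample flips the flag bit in the headers by hand. Only a subset of the article's extension list is included, and case-insensitive extension matching is an assumption.

```python
import os
import struct
import tempfile
import zipfile

BART_SUFFIX = ".bart.zip"
# Path substrings Bart skips (from the article).
EXCLUDED_PATH_PARTS = [
    "tmp", "winnt", "Application Data", "AppData", "PerfLogs",
    "Program Files (x86)", "Program Files", "ProgramData", "temp",
    "Recovery", "$Recycle.Bin", "System Volume Information", "Boot", "Windows",
]
# Subset of the article's targeted extensions (the full list is much longer).
TARGETED_EXTENSIONS = {".jpg", ".docx", ".pdf", ".xlsx", ".txt", ".key", ".tar.bz2"}
RANSOM_NOTE_NAMES = {"recover.txt", "recover.bmp"}


def is_excluded_path(path):
    """Bart's skip rule: any excluded substring anywhere in the path."""
    return any(part in path for part in EXCLUDED_PATH_PARTS)


def is_targeted(path):
    """Extension match; case-insensitive is an assumption (Windows paths)."""
    lower = path.lower()
    return any(lower.endswith(ext.lower()) for ext in TARGETED_EXTENSIONS)


def original_name(name):
    """test.jpg.bart.zip -> test.jpg; None if the suffix is absent."""
    return name[:-len(BART_SUFFIX)] if name.endswith(BART_SUFFIX) else None


def archive_is_password_protected(path):
    """True if the file is a ZIP and every member has flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(path) as zf:
            infos = zf.infolist()
            return bool(infos) and all(info.flag_bits & 0x1 for info in infos)
    except zipfile.BadZipFile:
        return False


def find_bart_archives(root):
    """Sorted (path, original_name, password_protected) for each .bart.zip under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(BART_SUFFIX):
                full = os.path.join(dirpath, name)
                found.append((full, original_name(name), archive_is_password_protected(full)))
    return sorted(found)


def inventory_at_risk(root):
    """Relative paths under root that Bart's rules would have archived.
    Relative paths are used so the temp directory's own name does not trip
    the 'tmp' rule; on a real host match against the full path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if is_targeted(rel) and not is_excluded_path(rel):
                hits.append(rel)
    return sorted(hits)


def find_ransom_notes(root):
    """Paths of recover.txt / recover.bmp under root (Bart drops them on the desktop)."""
    return sorted(os.path.join(d, n) for d, _dirs, fs in os.walk(root)
                  for n in fs if n.lower() in RANSOM_NOTE_NAMES)


def _set_encrypted_flag(zip_path):
    """Constructed sample only: set bit 0 of the general-purpose flag in the
    local file header (offset 6) and central directory header (offset 8)."""
    with open(zip_path, "rb") as f:
        data = bytearray(f.read())
    for off in (data.index(b"PK\x03\x04") + 6, data.index(b"PK\x01\x02") + 8):
        struct.pack_into("<H", data, off, struct.unpack_from("<H", data, off)[0] | 0x1)
    with open(zip_path, "wb") as f:
        f.write(data)


def build_sample_tree():
    """Constructed host: one archived victim file, one untouched file, one file
    under AppData that Bart's path rule skips, and a recover.bmp on the Desktop."""
    root = tempfile.mkdtemp(prefix="bart_triage_")
    victim = os.path.join(root, "test.jpg" + BART_SUFFIX)
    with zipfile.ZipFile(victim, "w") as zf:
        zf.writestr("test.jpg", b"placeholder bytes, not a real image")
    _set_encrypted_flag(victim)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("untouched\n")
    for sub, name, body in (("AppData/Roaming", "cache.docx", b"skipped by path rule"),
                            ("Desktop", "recover.bmp", b"BM placeholder wallpaper")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    r = build_sample_tree()
    print(find_bart_archives(r), inventory_at_risk(r), find_ransom_notes(r))
```

The flag check matters because the ransom note claims the files are "encrypted": confirming that each .bart.zip is a standard ZIP with only the password bit set tells the responder what kind of recovery (a ZIP password, not an AES key) is actually at issue.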

Bart Desktop Wallpaper

The ransom note called recover.txt is automatically opened in Notepad and displayed.

Recover.txt Ransom Note

The text ransom note is localized in English, Spanish, Italian, French, and German, and defaults to English if the computer is not using one of the supported localizations. These ransom notes state that the victim's files are encrypted, as shown below.

All your files are encrypted.

Tutti i file sono criptati.

Tous vos fichiers sont cryptés.

Alle Ihre Dateien werden verschlüsselt.

These ransom notes also contain your assigned ID and the address of the TOR payment site you are told to use for payment instructions. This payment site is described in the next section.

It is important to note that this ransomware does not perform any network communication and thus does not need an Internet connection to infect a computer.

The Bart Decryptor Page TOR Payment Site

The Bart ransom notes contain a unique ID that is associated with the victim's computer, as well as links to a TOR payment site called Decryptor Bart Page. This site contains information on how to purchase bitcoins, the ransom amount, and the bitcoin address to which a victim needs to send the bitcoins.

Decryptor Bart Page

Once a payment is made to the specified address, it is detected and displayed on the web site. After a certain number of bitcoin confirmations, the web site automatically offers the decryptor for download.
