A new ransomware, called Bart Ransomware, was discovered by Proofpoint and is being distributed by the same actors as those behind the Locky Ransomware and Dridex. This ransomware does not communicate with a Command & Control server, so it can encrypt files even if the infected computer is not connected to the Internet.
Despite the many similarities between Bart Ransomware and Locky, the way Bart takes files hostage is very different. While most ransomware uses a cryptographic algorithm such as AES to encrypt a victim's files, Bart instead adds each file to its own password-protected ZIP archive.
Once it has finished, Bart displays a ransom note and demands 3 bitcoins for the password to the victim's zipped files. Unfortunately, at this time there is no way to decrypt these files for free. For those who wish to receive support, there is a support topic here: Bart Ransomware Help & Support Topic.
Bart Ransomware is currently being distributed through spam emails with the subject "Photos" or "Photo" that carry ZIP attachments named Photos.zip, Photo.zip, image.zip, or picture.zip.
When Bart Ransomware is executed, it first checks the configured language on the infected computer. If the detected language is Russian, Belarusian, or Ukrainian, the ransomware terminates without encrypting any of the victim's files.
For any other language, it gets a list of drive letters on the computer and starts scanning them for files with certain extensions. While scanning, it will not zip a file if its path contains one of the following strings.
tmp, winnt, Application Data, AppData, PerfLogs, Program Files (x86), Program Files, ProgramData, temp, Recovery, $Recycle.Bin, System Volume Information, Boot, Windows
When it finds a matching file that is not located in one of the above blacklisted folders, it archives the file into a password-protected ZIP and appends the .bart.zip extension to the new file. For example, a file called test.jpg would be zipped and renamed test.jpg.bart.zip. The files targeted by Bart Ransomware are:
.n64, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .sh, .class, .jar, .java, .rb, .asp, .cs, .brd, .sch, .dch, .dip, .vbs, .vb, .js, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .db, .mdb, .sq, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11(Security copy), .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mm, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wb2, .123, .wks, .wk1, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .602, .dotm, .dotx, .docm, .docx, .DOT, .3dm, .max, .3ds, .xm, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .p12, .csr, .crt, .key
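A triage helper a responder could run over an affected folder or share, added here as an example (it is not code from the original article or from the malware): it recovers the original file name from the .bart.zip suffix described above and reads the ZIP header "encrypted" flag to confirm that each archive really is password-protected rather than a plain ZIP carrying the suffix. The sample folder it builds is constructed test data, and the header-patching fixture is an assumption used only to mimic the flag; it does not produce a genuinely encrypted archive.

```python
import os
import struct
import tempfile
import zipfile
from pathlib import Path

BART_SUFFIX = ".bart.zip"

def original_name(filename):
    """Recover the pre-infection name ('test.jpg.bart.zip' -> 'test.jpg'); None if not a Bart artifact."""
    return filename[:-len(BART_SUFFIX)] if filename.lower().endswith(BART_SUFFIX) else None

def is_password_protected_zip(path):
    """True if the file is a valid ZIP whose entries all carry the 'encrypted' general-purpose flag (bit 0)."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        entries = zf.infolist()
    return bool(entries) and all(e.flag_bits & 0x1 for e in entries)

def triage(root):
    """Walk root; return one (archive_path, original_name, password_protected) tuple per Bart artifact."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            orig = original_name(name)
            if orig is not None:
                archive = os.path.join(dirpath, name)
                hits.append((archive, orig, is_password_protected_zip(archive)))
    return hits

def make_sample_archive(path, inner_name, payload=b"constructed sample data"):
    """Constructed fixture only: write a ZIP, then set the 'encrypted' bit in its local and central
    headers so header-level checks see a password-protected archive (the payload is not encrypted)."""
    path = Path(path)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(inner_name, payload)
    data = bytearray(path.read_bytes())
    struct.pack_into("<H", data, data.find(b"PK\x03\x04") + 6, 0x1)  # local file header flag field
    struct.pack_into("<H", data, data.find(b"PK\x01\x02") + 8, 0x1)  # central directory flag field
    path.write_bytes(data)

def demo():
    """Build a constructed victim folder: one Bart-style archive, one plain ZIP with the suffix, one untouched file."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_archive(Path(tmp, "test.jpg.bart.zip"), "test.jpg")
        with zipfile.ZipFile(Path(tmp, "plain.docx.bart.zip"), "w") as zf:
            zf.writestr("plain.docx", b"not password protected")
        Path(tmp, "notes.txt").write_bytes(b"untouched")
        return [(os.path.basename(a), o, p) for a, o, p in triage(tmp)]
```

Running `demo()` lists both suffixed files and reports only the header-flagged one as password-protected; point `triage()` at a real path to inventory affected files by their original names.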
When it has finished zipping the data files, it creates two ransom notes on the Windows desktop called recover.bmp and recover.txt. The recover.bmp file is used as the Windows desktop wallpaper, as shown below.
The ransom note called recover.txt is automatically opened in Notepad and displayed.
The text ransom note is localized in English, Spanish, Italian, French, and German, and defaults to English if the computer is not using one of the supported localizations. These ransom notes state that the victim's files are encrypted, as shown below.
!!! IMPORTANT INFORMATION !!! All your files are encrypted.
!!! INFORMAZIONI IMPORTANTI !!! Tutti i file sono criptati.
!!! INFORMATIONS IMPORTANTES !!! Tous vos fichiers sont cryptés.
!!! WICHTIGE INFORMATIONEN !!! Alle Ihre Dateien werden verschlüsselt.
These ransom notes will also contain your assigned ID and the TOR payment site that you need to use for payment instructions. This payment site is described in the next section.
It is important to note that this ransomware does not perform any network communication and thus does not need an Internet connection to infect a computer.
The Bart ransom notes contain a unique ID that is associated with the victim's computer, as well as links to a TOR payment site called Decryptor Bart Page. This site contains information on how to purchase bitcoins, the ransom amount, and the bitcoin address to which a victim needs to send the bitcoins.
Once a payment is made to the specified address, it is detected and displayed on the web site. After a certain number of bitcoin confirmations, the web site automatically offers the decryptor for download.