Ransomware Similar, but Different
Tuesday, June 28, 2016 @ 01:06 PM gHale
Bart is a new ransomware affiliated with the Necurs botnet.
Based on the extension it adds to locked files, the ransomware is not as sophisticated as the Locky ransomware but bears some resemblance to its older brother.
Because of the Locky similarities and because Bart goes over via the same network from where most of the Locky spam originates, researchers think there is strong evidence to suggest the two ransomwares ended up developed by same group.
Looking at the technical side of the malware, researchers from security providers like PhishMe and Proofpoint tweeted their findings.
Bart resembles Locky because it’s distributed in the same way, using email spam that delivers a ZIP archive, which, when unzipped, contains a malicious JS file.
Running the JS file downloads RockLoader, an intermediary piece of malware, which then downloads the Bart ransomware. Locky also uses RockLoader in its distribution.
This is where Bart shows its differences. While Locky would connect to its C&C server to negotiate the encryption process and save a copy of the private key on the server, Bart works without a server-side component.
“While many encryption ransomware varieties report the infection of a new computer back to a command and control host in order to obtain a go-ahead for encryption, Bart performs no such report and has no evident capability to contact any supporting resources,” said PhishMe researchers in a blog post. “Instead, the ransomware is believed to rely on the distinct victim identifier to indicate to the threat actor what decryption key should be used to create the decryption application purported to be available to those victims who pay the ransom.”
All of Bart’s encryption process ends up localized, in case the ransomware needs to run without an Internet connection.
“Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic,” Proofpoint researchers said in a blog post. “Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables.”
As for the encryption, things are different. Instead of encrypting files, Bart just places them in its each individual ZIP archive file and then secures the archive with a password.
A file like image.jpeg would be renamed to image.jpeg.bart.zip. Bart targets 159 different file types.
When the file locking process stops, Bart drops a ransom note, as a text file in each folder it locked files, and changes the user’s desktop wallpaper.
Bart asks for 3 Bitcoin ($1,800) to unlock the victim’s files, which is an extremely large sum. Each user receives an ID, and they have to go on a Dark Web portal to pay the ransom and receive a decrypter. This payment portal is also a carbon copy of the Locky payment portal.