Hackers behind Locky and Dridex start spreading new ransomware

Bart ransomware locks files in password-protected zip files

Criminals behind the Dridex and Locky malware have launched new ransomware that zips up victims' files in a password-protected archive.

Hackers are using the RockLoader malware to download a new ransomware, called Bart, over HTTPS, according to a blog post from IT security firm Proofpoint. Its researchers said that Bart has a payment screen like Locky but encrypts files without first connecting to a command and control (C&C) server.

The firm said that last Friday its researchers detected a large campaign with .zip attachments containing JavaScript code. If opened, these attachments download and install the intermediary loader RockLoader, which in turn downloads Bart.

It said that messages in this campaign had the subjects "Photos" with the attachment "photos.zip", "image.zip", "Photos.zip", "photo.zip", "Photo.zip", or "picture.zip." The zip files contained JavaScript file such as "PDF_123456789.js."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Bart then informs victims that their files are being encrypted by the ransomware and turned into two types of files, a method similar to many other types of ransomware. Specifically, it drops a recover.txt into many folders and replaces the desktop background with an image file giving information to the victim about how they can pay a ransom and get their files back.

The ransom note displays in multiple languages depending on the user's system language. It has translations available in Italian, French, German, and Spanish. The malware also uses the system's language to avoid infecting systems of Russian, Ukrainian, and Belorussian users.

"This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised," the researchers said.

The ransom note urges the user to visit a payment portal in order to pay three bitcoins (just under $2,000 at current exchange rates).

The ransomware does not appear to have any network communication mechanism with a command and control server. Instead, the necessary information about infected machine is likely passed to the payment server in the URL "id" parameter.

According to Proofpoint, the malware is using the open source WProtect for code virtualisation.

Advertisement - Article continues below

The researchers warned that Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic.

"Organisations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables," the researchers said.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020