Troublemaking Bart ransomware follows in Dridex and Locky’s footsteps

June 28, 2016

Don't have a cow, man, but a newly discovered ransomware named Bart doesn't need to connect to a command-and-control server before it encrypts a victim's files. Consequently, even strict corporate firewalls that block malware's outbound traffic may be unable to stop Bart from locking up a PC: the network callback that defenders often count on to detect or cut short an infection never has to happen.

In a recent blog post, Proofpoint identifies Bart as the latest creation of the adversaries behind Dridex and Locky, an interesting observation given reports that a major botnet campaign distributing those two malware families was discontinued this month.

Although its code is quite different, Bart shares several traits with its forebears, including its email-based distribution, its ransom message and payment portal, and its use of the RockLoader dropper, which downloads the payload over HTTPS. Rather than connecting to a C&C server, the malware most likely passes data about the infected machine to the payment server in the URL's “id” parameter, Proofpoint continues.

Proofpoint cited a June campaign in which recipients received spam messages with malicious .zip attachments containing JavaScript code. The campaign appears to target primarily U.S. users, although the malware can display its ransom message in five languages: English, French, German, Italian and Spanish. It will not run if the system language is Russian, Ukrainian or Belarusian.