Don’t have a cow, man, but a newly discovered ransomware family named Bart doesn’t need to connect to a command-and-control server in order to encrypt victims’ files. Consequently, even strict corporate egress filtering that blocks malware from phoning home may do nothing to stop Bart from rendering a PC unusable: the encryption completes entirely on the infected host, with no outbound traffic for a firewall to intercept.
In a recent blog post, Proofpoint identifies Bart as the latest creation of the group behind Dridex and Locky, an interesting observation in light of reports that a major botnet campaign distributing those two malware programs was discontinued this month.
Although its code is quite different, Bart shares several traits with its forebears: the same email-based distribution method, a similar ransom message and payment portal, and the use of the RockLoader dropper, which downloads the payload over HTTPS. Rather than checking in with a C&C server, the malware likely passes data about the infected machine to the payment server in the “id” parameter of the portal URL, Proofpoint continues.
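To make concrete why no C&C round-trip is required and what an “id” parameter can carry, here is the general hybrid-encryption design used by offline ransomware, written as an added illustration for this article. It is not Bart’s code and not taken from Proofpoint’s analysis: the page only says that victim data is likely passed in the URL, not which cryptography Bart uses. The operator key pair is generated at runtime so the example runs (a real sample would embed only the public key), the host `payment.example`, the path, the key sizes and the sample plaintext are all assumptions, and the functions `encryptVictim`, `paymentURL` and `unwrapFromURL` are hypothetical names. The point it demonstrates is that a per-victim key is created and used locally, wrapped to a public key the victim already holds, and only then shipped to the operator inside the link the victim is told to visit, so blocking outbound traffic at infection time changes nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// newOperatorKey stands in for the operator's key pair. In a real sample only
// the public half would be compiled into the binary; the private half never
// leaves the operator. Generated here purely so the example is self-contained.
func newOperatorKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// encryptVictim models the infected host. A fresh AES-256 key is drawn locally,
// the data is sealed with AES-GCM, and the key is wrapped with the embedded RSA
// public key (OAEP). Nothing here touches the network.
func encryptVictim(pub *rsa.PublicKey, plaintext []byte) (ciphertext, wrappedKey []byte) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	// nonce || ciphertext||tag, the usual self-describing layout
	ciphertext = append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...)
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		panic(err)
	}
	return ciphertext, wrappedKey
}

// paymentURL builds the portal link shown in the ransom note, carrying the
// wrapped key as the "id" query parameter. Host and path are hypothetical.
func paymentURL(wrappedKey []byte) string {
	u := url.URL{Scheme: "https", Host: "payment.example", Path: "/"}
	q := u.Query()
	q.Set("id", base64.RawURLEncoding.EncodeToString(wrappedKey))
	u.RawQuery = q.Encode()
	return u.String()
}

// unwrapFromURL models the operator side: parse the link the victim visited,
// decode "id", and recover the per-victim AES key with the private key.
// With any other private key this fails, which is the whole design.
func unwrapFromURL(priv *rsa.PrivateKey, link string) ([]byte, error) {
	u, err := url.Parse(link)
	if err != nil {
		return nil, err
	}
	wrapped, err := base64.RawURLEncoding.DecodeString(u.Query().Get("id"))
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// decryptWithKey reverses encryptVictim once the AES key is known.
func decryptWithKey(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func main() {
	priv := newOperatorKey()
	ct, wrapped := encryptVictim(&priv.PublicKey, []byte("constructed sample file contents"))
	link := paymentURL(wrapped)
	key, err := unwrapFromURL(priv, link)
	if err != nil {
		panic(err)
	}
	pt, err := decryptWithKey(key, ct)
	fmt.Printf("link=%s\nrecovered=%q err=%v\n", link, pt, err)
}
```

The defensive takeaway is in the data flow: the only copy of the victim’s key outside the host is the “id” value in the ransom-note URL, so an incident responder should preserve ransom notes and any portal URLs verbatim rather than treating them as noise, and should not expect egress logs from the infection window to contain anything useful.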