
SANS ISC: Bart - a new Ransomware - Internet Security | DShield SANS ISC InfoSec Forums

Bart - a new Ransomware

Phishme is reporting the discovery of a new ransomware which its creators have named Bart. Bart shares several commonalities with the Locky ransomware. Bart is delivered by the same downloader, RockLoader. The payment site bears a striking resemblance to the Locky page.

But Bart also deviates from Locky in other ways. The ransom is much higher, 3 Bitcoins, approximately $2000. But probably the most striking difference is that, unlike most ransomware variants, Bart does not require a command and control server to facilitate the encryption, and in fact looks like it has no command and control capability at all. Bart does not utilize the complex public-private key or symmetric encryption methods that have become common in ransomware. Instead it stores the encrypted files in password-protected zip files, and utilizes a victim id and a Tor-based payment website to facilitate decryption.

Unfortunately, no decrypter is yet available.

More information on Bart can be found at the Phishme website.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
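Because Bart leaves its victims' data inside password-protected zip files rather than in a custom container, a responder triaging a share can inventory the affected files without the password: the ZIP central directory records an encryption flag per entry. The following is an added example (not code from this diary or from Phishme) that parses the standard ZIP headers directly, reports entries whose encryption flag is set, and walks a directory tree looking for archives by magic bytes rather than extension. The sample archives are constructed in `build_sample_zip()`; ZIP64 archives are not handled.

```python
"""Spot ZIP archives whose entries are password protected by inspecting only
the ZIP headers. Added example, not code from the ISC diary or Phishme; the
sample archives are constructed by build_sample_zip()."""
import io
import os
import struct
import sys
import zipfile
import zlib

LOCAL_SIG = 0x04034B50      # "PK\x03\x04", local file header
CENTRAL_SIG = 0x02014B50    # "PK\x01\x02", central directory header
EOCD_SIG = 0x06054B50       # "PK\x05\x06", end-of-central-directory record
FLAG_ENCRYPTED = 0x0001     # general-purpose bit 0: entry is encrypted


def build_sample_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Hand-build a one-entry STORED archive (constructed test input).
    For the encrypted variant only the flag bit is set; the payload itself is
    left in the clear, which is fine because the detector never reads it."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # local header: sig, version, flags, method, time, date, crc, sizes, lengths
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name + data
    # central directory header; the local header sits at offset 0
    central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags,
                          0, 0, 0, crc, len(data), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    # end of central directory: one entry, cd size and cd offset
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of entries whose encryption flag is set, read from the central
    directory. No password is needed and no entry data is decompressed."""
    tail = zip_bytes[-(22 + 0xFFFF):]          # EOCD plus maximum comment
    idx = tail.rfind(struct.pack("<I", EOCD_SIG))
    if idx < 0:
        raise ValueError("no end-of-central-directory record; not a zip")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<IHHHHIIH",
                                                       tail[idx:idx + 22])
    names, pos = [], cd_offset
    for _ in range(total):
        fields = struct.unpack("<IHHHHHHIIIHHHHHII", zip_bytes[pos:pos + 46])
        if fields[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags, name_len, extra_len, comment_len = (fields[3], fields[10],
                                                   fields[11], fields[12])
        name = zip_bytes[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names


def scan_tree(root: str) -> dict:
    """Walk a directory and report every archive (identified by magic bytes,
    not extension) that has password-protected entries: {path: [names]}."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    head = f.read(4)
                    if head != struct.pack("<I", LOCAL_SIG):
                        continue
                    names = encrypted_entries(head + f.read())
            except (OSError, ValueError, struct.error):
                continue           # unreadable or malformed; not a finding
            if names:
                hits[path] = names
    return hits


def sample_roundtrip_ok() -> bool:
    """Cross-check the hand-built archives against the standard library: the
    plain one must read back, and zipfile must report the same flag bit."""
    plain = build_sample_zip(b"report.docx", b"hello", encrypted=False)
    locked = build_sample_zip(b"report.docx", b"hello", encrypted=True)
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        if zf.read("report.docx") != b"hello":
            return False
    with zipfile.ZipFile(io.BytesIO(locked)) as zf:
        return bool(zf.infolist()[0].flag_bits & FLAG_ENCRYPTED)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, names in scan_tree(root).items():
        print(f"{path}: password-protected entries {names}")
```

Run it against a copy of the suspect share (`python bartzip.py /mnt/evidence`); it lists archives and entry names only, so it is safe to run on a read-only image, and the list doubles as the scope for the restore-from-backup step.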

Rick

291 Posts
ISC Handler
Hi, I have a client with the Bart ransom. You said PHISHME created a decrypter? Can you point me in the right direction?
JacobBOAZ

3 Posts
Sorry, I thought I linked it in the diary. It is linked in the new version.

The URL to the python decrypter is: phishme.com/wp-content/uploads/…
Rick

291 Posts
ISC Handler
Excuse me for my ignorance, but do I just install python and run the script? I see in the article where they are pulling the "key" but isn't that unique to each encryption?
JacobBOAZ

3 Posts
I could be wrong but my reading of the article indicates that the decoder is only for the .exe files that are stored on the Rockloader payload site.
psophos

6 Posts
The decryptor mentioned on Phishme's site is for the executables, not the encrypted files. The Rockloader payloads are encrypted. That javascript allows the executables to be decrypted and thus analyzed.

Unfortunately, there is no decryptor for Bart encrypted files as of yet.
Lawrence Abrams

2 Posts
Ok, that's what I was thinking. This thing deleted the shadow copies? Any ideas? Thanks
JacobBOAZ

3 Posts
Sorry, I misread the article. The decrypter is for the binaries found on the distribution site, not the Bart encrypted files. There is not yet a decrypter available for the encrypted files.

I have updated the diary to be accurate.
Rick

291 Posts
ISC Handler
Quoting JacobBOAZ: Ok, that's what I was thinking. This thing deleted the shadow copies? Any ideas? Thanks

Nuke the infested systems, then restore them from your backup.
Afterwards secure them properly:
1. no administrative rights for users (no, UAC is a bad joke);
2. no execute permission for users in directories where they can (over)write files (see http://home.arcor.de/skanthak/SAFER.html or http://www.mechbgon.com/srp/index.html);
3. remove all unsupported and outdated software, and patch the remaining software to their current and maintained version.
Anonymous
Ransomware Attacks: How Our Technologies Could Be Affected & What We Can Do
https://www.evolving-science.com/information-communication/ransomware-attacks-how-our-technologies-could-be-affected-what-we-can-do-00621

Found something interesting.
Anonymous