27 JUN 2016
Security researchers are warning of a new ransomware family from the authors of Locky and Dridex, charging victims $2000 to get their files back.
The so-called “Bart” ransomware encrypts a target’s files before even connecting to its C&C server, according to Proofpoint.
It’s apparently available in multiple languages, including English, Italian, French and German, and is designed to avoid infecting Russian, Ukrainian and Belarusian users, which may hint at its origins.
So far, it has largely targeted US users, although this is unlikely to last for long, according to Proofpoint.
Bart demands victims pay up to the tune of three Bitcoins, equivalent to around $2000, which is significantly higher than most similar malware around today.
Its payment portal is almost identical to that of the infamous Locky ransomware and, like Locky and Dridex, it downloads RockLoader first, which in turn downloads the final payload.
There’s also a certain amount of code-sharing between Locky and Bart, Proofpoint claimed.
“It does not appear to have any network communication mechanism with a command and control server,” the firm continued, in a blog post. “Instead, the necessary information about infected machines is likely passed to the payment server in the URL ‘id’ parameter. The malware is using the open source WProtect for code virtualization.”
Proofpoint warned that because it doesn’t need to connect to a C&C server, Bart might “be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic.”
“Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables,” the security firm concluded.
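The gateway rule Proofpoint recommends above, blocking zipped executables, is the kind of check a mail filter can apply before a message reaches a user. The Python below is an added example, not Proofpoint's code or anything from the article: it opens a zip attachment in memory, flags members that look executable either by extension or by the Windows PE "MZ" header (so a renamed executable is still caught), descends one level into nested zips, and reports password-protected members it cannot inspect. The extension list, the sample archive and its file names are constructed assumptions for the example, not observed Bart artefacts.

```python
import io
import zipfile

# Extensions that commonly carry executable content in mail attachments.
# This list is an assumption for the example, not any vendor's rule set.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".cpl",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1",
}

# Windows PE files begin with the "MZ" DOS header whatever their file name.
PE_MAGIC = b"MZ"


def member_is_executable(name: str, head: bytes) -> bool:
    """True if a zip member looks executable by extension or by PE magic."""
    lowered = name.lower()
    if any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    return head.startswith(PE_MAGIC)


def scan_zip_attachment(data: bytes, max_depth: int = 2) -> list:
    """Return names of members that should trigger a block.

    Nested members are reported as "outer.zip/inner.exe". Encrypted members
    cannot be inspected, so they are reported as well: a gateway cannot show
    they are safe. Non-zip input yields an empty list (nothing to inspect).
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append(f"{info.filename} (encrypted, cannot inspect)")
                continue
            with zf.open(info) as member:
                head = member.read(4)
            if member_is_executable(info.filename, head):
                findings.append(info.filename)
            elif info.filename.lower().endswith(".zip") and max_depth > 0:
                # Recurse into a nested archive, with a depth limit against zip bombs.
                inner = zf.read(info)
                for finding in scan_zip_attachment(inner, max_depth - 1):
                    findings.append(f"{info.filename}/{finding}")
    return findings


def should_block(data: bytes) -> bool:
    """Gateway decision: block the attachment if any member was flagged."""
    return bool(scan_zip_attachment(data))


def build_sample_zip() -> bytes:
    """Constructed sample attachment (placeholder contents, not real malware):
    a text file, a script by extension, a renamed PE (.txt name, MZ header)
    and a nested zip holding an .exe name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as nested:
        nested.writestr("setup.exe", "placeholder, not a real program")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "just text")
        zf.writestr("invoice.js", "// placeholder script body")
        zf.writestr("readme.txt", b"MZ\x90\x00placeholder, not a real PE")
        zf.writestr("archive.zip", inner.getvalue())
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed sample attachment containing only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "meeting notes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        print(label, "block" if should_block(blob) else "allow", scan_zip_attachment(blob))
```

Checking the first bytes of each member is what makes the rule useful: a filter keyed on ".exe" alone passes an executable that arrives as "readme.txt", whereas the MZ check still flags it. Reporting encrypted members keeps the policy conservative, since an archive the gateway cannot open is exactly where an extension rule gives no assurance.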
The ransomware epidemic continues to grow and spread globally. Security vendor Trend Micro claimed last week that it has blocked 100 million such threats for its customers in the past six months alone, and Kaspersky Lab said the number of users exposed to crypto-ransomware jumped more than five-fold from 2014 to 2016.