October 25, 2016
Bart ransomware has been discovered in the wild by the malware researcher Jakub Kroustek from Avast. The new strain of the malware encrypts files and appends the .perl extension to them. Its ransom note and payment instructions page appear identical to those of Locky ransomware. To see how to remove the virus and how you can try to restore your files, read the whole article.
Bart Ransomware – Infection
Bart ransomware could infect your computer in various ways. Spam emails could be spreading the payload file. Such spam letters are written to make you think that they are urgent and that their attachment must be opened. In most cases the attached file looks like a normal document, but in actuality it contains malicious code. If you open the file from the email’s attachment, you will infect your computer.
Other infection methods could also be used by the Bart ransomware. The malware makers could be distributing the payload file through social media and file-sharing sites. The file could be placed on such platforms in an attempt to infect more computer systems. When surfing the Web, try to be more careful. Do not open files from suspicious links or e-mails. Always scan files with security software and check their signatures and size before opening them. You should read the ransomware prevention tips in the corresponding forum thread.
Bart Ransomware – Details
The malware researcher Jakub Kroustek has found a malware sample of this new variant of Bart ransomware. Like previous variants, it uses the design of the Locky ransomware virus for its payment page and ransom note, but it is not a full copycat, as it uses its own name and extension.
After Bart ransomware executes its payload, it probably makes entries in the Windows Registry to achieve persistence. Those registry entries are designed to make the cryptovirus auto-launch with every boot of the Windows operating system. Next, your files get encrypted, and then the ransom message appears as your new desktop background. The ransom message is stored in the files named recover.bmp and recover.txt – the same as in the first Bart ransomware variant.
You can preview the ransom message in the picture below:
The text reads the following:
!!! IMPORTANT INFORMATION !!!
All your files are encrypted.
Decrypting of your files is only possible with the private key, which is on our secret server.
To receive your private key follow one of the links:
1. http://uk74sqtx2ynr2nzb.onion.gq/?id=[Redacted]
2. http://uk74sqtx2ynr2nzb.onion.nu/?id=[Redacted]
3. http://uk74sqtx2ynr2nzb.onion.cab/?id=[Redacted]
4. http://uk74sqtx2ynr2nzb.onion.to/?id=[Redacted]
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: uk74sqtx2ynr2nzb.onion/?id=[Redacted]
4. Follow the instructions on the site.
!!! Your personal identification ID: [Redacted] !!!
Bart uses the same layout with instructions for paying the ransom as its past variants, which is a copy of the one that Locky uses:
The Bart virus demands payment of 1 Bitcoin, which is equivalent to around 660 US dollars at the time of writing this article. No deadline is given to victims for payment, no threats are made, and the payment site promises a working decryptor if you decide to buy it. However, you shouldn’t be thinking of supporting extortionists, as they are criminals and the money can be used to create new ransomware projects. No one can guarantee that you will restore your files if you pay.
Currently, a full list of the file types that this ransomware encrypts does not exist, and the article will be updated if such information becomes available. Despite that, files with the following extensions will surely get encrypted:
.png, .doc, .docx, .jpeg, .bmp, .jpg, .mp3, .pdf, .psd, .rtf, .html, .xls, .xlsx, .ppt, .pptx
All encrypted files will have the .perl extension appended to them, right after the original file extension. It is unknown which encryption algorithm the virus uses, and the ransom note does not state one.
The Bart ransomware is very likely to erase the Shadow Volume Copies of the Windows operating system with the following command:
vssadmin.exe delete shadows /all /Quiet
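The following Python script is an added example and is not part of the original article: it applies the indicators described above (the .perl extension appended after an original extension, the recover.txt/recover.bmp note files, and a vssadmin "delete shadows" command line) to constructed sample file paths and process-creation log lines. The log line format and all paths are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample inputs (not taken from the article or from a real infection).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.perl",
    r"C:\Users\alice\Pictures\holiday.jpg.perl",
    r"C:\Users\alice\Desktop\recover.txt",
    r"C:\Users\alice\Desktop\recover.bmp",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Scripts\parser.perl",  # a genuine Perl script, not an encrypted file
]
SAMPLE_PROCESS_LOG = [  # assumed key=value process-creation log format
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
    'ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /Quiet"',
    'ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows"',
]

RANSOM_NOTE_NAMES = {"recover.txt", "recover.bmp"}
# Matches the shadow-copy deletion regardless of case or extra spacing.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def is_bart_encrypted(path: str) -> bool:
    """True when ".perl" follows an original extension, e.g. report.docx.perl.
    A plain foo.perl (an ordinary Perl script) is not flagged."""
    name = PureWindowsPath(path).name.lower()
    if not name.endswith(".perl"):
        return False
    stem, _, original_ext = name[: -len(".perl")].rpartition(".")
    return bool(stem) and bool(original_ext)


def is_ransom_note(path: str) -> bool:
    return PureWindowsPath(path).name.lower() in RANSOM_NOTE_NAMES


def scan_files(paths):
    """Split a file listing into (encrypted files, ransom note files)."""
    encrypted = [p for p in paths if is_bart_encrypted(p)]
    notes = [p for p in paths if is_ransom_note(p)]
    return encrypted, notes


def find_shadow_deletion(log_lines):
    """Return log lines whose CommandLine runs vssadmin delete shadows."""
    hits = []
    for line in log_lines:
        m = re.search(r'CommandLine="([^"]*)"', line)
        if m and VSSADMIN_DELETE.search(m.group(1)):
            hits.append(line)
    return hits
```

A hit from find_shadow_deletion whose ParentImage is a user-writable path (as in the sample) is a stronger signal than one launched from an administrator's shell, because the deletion normally precedes the ransom note by only moments.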
Keep on reading to check what methods you can try to decrypt your files and bring them back to normal.
Remove Bart Ransomware and Restore .perl Files
If your computer got infected with the Locky ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Bart Ransomware.
Manually delete Bart Ransomware from your computer
Note! Important notice about the Bart Ransomware threat: Manual removal of Bart Ransomware requires editing system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.