Bart Ransomware Creates Password-Protected ZIP Files in Place of Common Encryption

As expected, new ransomware has evolved to introduce creative methods to spread its payload onto as many computers as possible. In that, the Bart ransomware's authors have conjured up a way to create individual password-protected ZIP archives instead of performing the common method of encrypting files on an infected computer.

Bart ransomware is among the latest malware that uses aggressive techniques that hold an infected PC for a ransom fee by locking down its operation through manipulating files. The significant difference in Bart ransomware versus the most recent encryption type threats its primary function of locking files in password-protected ZIP archives instead of encrypting files. Additionally, Bart ransomware uses the distribution methods similar to that of Locky ransomware where it uses spam email to deliver a ZIP archive that loads a malicious JS file once it is unzipped.

The JS file included within Bart ransomware's ZIP archive is one that downloads RockLoader, a malicious application that downloads the Bart ransomware. Similar to Locky, Bart ransomware is directly downloaded and initialized from the JS file. Another aspect that sets Bart ransomware apart from its suspected Locky predecessor, is its ability to work offline where it does not require a command and control server to negotiate an encryption process because it does not thrive on encryption of files to put up a ransom on computer users.

You can think of Bart ransomware as a rogue jail guard, one that locks up files inside a vault and holds the key to unlocking that vault for a substantial ransom fee. The vault in such a case is the ZIP archive that Bart masks files in a particular type, one out of 159 different file types. Bart uses up to as many as 159 different file types; some may be renamed to image.jpg.bart.zip where the original file was named image.jpeg.

The round off the differences of Bart ransomware, it asks that victimized computer users pay a ransom fee of 3 Bitcoin, which equates to about $1,800. We have seen many cases of ransomware break out of its conservative ways and start charging substantial ransom fees that end up costing computer users well over $1,000. The interesting part of the matter is that some computer users will pay the fee, even with it being $1,800 because they want to restore the functionality of their computer and not risk losing all of their data and irreplaceable files. Those who pay the fee may not have a viable backup of their system, which leaves them at the mercy of the ransomware and its authors.

For the time being, Bart ransomware doesn't have a decryptor or a method of freeing files locked in ZIP archives on an infected computer. However, it has yet to be seen if a universal password is available to unlock ZIP archives to free files, due to Bart ransomware adding a password to protect each individually Zipped file.

The extensive Bart ransomware notification that is displayed after infection is one that attempts to give victimized computer users several options of purchasing Bitcoins, which is a rarity among ransomware. We believe that as ransomware evolves the authors will start to offer detailed instructions and alternative methods for purchase of Bitcoins to make the process of paying ransom fees faster and easier. It's a win-win on the part of ransomware authors.