
Bart Ransomware

By GoldSparrow in Ransomware

The Bart Ransomware is a ransomware Trojan that has been attributed to the same group responsible for creating and distributing threats such as Locky and Dridex. The Bart Ransomware is referred to by this name because of its references to the famous character from The Simpsons animated series. The Bart Ransomware is installed on victims' computers by RockLoader, which delivers it over HTTPS. The Bart Ransomware has a payment screen that is very similar to Locky's, but it can encrypt files without needing to connect to a Command and Control server, so the attack still succeeds on computers that are offline or whose outbound traffic is filtered.

Infected PC Users may Lose Precious Files

PC security analysts noticed a large threat campaign on June 24. This series of attacks involved large quantities of email messages carrying corrupted attachments in the form of ZIP files. These ZIP archives contained corrupted JavaScript content. When opened, the attachment would immediately download and install RockLoader on the victim's computer. This loader had already been observed in other ransomware attacks, Locky in particular. RockLoader then downloads and installs the Bart Ransomware. The corrupted email messages associated with the Bart Ransomware campaign tend to make victims believe that the email contains 'photos,' 'images,' or similar content, so that it looks like an innocent message from a friend containing pictures. This lure is especially effective when the email is sent from the account of one of the victim's email contacts whose computer has been compromised previously.
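The delivery vector described above (a ZIP attachment whose only real content is a script) is something a mail gateway can refuse before any user opens it. The following Python script is an added example, not code from the original article or from any vendor mentioned in it: it opens an attachment in memory, classifies it by the members it contains, and treats an unparseable archive as something to quarantine rather than deliver. The article only mentions JavaScript; the other Windows Script Host extensions in the set, and the sample archives built at the bottom, are assumptions made for this example.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Script types a ZIP lure can carry. The article only mentions JavaScript; the other
# Windows Script Host extensions are an added assumption so the rule also catches
# the obvious variants of the same trick.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}


@dataclass
class TriageResult:
    verdict: str                 # "block", "review", "allow" or "unparseable"
    reasons: list = field(default_factory=list)
    members: list = field(default_factory=list)


def final_extension(member_name: str) -> str:
    """Lowercased last extension of an archive member ('a/b/X.jpg.JS' -> '.js')."""
    base = member_name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[-1].lower()


def triage_zip_attachment(data: bytes) -> TriageResult:
    """Classify a ZIP attachment before it reaches a mailbox.

    block       - a member is a script (the delivery vector described above)
    review      - no script, but a nested archive that a second pass must open
    allow       - only non-script members
    unparseable - not a valid ZIP; quarantine rather than hand it to the user
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return TriageResult("unparseable", ["attachment is not a valid ZIP archive"])

    result = TriageResult("allow", [], members)
    for name in members:
        ext = final_extension(name)
        if ext in SCRIPT_EXTENSIONS:
            reason = f"script member: {name}"
            # 'IMG_0001.jpg.js' is shown as 'IMG_0001.jpg' when Explorer hides
            # known extensions, which is exactly what the 'photos' lure relies on
            if name.rsplit("/", 1)[-1].count(".") >= 2:
                reason += " (double extension masquerading as another file type)"
            result.reasons.append(reason)
            result.verdict = "block"
        elif ext == ".zip":
            result.reasons.append(f"nested archive: {name}")
            if result.verdict != "block":
                result.verdict = "review"
    return result


def build_zip(files: dict) -> bytes:
    """Constructed sample input: an in-memory ZIP built from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a Bart-style lure, a genuine photo archive, and junk bytes.
    lure = build_zip({"photos/IMG_2016.jpg.js": "var sh = new ActiveXObject('WScript.Shell');"})
    benign = build_zip({"photos/IMG_2016.jpg": b"\xff\xd8\xff\xe0"})
    for label, blob in (("lure", lure), ("benign", benign), ("junk", b"not a zip")):
        r = triage_zip_attachment(blob)
        print(f"{label}: {r.verdict} {r.reasons}")
```

The verdict is driven by the last extension of each member, not by the MIME type the sender declared, because the lure's whole point is that the declared content ("photos") and the real content (a script) disagree. Nested archives are only sent for review rather than blocked, since legitimate users do mail ZIPs inside ZIPs; a production rule would recurse into them with the same check.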

During the attack, the Bart Ransomware alerts the victim by creating two files, an image and a text file. Both are named 'recover' and are in TXT and BMP formats. The BMP image file is dropped on the victim's Desktop and is used to replace the Desktop wallpaper. The Bart Ransomware checks the language setting of the affected computer and delivers a ransom note in that language. Apparently, the Bart Ransomware has translated versions of its ransom note in Italian, German, French and Spanish (as well as English). When checking the victim's language, the Bart Ransomware will avoid infecting computers located in Russia, Ukraine or Belarus. This makes the Bart Ransomware attack quite localized and seemingly designed to target computer users in the United States and Western Europe (the languages of its ransom notes) while avoiding, for the most part, computer users in Russian-speaking countries.

The file extensions that the Bart Ransomware searches for on the infected computer include:

.123 | .3dm | .3ds | .3g2 | .3gp | .602 | .aes | .ARC | .asc | .asf | .asm | .asp | .avi | .bak | .bat | .bmp | .brd | .cgm | .cmd | .cpp | .crt | .csr | .CSV | .dbf | .dch | .dif | .dip | .djv | .djvu | .DOC | .docb | .docm | .docx | .DOT | .dotm | .dotx | .fla | .flv | .frm | .gif | .gpg | .hwp | .ibd | .jar | .java | .jpeg | .jpg | .key | .lay | .lay6 | .ldf | .m3u | .m4u | .max | .mdb | .mdf | .mid | .mkv | .mov | .mp3 | .mp4 | .mpeg | .mpg | .ms11 | .MYD | .MYI | .NEF | .odb | .odg | .odp | .ods | .odt | .otg | .otp | .ots | .ott | .p12 | .PAQ | .pas | .pdf | .pem | .php | .png | .pot | .potm | .potx | .ppam | .pps | .ppsm | .ppsx | .PPT | .pptm | .pptx | .psd | .rar | .raw | .RTF | .sch | .sldm | .sldx | .slk | .stc | .std | .sti | .stw | .svg | .swf | .sxc | .sxd | .sxi | .sxm | .sxw | .tar | .tbk | .tgz | .tif | .tiff | .txt | .uop | .uot | .vbs | .vdi | .vmdk | .vmx | .vob | .wav | .wb2 | .wk1 | .wks | .wma | .wmv | .xlc | .xlm | .XLS | .xlsb | .xlsm | .xlsx | .xlt | .xltm | .xltx | .xlw | .zip.

The Bart Ransomware encrypts all files that have these extensions. The Bart Ransomware demands payment of three Bitcoin, approximately $2,000 USD at the time, through a payment website very similar to the one used by the Locky Ransomware.
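The extension list above mixes upper- and lower-case entries (.DOC beside .docx, .XLS beside .xlsx), which is a reminder that the targeting is by extension regardless of case. The following Python script is an added example, not code from the original article or from the malware: it turns the list into a case-insensitive check, walks a directory tree to report which files Bart would have encrypted, and looks for the 'recover.txt' and 'recover.bmp' notes described earlier. The sample tree built by `run_demo` is constructed for this example; the names are chosen to exercise the matching rules (upper-case extensions, a `.tar.gz` whose final extension `.gz` is not on the list while `.tgz` is, and the notes themselves, which are a `.txt` and a `.bmp` and so must be recognised before the extension test).

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension list transcribed from the article, lowercased. The article's list mixes
# cases (.DOC beside .docx, .XLS beside .xlsx), so the check below compares
# case-insensitively rather than trusting the case on disk.
TARGETED_EXTENSIONS = frozenset("""
.123 .3dm .3ds .3g2 .3gp .602 .aes .arc .asc .asf .asm .asp .avi .bak .bat .bmp .brd
.cgm .cmd .cpp .crt .csr .csv .dbf .dch .dif .dip .djv .djvu .doc .docb .docm .docx
.dot .dotm .dotx .fla .flv .frm .gif .gpg .hwp .ibd .jar .java .jpeg .jpg .key .lay
.lay6 .ldf .m3u .m4u .max .mdb .mdf .mid .mkv .mov .mp3 .mp4 .mpeg .mpg .ms11 .myd
.myi .nef .odb .odg .odp .ods .odt .otg .otp .ots .ott .p12 .paq .pas .pdf .pem .php
.png .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .psd .rar .raw .rtf
.sch .sldm .sldx .slk .stc .std .sti .stw .svg .swf .sxc .sxd .sxi .sxm .sxw .tar
.tbk .tgz .tif .tiff .txt .uop .uot .vbs .vdi .vmdk .vmx .vob .wav .wb2 .wk1 .wks
.wma .wmv .xlc .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .zip
""".split())

# The two ransom-note files the article describes, both named 'recover'.
RANSOM_NOTE_NAMES = frozenset({"recover.txt", "recover.bmp"})


def is_targeted(filename) -> bool:
    """True when the file's final extension is on Bart's list, whatever its case."""
    return Path(filename).suffix.lower() in TARGETED_EXTENSIONS


def assess_tree(root) -> dict:
    """Walk root and report what Bart would encrypt and whether its notes are present."""
    by_extension = Counter()
    notes = []
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if name.lower() in RANSOM_NOTE_NAMES:
                # the note is itself a .txt/.bmp, so check for it before the extension test
                notes.append(os.path.join(dirpath, name))
            elif is_targeted(name):
                by_extension[Path(name).suffix.lower()] += 1
    return {
        "total_files": total,
        "targeted": sum(by_extension.values()),
        "by_extension": dict(by_extension),
        "ransom_notes": notes,
    }


SAMPLE_FILES = [  # constructed sample tree; names chosen to exercise the matching rules
    "Documents/budget.XLSX",        # upper-case extension, targeted
    "Documents/thesis.Doc",         # mixed case, targeted
    "Pictures/holiday.JPG",         # targeted
    "Pictures/raw/IMG_0001.nef",    # camera raw, targeted
    "Desktop/recover.txt",          # ransom note, not counted as a victim file
    "Desktop/recover.bmp",          # ransom note (also the wallpaper image)
    "Desktop/notes.md",             # not on the list
    "bin/tool.exe",                 # executables are not on the list
    "backup/archive.tar.gz",        # final extension .gz is NOT on the list
    "backup/archive.tgz",           # but .tgz is
]


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_FILES:
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"sample")
        return assess_tree(tmp)


if __name__ == "__main__":
    report = run_demo()
    print(f"{report['targeted']} of {report['total_files']} files would be encrypted")
    print("by extension:", report["by_extension"])
    print("ransom notes found:", len(report["ransom_notes"]))
```

Run against a file server or a user's profile, `assess_tree` gives a quick estimate of what a Bart infection would have cost, and the `ransom_notes` entries are the first thing to look for when confirming that an infection reached the host, since the notes are written to the Desktop regardless of how many files were encrypted.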
