Hackers behind Locky and Dridex start spreading new ransomware
Bart ransomware locks files in password-protected zip files
Criminals behind the Dridex and Locky malware have launched new ransomware that zips up victims' files in a password-protected archive.
Hackers are using the RockLoader malware to download a new ransomware, called Bart, over HTTPS, according to a blog post from IT security firm Proofpoint. Its researchers said that Bart has a payment screen like Locky but encrypts files without first connecting to a command and control (C&C) server.
The firm said that last Friday its researchers detected a large campaign with .zip attachments containing JavaScript code. If opened, these attachments download and install the intermediary loader RockLoader, which in turn downloads Bart.
It said that messages in this campaign had the subjects "Photos" with the attachment "photos.zip", "image.zip", "Photos.zip", "photo.zip", "Photo.zip", or "picture.zip." The zip files contained JavaScript file such as "PDF_123456789.js."
Bart then informs victims that their files are being encrypted by the ransomware and turned into two types of files, a method similar to many other types of ransomware. Specifically, it drops a recover.txt into many folders and replaces the desktop background with an image file giving information to the victim about how they can pay a ransom and get their files back.
The ransom note displays in multiple languages depending on the user's system language. It has translations available in Italian, French, German, and Spanish. The malware also uses the system's language to avoid infecting systems of Russian, Ukrainian, and Belorussian users.
"This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised," the researchers said.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
The ransom note urges the user to visit a payment portal in order to pay three bitcoins (just under $2,000 at current exchange rates).
The ransomware does not appear to have any network communication mechanism with a command and control server. Instead, the necessary information about infected machine is likely passed to the payment server in the URL "id" parameter.
According to Proofpoint, the malware is using the open source WProtect for code virtualisation.
The researchers warned that Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic.
"Organisations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables," the researchers said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
Jitterbit eyes global growth under new CRO Chris StoddardNews The former New Relic executive will lead the vendor’s worldwide go-to-market strategy and revenue growth plans
-
This one cyber crime group accounted for nearly a fifth of all ransomware attacks in JuneNews The Gentlemen, a ransomware a service operator, now accounts for 17% of published attacks
-
This one cyber crime group accounted for nearly a fifth of all ransomware attacks in JuneNews The Gentlemen, a ransomware a service operator, now accounts for 17% of published attacks
-
Working with the enemy: Ransomware negotiator-turned cyber criminal jailed after working with hackers to extort clientsNews Angelo Martino was supposed to be negotiating on behalf of victims, but was secretly working for ransomware operators
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti