Bart Ransomware Encrypts Before Connecting to Remote C&C Server

“Proactive measures are the best method to lowering risk against ransomware threats like Bart. Download our free white paper ‘Ransomware Epidemic’.”

Bart is a new ransomware that is being spread by mature Russian eCrime operations. Remember Dridex and Locky, which many of you have seen on a daily basis attempting to compromise your network? The same actors are behind Bart. TTPs include an email with a ZIP attachment containing a file that looks like a PDF but is actually a JavaScript (.js) file. When a user clicks through, wscript executes the script, which installs Bart; Bart then encrypts targeted files with a “” extension. Bart creates “recover.txt” in multiple directories and replaces the desktop background with “recover.bmp” to inform users that their files have been encrypted and where to pay the ransom of 3 bitcoins (about $2,000 USD). OSINT shows Bart largely targeting the US, but multiple translations exist, revealing a global effort by the actors behind Bart over time.
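The delivery chain described above (ZIP attachment, a PDF-looking name that is really a `.js` file, executed by wscript) can be caught at the mail gateway before any script runs. The following is an added example, not code from the original post or from any vendor tool it mentions: it opens a ZIP attachment in memory and flags entries whose real extension is one that Windows Script Host executes, with a stronger finding when a decoy document extension such as `.pdf` precedes it. The extension lists and the sample archive built by `build_sample_zip` are constructed for illustration; the entry names are not taken from a real Bart campaign.

```python
import io
import zipfile

# Extensions that Windows Script Host (wscript/cscript) executes on double-click.
# Assumed list for this example; extend to match your gateway policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Document extensions commonly placed in front of the real one so the
# attachment reads as a PDF or Office file in the mail client (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_entry(name):
    """Return a finding for one ZIP entry name, or None if it looks benign."""
    base = name.lower().rsplit("/", 1)[-1]      # strip any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return None                              # no extension at all
    real_ext = "." + parts[-1]
    if real_ext not in SCRIPT_EXTENSIONS:
        return None
    # Double extension such as invoice.pdf.js: the decoy is the second-to-last part.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return f"{name}: script disguised as {parts[-2]} document"
    return f"{name}: Windows Script Host payload"


def triage_zip(data):
    """Inspect raw ZIP bytes (an email attachment) and return a list of findings."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                finding = classify_entry(info.filename)
                if finding:
                    findings.append(finding)
    except zipfile.BadZipFile:
        # Not a real ZIP: still worth a look, since malformed archives are a
        # common evasion, but report it rather than silently passing it.
        findings.append("attachment is not a valid ZIP archive")
    return findings


def build_sample_zip(names):
    """Constructed sample: build an in-memory ZIP containing the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment mimicking the lure: a PDF-looking name ending in .js.
    sample = build_sample_zip(["invoice_2016.pdf.js", "readme.txt"])
    for line in triage_zip(sample):
        print("ALERT:", line)
```

Run as a gateway hook, `triage_zip` would be fed the decoded attachment bytes; any non-empty result is a reason to quarantine the message rather than deliver it, and the `is_dir()` check keeps folder entries from producing noise.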

Once your files are encrypted you’ll likely need backups to restore them. Do you trust your backups? When was the last time you audited them as if all your data depended on that backup? If ransomware hits a host in your environment, will it spread across the entire network, or do you have restrictions on zones and accounts to limit the spread of such network-aware threats? What are you doing to keep users informed of emergent ZIP-based email attachment threats like Bart? Get our free whitepaper on the Ransomware Epidemic to prepare your IT and security staff for proactive measures against ransomware threats like Bart.