The cybercrooks behind ransomware Dridex and Locky have started distributing a new file-scrambling software nasty dubbed Bart.

Bart has a payment screen just like Locky's, and encrypts documents without first connecting to a remote command-and-control server to receive its orders. Bart may therefore be able to encipher Windows PC filesystems behind corporate firewalls that would otherwise block such malicious traffic.

Miscreants are pushing the Bart ransomware onto PCs via RockLoader. This precursor malware is distributed as script code in email attachments, says security firm Proofpoint.

"Proofpoint researchers detected a large campaign with .zip attachments containing JavaScript code," the biz explained.

"If opened, these attachments download and install the intermediary loader RockLoader (previously discovered by Proofpoint and used with Locky), which in turn downloads the new ransomware called 'Bart'."

Each message in this campaign has the subject "Photos" with an attachment called photos.zip, which contains malicious JavaScript code that, when opened, fetches the Bart executable via HTTPS and installs it.

Bart does not run if it determines the user's system language is Russian, Ukrainian, or Belorussian. Prior to creating documents explaining how to pay the ransom and unscramble the encrypted files, the malware determines the user's system language. It has translations of these instructions available in Italian, French, German, and Spanish.

The ransom note instructs victims to pay three Bitcoins (just under US$2,000 at current exchange rates).

"This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, it is unlikely that Bart will remain this localized," according to Proofpoint.

More details of the threat – including screenshots – can be found in a blog post here. ®