Another ransomware tool has been added to the ever-growing encryption ransomware market with the introduction of the Bart encryption ransomware. Named by its creators in its ransom payment interface as well as in the extension given to its encrypted files, the Bart encryption ransomware has leveraged some distinctive mechanisms for delivery during its early deployments. Furthermore, this ransomware shares some interface elements that evoke the same look and feel used by the Locky encryption ransomware ransom payment interface. In many ways the Bart encryption ransomware is a very mainstream encryption ransomware in both the files it targets for encryption (a full list of these file extensions is included at the end of this post) as well as its demand for a sizable Bitcoin ransom. However, a number of elements related to this encryption ransomware are noteworthy when viewed through the lens of recent developments in the phishing threat landscape.

Two of the most notable facts about the Bart encryption ransomware itself are its lack of command and control infrastructure and its particular means of denying victims access to their files. While many encryption ransomware varieties report the infection of a new computer back to a command and control host in order to obtain a go-ahead for encryption, Bart performs no such report and has no evident capability to contact any supporting resources. Instead, the ransomware is believed to rely on the distinct victim identifier to indicate to the threat actor which decryption key should be used to create the decryption application purported to be available to those victims who pay the ransom. Furthermore, most encryption ransomware has traditionally relied upon a sophisticated asymmetric public-private key pair or the creation of a distinct symmetric encryption key for encryption. This key is generally passed to the threat actor’s infrastructure at the time of encryption for later use. However, Bart simply places its targeted files in individual zip archives and applies password protection to these archives. A list of archives containing files impacted by Bart, together with the distinctive “recovery” text file, is shown in Figure 1, while the password prompt for accessing any of these files is shown in Figure 2.

The “recover.txt” and “recover.bmp” ransom notes are left in every directory where files have been encrypted in this way by Bart. These ransom note files contain a unique identifier passed as a parameter to the Tor-hosted payment sites when the victim visits any of the links within the note. Figure 3 shows the interface with which victims are presented upon visiting any of these payment locations via these links. When compared to the ransom payment interface in Figure 4 which is presented to victims of the Locky encryption ransomware, the similarity is striking. In fact, the largest difference is the significantly larger 3 BTC demand made in the Bart page which stands in stark contrast to the 0.5 BTC demand made by the Locky threat actors.
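The two on-disk artifacts described above, the ransom notes dropped in every affected directory and the password-protected zip archives that stand in for conventional encryption, are what a responder would sweep a host for. The following triage script is an added example written for this post, not code from PhishMe or from the ransomware; it walks a directory tree, reports every `recover.txt` / `recover.bmp` note and every `.zip` whose entries all carry the ZIP "encrypted" general-purpose flag (bit 0). The sample tree, file names and note contents are constructed for the demonstration (the real archive naming is only shown in the post's Figure 1, so nothing here assumes it); because Python's `zipfile` cannot write password-protected archives, the sample locked archive is produced by setting the flag bit in its headers by hand.

```python
"""
Host triage for the two Bart artifacts the post describes: ransom notes and
password-protected zip archives. Added example; assumptions are noted inline.
"""
import io
import os
import struct
import tempfile
import zipfile

ENCRYPTED_FLAG = 0x0001                      # ZIP general-purpose bit 0: entry is encrypted
NOTE_NAMES = {"recover.txt", "recover.bmp"}  # note file names reported in the post


def zip_is_password_protected(path: str) -> bool:
    """True if the file parses as a ZIP and every entry is flagged encrypted."""
    try:
        with zipfile.ZipFile(path) as zf:
            infos = zf.infolist()
    except (zipfile.BadZipFile, OSError):
        return False
    return bool(infos) and all(info.flag_bits & ENCRYPTED_FLAG for info in infos)


def triage_tree(root: str) -> dict:
    """Return sorted lists of ransom-note paths and password-protected archives under root."""
    notes, locked = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                notes.append(path)
            elif name.lower().endswith(".zip") and zip_is_password_protected(path):
                locked.append(path)
    return {"notes": sorted(notes), "locked_archives": sorted(locked)}


def make_zip_bytes(inner_name: str, payload: bytes, locked: bool) -> bytes:
    """Build a one-entry stored ZIP. If locked, set bit 0 of the flags field in both
    the local file header (offset 6) and the central directory entry (offset 8),
    which is exactly what zipfile reads back as ZipInfo.flag_bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, payload)
    data = bytearray(buf.getvalue())
    if locked:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
            struct.pack_into("<H", data, pos + flag_offset, flags | ENCRYPTED_FLAG)
    return bytes(data)


def build_sample_tree() -> str:
    """Constructed sample: one directory with a note and a locked archive, one clean directory.
    Directory and file names are hypothetical."""
    root = tempfile.mkdtemp(prefix="bart_triage_")
    hit = os.path.join(root, "Documents")
    clean = os.path.join(root, "Backups")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, "recover.txt"), "wb") as f:
        f.write(b"constructed ransom note placeholder\n")
    with open(os.path.join(hit, "budget.zip"), "wb") as f:
        f.write(make_zip_bytes("budget.xlsx", b"constructed spreadsheet bytes", locked=True))
    with open(os.path.join(clean, "archive.zip"), "wb") as f:
        f.write(make_zip_bytes("notes.txt", b"ordinary, unprotected archive", locked=False))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, paths in triage_tree(sample_root).items():
        print(kind)
        for p in paths:
            print("  ", os.path.relpath(p, sample_root))
```

The archive check deliberately requires every entry to be flagged rather than any entry, so ordinary archives with one protected member are not reported; tighten or loosen that to taste when sweeping real file shares. The note-name match is the stronger signal of the two, since password-protected archives also occur legitimately.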

However, these distinctive, simple, and effective attributes are not the only notable characteristics of the Bart encryption ransomware. Its delivery by phishing emails analyzed for Intelligence Threat ID 6291 indicated that the threat actors deploying Bart have access to top-tier delivery mechanisms. This set of phishing emails delivered a JavaScript application designed to download and execute a RockLoader sample. A few months ago, PhishMe wrote an assessment of the RockLoader malware downloader, describing a new malware used to deliver several different types of malware. At the time, it was responsible for the delivery of the Dridex trojan, the Locky encryption ransomware, and the Pony and Kegotip information stealers. Dridex has been one of the most successful financial crime and botnet trojans over the past two years, and since February 2016 Locky has been the foremost encryption ransomware, responsible for massive increases in the volume of emails delivering malware and accounting for approximately three-quarters of the ransomware samples analyzed in March 2016. However, deliveries of both Dridex and Locky fell to essentially zero between May 31 and June 21, 2016. Brief hints that there would be a resurgence of this ransomware were seen on June 15 and June 16, 2016, but it was not until June 21, 2016 that Locky surged once more.

This resurgence came with a number of simple anti-analysis techniques that, while not sophisticated, render Locky payloads more difficult to detect. This is relevant in discussing the Bart ransomware delivered by RockLoader on June 24, 2016, since it also leveraged a simple XOR to hide the executable content as it was downloaded. Once the download of the XOR-ciphered blob was complete, the RockLoader application performed the decode and ran the newly un-mangled executable as a Windows application.

Investigation into the RockLoader payload site revealed that in addition to the first Bart payload delivered by this malware, ultimately eleven payloads were made available to RockLoader for delivery to victims. These files are shown in Figure 5.

However, these files cannot be reliably executed as they do not contain the content necessary to comprise a Windows executable. Viewing the raw content of these files instead reveals what appears to be a blob of useless data with the first, “magic” MZ bytes missing.

One approach to reversing the algorithm used to encipher these files would be to look at the loader binary to see how it actually encodes them. This can take some time to determine. However, since the attackers were making frequent alterations to each payload, the better approach is to test for XOR encoding. By looking at the end of the file, where there are typically a bunch of NOPs, we can see the repetition of the 16-byte value “aWL~jH9zJl$5Yfz7”.

In order to render these values into the desired NOPs, it is necessary to XOR each value with itself. Since the value repeats every 16 bytes, there is some assurance that this will be our XOR key. However, this technique can be derailed when the file size is not a multiple of the key length, which throws off the key position used for iterative decoding from the start of the file. In order to avoid this, we have to read backwards (or swap) the values, swap the key, and decode the data with the inverse of the XOR key. In doing so, we are presented with something that looks much more like an .exe.

PhishMe researchers were able to create a Python script that can be reliably used to decode these executables. A copy is available for download here.
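The key recovery and the alignment problem from the two paragraphs above can be carried out in a few dozen lines. The following is an added example written for this post; it is not PhishMe's downloadable script and makes two assumptions the post does not state outright: that the padding at the end of the original executable consists of 0x00 bytes (so the ciphertext tail is the key itself), and that the loader applied the 16-byte key starting at offset 0 of the file. The sample "payload" is a constructed stand-in (an `MZ` header, a short body and zero padding), deliberately sized so its length is not a multiple of 16. Instead of physically reversing the data and the key, the decoder anchors the key phase to the last byte of the file, which is the same operation without the copies.

```python
"""
Recover a repeating XOR key from the zero-padded tail of a ciphered blob and
decode it with the key phase anchored to the END of the file, so a length that
is not a multiple of the key length does not throw the decode off.
Added example; assumptions: 0x00 trailing padding, key applied from offset 0.
"""

KEY_LEN = 16
# 16-byte value the post reports seeing repeated at the end of the RockLoader payloads.
REPORTED_KEY = b"aWL~jH9zJl$5Yfz7"


def recover_key_from_tail(blob: bytes, key_len: int = KEY_LEN,
                          pad: int = 0x00, blocks: int = 4) -> bytes:
    """Return the key *as it appears at the end of the file*.

    If the plaintext ends in runs of the padding byte, the last key_len bytes of
    ciphertext are (key XOR pad), but rotated by len(blob) % key_len. The result
    is therefore the key phase at the file's end, not necessarily the key as the
    loader applied it from offset 0. Raises ValueError when the tail does not
    repeat with period key_len, i.e. when the repeating-XOR assumption fails.
    """
    if len(blob) < key_len * blocks:
        raise ValueError("blob too short to confirm a %d-byte repeating tail" % key_len)
    tail = blob[-key_len * blocks:]
    chunks = [tail[i:i + key_len] for i in range(0, len(tail), key_len)]
    if any(chunk != chunks[0] for chunk in chunks[1:]):
        raise ValueError("tail does not repeat with period %d" % key_len)
    return bytes(b ^ pad for b in chunks[0])


def xor_from_start(data: bytes, key: bytes) -> bytes:
    """Plain repeating XOR with key[0] at offset 0 (how the loader is assumed to encode)."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def xor_anchored_to_end(data: bytes, tail_key: bytes) -> bytes:
    """XOR with the key phase anchored to the last byte: position len-1 pairs with
    tail_key[-1], len-2 with tail_key[-2], and so on. This equals reversing the
    data, reversing the key, decoding from the start, and reversing back."""
    n = len(tail_key)
    total = len(data)
    return bytes(b ^ tail_key[(i - total) % n] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a DOS/PE image starts with the 'MZ' magic bytes."""
    return data[:2] == b"MZ"


def decode_payload(blob: bytes) -> bytes:
    """End-to-end: recover the tail key and decode regardless of len(blob) % 16."""
    return xor_anchored_to_end(blob, recover_key_from_tail(blob))


# Constructed stand-in for a downloaded payload: 'MZ' magic, a short body and zero
# padding, 125 bytes in total so that the length is NOT a multiple of 16.
SAMPLE_PLAINTEXT = b"MZ\x90" + b"This is a constructed stand-in for a PE body." + b"\x00" * 77
SAMPLE_BLOB = xor_from_start(SAMPLE_PLAINTEXT, REPORTED_KEY)


if __name__ == "__main__":
    tail_key = recover_key_from_tail(SAMPLE_BLOB)
    print("key phase seen at end of file:", tail_key)
    print("naive decode from offset 0 looks like a PE:",
          looks_like_pe(xor_from_start(SAMPLE_BLOB, tail_key)))
    print("end-anchored decode looks like a PE:       ",
          looks_like_pe(decode_payload(SAMPLE_BLOB)))
```

On the 125-byte sample the tail shows a rotation of the key, so applying it from offset 0 yields garbage, while the end-anchored decode restores the `MZ` header; on a sample whose length is a multiple of 16 both approaches agree. The `MZ` check is only a sanity check, and a decoded file should still be validated (PE header parsing, hashing) before it is handled further.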

As of June 24th, the number of infections from Bart’s first run is quite high, with victims all around the globe. In just the first few hours of the campaign, 5622 victims had been compromised. If only 10% of those users pay the ransom, this could net the attackers 1686 Bitcoins, or just over 1 million USD. These waves are also heavily targeting the United States, Germany, France, and the UK.

The development and deployment of yet another encryption ransomware stands as a testament to the continued success of ransomware as a criminal tool. Furthermore, the threat actor’s reliance on phishing email as the means for delivering this ransomware drives home its effectiveness for attackers. However, by harnessing the skill and judgment of empowered users, an organization can bolster its defenses against malware threats delivered via phishing email. When coupled with effective incident response platforms and robust, timely threat intelligence, even the newest and most clever malware threats can be overcome.

Appendix:

Analysis of Bart ransomware samples has shown that this ransomware will encrypt files with the following extensions:

.n64, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .sh, .class, .jar, .java, .rb, .asp, .cs, .brd, .sch, .dch, .dip, .vbs, .vb, .js, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .db, .mdb, .sq, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mm, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wb2, .123, .wks, .wk1, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .602, .dotm, .dotx, .docm, .docx, .DOT, .3dm, .max, .3ds, .xm, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .p12, .csr, .crt, .key

It is worth noting that the encryption of .n64 ROM files is very interesting, as the only other ransomware that does this is Locky.