PhishMe Inc. announced that it has uncovered additional data concerning a recently discovered new tool in the encryption ransomware market. As of June 24th, the number of infections from Bart’s first run is already significant, with targets all around the globe. In just the first few hours of the campaign, 5,622 victims have been compromised. If only 10 percent of those users pay the ransom, this could net the attackers 1,686 Bitcoins, or just over $1 million USD. These waves are also heavily targeting the United States, Germany, France and the UK.
A number of elements in the Bart encryption ransomware make this a noteworthy development in the phishing threat landscape. Delivered by RockLoader, the Bart encryption ransomware has leveraged some distinctive mechanisms for delivery during its early deployments. It also shares some interface elements that evoke the same look and feel used by the Locky encryption ransomware ransom payment interface.
Aaron Higbee, CTO and Co-Founder at PhishMe commented: “The development and deployment of yet another encryption ransomware stands as a testament to the continued success of ransomware as a criminal tool. Phishers are constantly evolving their methods, making it an arms race between the criminal and an organisation’s IT security defenses. However, by empowering and harnessing the skill and judgment of its people, an organisation can bolster its defenses against malware threats delivered via phishing email. When coupled with effective incident response platforms and robust, timely threat intelligence, even the newest and most clever malware threats can be overcome.”
While many encryption Ransomware varieties report the infection of a new computer back to a command and control host in order to obtain a go-ahead for encryption, Bart performs no such report and has no evident capability to contact any supporting resources. Instead, Bart is believed to rely on the distinct victim identifier to tell the criminal phisher what decryption key should be used to create the decryption application which the ransomware claims to make available to those victims who pay the ransom.
In another notable feature of Bart, targeted files are placed in individual Zip archives and password protection is applied to the archives. Using a Zip archive isn’t revolutionary, but the effect on the victim remains the same, while also avoiding alerts from cloud-based storage platforms that have been tuned to recognize legacy ransomware tactics. This represents a change in the way ransomware operates. Most encryption ransomware has traditionally relied upon an asymmetric public-private key pair or the creation of a distinct symmetric encryption key for encryption. That key is generally passed to the threat actor’s infrastructure at the time of encryption for later use.
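The detection gap described above (each victim file wrapped in its own password-protected Zip, which legacy ransomware signatures miss) is something a file-share or cloud-sync monitor can look for directly: the ZIP general-purpose flag bit 0 marks an entry as encrypted, and a burst of many such archives appearing within a short window is the signal. The script below is an added example, not PhishMe's or the ransomware's code; the file-create events, paths and thresholds are constructed for illustration, and the archives are built by hand only so the example runs offline.

```python
"""Flag a burst of password-protected ZIP archives being written to a share.
Added example (not PhishMe's or Bart's code); all events below are constructed."""
import io
import struct
import zipfile
import zlib
from collections import deque

ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose bit 0: entry is password-protected


def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Build a minimal single-entry STORED archive. With encrypted=True the
    encryption flag is set and a 12-byte encryption header is prepended, so the
    archive parses as password-protected (a constructed sample, not real ransomware output)."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    if encrypted:
        payload = b"\x00" * 12 + payload
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    size = len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, size, size, len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, size, size, len(name), 0, 0, 0, 0, 0, 0) + name
    cd_offset = len(local) + size
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + payload + central + eocd


def is_password_protected_zip(data: bytes) -> bool:
    """True when data is a valid ZIP and every entry carries the encryption flag.
    Only the central directory is read; no entry is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False
    return bool(infos) and all(info.flag_bits & ENCRYPTED_FLAG for info in infos)


def burst_alerts(events, threshold=20, window=60):
    """events: time-ordered (timestamp_seconds, path, bytes) file-create events.
    Returns (timestamp, count) for every window in which at least `threshold`
    password-protected archives were written; one alert per burst."""
    recent = deque()
    alerts = []
    for ts, _path, data in events:
        if not is_password_protected_zip(data):
            continue  # plain archives and non-ZIP files are normal traffic
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
            recent.clear()  # reset so one burst yields a single alert
    return alerts


def sample_events():
    """Constructed timeline: ordinary archives over an hour, one legitimate
    password-protected backup, then 25 encrypted archives inside 25 seconds."""
    events = []
    for i in range(5):
        events.append((i * 600, f"share/docs/report{i}.zip",
                       build_zip(b"report.docx", b"Q2 numbers", False)))
    events.append((1800, "share/docs/backup.zip",
                   build_zip(b"notes.txt", b"private", True)))
    for i in range(25):
        events.append((4000 + i, f"share/docs/file{i}.docx.zip",
                       build_zip(f"file{i}.docx".encode(), b"contents", True)))
    return events


def demo():
    """Run the detector over the constructed timeline."""
    return burst_alerts(sample_events())


if __name__ == "__main__":
    for ts, count in demo():
        print(f"ALERT t={ts}s: {count} password-protected archives within 60s")
```

The single legitimate encrypted backup at t=1800 never trips the detector because the window is sliding: it has long since aged out when the burst begins, and the burst alone crosses the threshold on its 20th archive. In production the events would come from a file-server audit log or a cloud-storage change feed rather than a constructed list, and the threshold should be tuned against the share's normal rate of archive creation.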
Additionally, PhishMe offers a new threat alert subscription service for those who want increased visibility of critical and developing phishing and malware threats. Readers can sign up to receive PhishMe Threat Alerts on the PhishMe website.