There is a new kind of ransomware floating around on the internet and it’s nasty.
The ransomware detected earlier this year and dubbed ‘Bart’ takes a whole new approach to complicating your life. With previous ransomware families, one of the first actions the malware took was to contact what is called a key server, a command-and-control host from which it fetched the key used to encrypt the files on the infected machine. That gave you two chances to stop the files from being encrypted: stop the infection in the first place, or stop the malware from communicating with the key server so it cannot do its job. Detecting and blocking the attempted key-server connection gave engineers a window to find and clean the infected machine before it did any damage. Bart cuts those detection and mitigation chances in half, because it operates without a key server at all.
Bart generates its encryption key locally and places each of your files in a password-protected ZIP archive, so no network traffic is needed before encryption begins. The key material does not travel over a command-and-control channel at all; it is carried in the victim ID embedded in the ransom note’s payment URL, so it reaches the payment server only when the victim visits that page, where Bart’s operators charge 3 bitcoins (almost $2,000 at the time) for the decryption key. Bart’s primary delivery mechanism to date has been wide-scale spam campaigns. The spam carries an intermediary loader called RockLoader, which then installs Bart on the target.
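Because Bart never reaches out for a key, the network-side chance described above is gone and detection has to move to the endpoint, where the artefact Bart leaves is a burst of password-protected ZIP archives. The following is an added example, not code from the original post or from any Securolytics product: it hand-assembles sample archives with the ZIP encryption flag set (Python’s zipfile can read but not write encrypted entries, so the sample payloads are placeholders rather than real ciphertext), then scans a directory tree and alerts when the count of fully encrypted archives crosses a threshold. The threshold value and the sample file names are assumptions; the `.bart.zip` naming follows how Bart was reported to rename victim files, but the check itself does not depend on the name.

```python
# Added example, not code from the original post. Endpoint-side check for the
# Bart pattern: many password-protected ZIP archives appearing on disk, with no
# key-server traffic to alert on. Threshold and sample names are assumptions.
import os
import struct
import tempfile
import zipfile
import zlib

ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in local and central headers


def build_zip(entries, encrypted):
    """Hand-assemble a STORED ZIP so the sample can carry the encryption flag.
    Constructed test data only: the 'encrypted' payload is not really enciphered,
    which is fine because the detector only inspects headers, never contents."""
    local, central = bytearray(), bytearray()
    flags = ZIP_ENCRYPTED_FLAG if encrypted else 0
    for name, data in entries.items():
        nb = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, namelen, extralen
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                             crc, len(data), len(data), len(nb), 0) + nb + data
        # central directory header: adds made-by version, comment/disk/attr fields and local offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, 0, crc, len(data), len(data), len(nb),
                               0, 0, 0, 0, 0, offset) + nb
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), len(local), 0)
    return bytes(local + central + eocd)


def is_fully_encrypted_zip(path):
    """True when the file is a ZIP whose every entry carries the encryption flag.
    Ordinary backups and software ZIPs have unencrypted entries and are ignored."""
    if not zipfile.is_zipfile(path):
        return False
    try:
        with zipfile.ZipFile(path) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False
    return bool(infos) and all(i.flag_bits & ZIP_ENCRYPTED_FLAG for i in infos)


def scan_tree(root):
    """Return the sorted paths under root that look like Bart output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_fully_encrypted_zip(path):
                hits.append(path)
    return sorted(hits)


def looks_like_ransomware_activity(root, threshold=5):
    """Assumed heuristic: `threshold` or more fully encrypted archives in one tree
    is worth an alert; a single password-protected ZIP is ordinary user behaviour."""
    return len(scan_tree(root)) >= threshold


def build_sample_tree(n_encrypted=6):
    """Constructed victim directory: an untouched document, one legitimate ZIP,
    and n_encrypted archives named <original>.bart.zip, each holding the
    original file name as its only entry, as Bart was reported to do."""
    root = tempfile.mkdtemp(prefix="bart_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"quarterly notes, untouched\n")
    with open(os.path.join(docs, "photos.zip"), "wb") as f:
        f.write(build_zip({"img1.jpg": b"\xff\xd8\xff\xe0 not really a jpeg"},
                          encrypted=False))
    for i in range(n_encrypted):
        original = "report%d.docx" % i
        with open(os.path.join(docs, original + ".bart.zip"), "wb") as f:
            f.write(build_zip({original: b"ciphertext placeholder %d" % i},
                              encrypted=True))
    return root


if __name__ == "__main__":
    victim = build_sample_tree()
    for hit in scan_tree(victim):
        print("encrypted archive:", hit)
    print("alert:", looks_like_ransomware_activity(victim))
```

In production this would run against file-creation events from an EDR or audit log rather than a full `os.walk`, and the threshold would be scoped to a time window; the point is that the signal is on the host, not on the wire.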
With the increasing sophistication of malware, it’s more important than ever to incorporate zero-day advanced threat protection into your security strategy. Securolytics ATP is purpose-built to detect and stop these types of threats on the email and web vectors while keeping you informed. Search your logs for the keyword ‘ransomware’ to see any attempt to contact a domain associated with known ransomware. For a family like Bart, that search surfaces the delivery stage, such as the spam link or the RockLoader download, rather than a key exchange, since there is none.