
Security Alert: Bart Ransomware Bypasses Corporate Firewalls

A new ransomware variant has emerged that’s similar to widespread threats such as Dridex 220 and Locky Affid=3, but uses a security-evading technique that may allow it to attack organisations protected from other malware, according to computer security researchers.
Ransomware has spread quickly in the last few months, as a number of payouts have attracted cyber-criminals to the technique.



No external connection needed

The new variant, called Bart, doesn’t need to connect to an outside server before maliciously encrypting a user’s files, making it harder to block, according to Proofpoint.
“Because Bart does not require communication with (command and control) infrastructure prior to encrypting files… Bart may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic,” the firm’s researchers said in an advisory.

The malicious file arrives in the form of a zipped JavaScript attachment, so organisations need to ensure that zipped executables are blocked by their email gateway, Proofpoint said.

Bart, first discovered being distributed by a large spam campaign on Friday, arrives as an email with the subject line “Photos” and an attachment called “photos.zip”, the firm said. The zip archive contains a JavaScript file called PDF_123456789.js, but by default the .js extension doesn’t display on Windows, making the file appear at first glance to be a PDF document.
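The two points above, blocking zipped executables at the email gateway and catching the hidden-extension lure (a .js file named to look like a PDF), can be checked mechanically before an attachment reaches a mailbox. The following is an added example written for this article, not Proofpoint's code or any product's filter: it opens a zip attachment in memory, flags members whose extension is executable script or binary content, and separately flags names that mimic a document in front of that extension. The extension list and document tokens are a constructed policy (the article itself only names .js), and the sample archives are built inline with inert placeholder contents.

```python
from __future__ import annotations

import io
import os
import zipfile

# Extensions the gateway treats as executable content (constructed policy list;
# the article only names .js explicitly).
EXECUTABLE_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".com", ".pif", ".cmd", ".bat", ".ps1",
}
# Document-type tokens that, placed before the real extension, make a script
# look like a document once Windows hides the extension (e.g. PDF_123456789.js).
DOCUMENT_TOKENS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "invoice", "photo")


def classify_member(name: str) -> list[str]:
    """Return the reasons a single archive member would be flagged (empty if none)."""
    reasons = []
    base = os.path.basename(name).lower()
    root, ext = os.path.splitext(base)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # Name suggests a document but the extension says script: double-extension lure.
        stem = root.replace("-", "_").replace(".", "_")
        if any(tok in stem.split("_") for tok in DOCUMENT_TOKENS):
            reasons.append("document-lookalike name")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Inspect a zip attachment and map each flagged member name to its reasons.

    Only members with at least one reason are included, so an empty dict means
    the archive contains no executable content under this policy.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_block(data: bytes) -> bool:
    """Gateway decision: block any archive that carries executable content."""
    return bool(scan_zip_attachment(data))


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content} (constructed demo input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one shaped like the lure described in the article (the .js
# body is an inert placeholder, not the malware) and one benign photo archive.
LURE_ZIP = build_sample_zip({"PDF_123456789.js": b"// placeholder script body\n"})
BENIGN_ZIP = build_sample_zip({"photos/holiday.jpg": b"\xff\xd8\xff", "notes.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in (("photos.zip (lure)", LURE_ZIP), ("photos.zip (benign)", BENIGN_ZIP)):
        verdict = "BLOCK" if should_block(blob) else "allow"
        print(f"{label}: {verdict} {scan_zip_attachment(blob)}")
```

The check is deliberately name-based rather than content-based so it runs cheaply on every attachment; it does not decrypt password-protected archives, so a gateway deploying it should treat an archive whose members cannot be listed as suspicious in its own right.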


Russians, Ukrainians and Belorussians in no danger


The program, once launched, checks for the system language and doesn’t infect computers using the Russian, Ukrainian or Belorussian languages, researchers found.
If the Italian, French, German, Spanish or English languages are detected, it uses files translated into those languages.
“This first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised,” the researchers wrote.

Once a system is encrypted, users are asked to pay 3 bitcoins, or about £1,500, to unlock the files. Instead of communicating with a command server, the malware appears to link to the payment server using the URL “id” parameter, Proofpoint said.


Development

Bart appears to have been developed by the attackers behind ransomware variants called Dridex 220 and Locky Affid=3, according to the firm, which said the method of distribution, the ransom message style and the payment portal style were all similar to the earlier programs.
The server hosting Bart’s malicious payload was also found hosting Dridex and Locky Affid=3, and there is a certain amount of code sharing between Locky and Bart, according to Proofpoint.

Ransomware has increasingly shifted to using JavaScript as users have grown increasingly wary of opening Word documents that may contain malicious macros, security researchers have said.
Earlier this month Sophos found a ransomware variant called RAA that carried out all its encryption activities using JavaScript, rather than downloading malicious code from a remote server, streamlining the infection process and bypassing security controls.
