Locky Bart Ransomware Analyzed

Security researchers have completed an in-depth security analysis of the infamous Locky Bart ransomware strain, which has been used to infect thousands of victims worldwide.

An In-depth Look Into The Locky Bart Ransomware


A team of malware researchers has shed some light on one of the famous strains of the Locky family of viruses: the Bart ransomware. The reports came after they researched the latest version of the threat, which is able to compromise target user data without an active connection to the remote malicious C&C server.

A notable change between the new iteration of the virus and previous samples is that the backend servers appear to be maintained by hosts that are not directly affiliated with the criminal operators of the malware. In previous versions we have seen that the Bart ransomware places every affected file in a password-protected ZIP archive. The weak algorithm has allowed security researchers to create a decryption tool. Newer versions have followed a new formula:

  1. A unique master encryption key is created for every affected host.

  2. The target user data is enumerated and encrypted.

  3. The key that was used is encrypted using the master key, which is associated with the unique ID.

  4. To prevent file recovery the encryption engine also deletes System Restore backups.

There are several important characteristics that set it apart from some other viruses:

  • The Locky Bart ransomware gathers information from the infected machine to generate the unique encryption key. It then encrypts the master key using a public-private key pairing method. The private key is stored on the remote C&C server.

  • The ransomware creates a URL on the victim’s machine which contains a Tor link associated with the victim’s ID. When it is visited by the user, the remote server harvests the encrypted unique identification code. By following this procedure the users are actually sending out their private decryption key to the criminals via the network stream.

  • The Bart Locky ransomware uses code virtualization technology, an anti-tampering mechanism primarily used as a software protection technique.

  • The remote C&C server uses its own payment mechanism. If a payment is initiated it is transferred to other wallets. The decryption application is automatically created when the payment has been processed.

  • The backend server uses several software components, among them PHP, Bootstrap, JavaScript, ZIP and other popular open-source software and frameworks. They contain information about every request, including request information, body, header information, timestamp, victim ID, encryption keys, Bitcoin addresses, payment status and so on.

  • According to the security experts, the server part of the ransomware is designed to appear and function like a legitimate business. Every victim (also referred to as user or customer) is provided with a support section which is used to initiate contact if they have any concerns.


Author: Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

