Bart targets Windows OS and is distributed via email attachments containing JavaScript that, when opened, installs RockLoader, a malware dropper that attackers have also used to infect victims with Locky and Dridex. Once downloaded, Bart will only run if the infected system language is not Russian, Ukrainian, or Belorussian. After the language check is complete, Bart begins encrypting targeted files and locking them into a password-protected ZIP file, appending each with a .zip extension. It is important to note that Bart does not connect to any C2 server prior to, during, or after the encryption process. Therefore, firewall configurations designed to block such traffic will not prevent this variant from encrypting files. It is recommended to block Bart at the email gateway by blocking zipped executables. Bart demands a ransom payment of 3 Bitcoin.

UPDATE 9/8/2016: A new version of Bart, dubbed Bart2, has been spotted in the wild by researchers at AVG. It encrypts files using RSA-4096 and appends .bart2 to the file names.

UPDATE 10/25/2016: .PERL, an offshoot of Bart2 ransomware was seen in the wild appending .PERL to encrypted file names.

  • ProofPoint provides more information about Bart here.
  • AVG provides a free decryption tool for Bart, along with instructions on how to use it, here.
  • Bitdefender also provides a free decryption tool for Bart, available here.