Another ransomware tool has been added to the ever-growing encryption ransomware market with the introduction of the Bart encryption ransomware. Named by its creators in its ransom payment interface as well as in the extension given to its encrypted files, the Bart encryption ransomware has leveraged some distinctive mechanisms for delivery during its early deployments. Furthermore, this ransomware shares some interface elements that evoke the same look and feel used by the Locky encryption ransomware ransom payment interface. In many ways the Bart encryption ransomware is a very mainstream encryption ransomware in both the files it targets for encryption (a full list of these file extensions is included at the end of this post) as well as its demand for a sizable Bitcoin ransom. However, a number of elements related to this encryption ransomware are noteworthy when viewed through the lens of recent developments in the phishing threat landscape.
Reuse of infrastructure supporting malware distribution is a well-documented characteristic of online crime and a key way to track and classify threat actors. While it may seem simplistic for monitoring threat actor activities, the IP addresses, domains, hostnames, and URLs contacted by malware tools betray a significant amount of information about threat actor groups. For some malware attacks, it’s possible to determine the threat actor’s identity based on the infrastructure used, but, other times, the lines are blurred because some organizations harbor cyber criminals.
On February 16, 2016, PhishMe’s Intelligence team identified a number of significantly large sets of emails delivering Word documents containing macro scripts used to download a malware payload. This malware delivery technique has been ubiquitous among many threat actors over the past year but has been most prolifically used by threat actors delivering the Dridex financial crimes trojan. The scope of Locky’s delivery in its first full day of deployment is staggering. As our friends at Palo Alto Networks have shown, over 400,000 endpoints around the world were affected by this encryption ransomware in mere hours. As we pointed out in our recent piece on Dridex, nearly three quarters of Dridex samples in 2015 where delivered using some form of Office documents using macro scripts as a download tool.
From time to time, there will be an overlap with malware infrastructure where one attacker will compromise another attacker’s infrastructure. Typically, this is part of the “compromised infrastructure” which can fluctuate, and attackers have even been seen to uninstall one another’s malware. However, in this case, we strongly believe that the actors are experimenting with Dridex, Pony, and Neutrino.