Doh! New "Bart" Ransomware from Threat Actors Spreading Dridex and Locky

Stu Sjouwerman | Jun 29, 2016

Researchers discovered a new strain of ransomware called "Bart" - no kidding. 

The Russian cyber mafia behind Dridex 220 and Locky is using the RockLoader malware to download Bart over HTTPS. Bart has a payment screen like Locky's but encrypts files without first connecting to a command and control (C&C) server. It spreads through .zip attachments containing JavaScript code and uses social engineering to trick users into opening the attachments. Here is how they look:

Bart Ransomware Phishing Email

and the desktop background is replaced with the recover.bmp file:

Bart Ransomware Encryption Message

The ransom is currently sitting at 3 bitcoins (just under $2000); no free decryption is available. The payment portal is nearly identical to Locky's but uses a unique ransomware code.

While we are still investigating the technical details of this new ransomware, the connections between Bart and Dridex/Locky are significant. However, because Bart does not need to communicate with C&C infrastructure before encrypting files, it may be able to encrypt PCs behind corporate firewalls that would otherwise block such traffic. Organizations therefore need to ensure that Bart is blocked at the email gateway using rules that block zipped executables. We will continue to monitor and analyze Bart as additional campaigns and details emerge.
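As an added example (not code from the original post or from KnowBe4), here is a simplified version of such a gateway rule in Python: it flags a zip attachment whose members carry a script or executable extension (including double extensions like invoice.pdf.js), start with a Windows PE header under a disguised name, or sit inside a nested zip. The extension list and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Extensions an email gateway rule should treat as executable content when
# found inside a zip attachment (the Bart campaign used .js inside .zip).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".hta", ".bat", ".cmd"}
MAX_DEPTH = 3  # stop recursing into nested archives beyond this depth


def blocked_members(data: bytes, depth: int = 0) -> list[str]:
    """Return archive member names that should cause the attachment to be
    blocked: script/executable extensions, PE (MZ) content regardless of
    extension, and matches inside nested zips (prefixed with the outer name)."""
    hits: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip at all; other rules handle it
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        lower = name.lower()
        content = zf.read(info)
        # A double extension such as "invoice.pdf.js" still ends with the real one.
        if any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
        elif content[:2] == b"MZ":  # Windows executable hiding behind a benign extension
            hits.append(name)
        elif lower.endswith(".zip") and depth < MAX_DEPTH:
            hits.extend(f"{name}/{inner}" for inner in blocked_members(content, depth + 1))
    return hits


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample archive for exercising the rule (not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({
        "invoice.pdf.js": b"var a = 1;",             # script with a double extension
        "readme.txt": b"harmless text",
        "photo.jpg": b"MZ\x90\x00",                   # PE header under an image name
        "inner.zip": build_zip({"run.exe": b"MZ"}),   # executable in a nested archive
    })
    print(blocked_members(sample))  # ['invoice.pdf.js', 'photo.jpg', 'inner.zip/run.exe']
```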

Since phishing has risen to the #1 malware infection vector, and attacks are getting through your filters too often, giving your users effective security awareness training that includes frequent simulated phishing attacks is a must.

For instance, KnowBe4's integrated training and phishing platform allows you to send attachments with Word Docs with macros in them, so you can see which users open the attachments and then enable macros!

See it for yourself and get a live, one-on-one demo.

