Ransomware can be a pain, especially when it hits important or official files. One such ransomware, Bart, has been causing a lot of trouble because it can work offline. Fortunately for users affected by it, security firm Bitdefender has built a free tool to help them decrypt their files.
In support of the ‘No More Ransom’ initiative run by Europol’s European Cybercrime Centre, Bitdefender has collaborated with Europol and the Romanian police to make this tool freely available at NoMoreRansom.org. Bitdefender also states that the tool works on encrypted files with the extensions “.bart.zip”, “.bart” and “.perl”. Quite possibly, the keys required for decryption were provided by law enforcement, who may have obtained them during ongoing investigations.
What is Bart Ransomware?
Bart is a particularly notorious ransomware released in June 2016 by the same group that was behind Locky. Most ransomware uses RSA public-key cryptography and relies on an internet connection to its command-and-control servers to obtain the key pair. Bart instead uses the Advanced Encryption Standard (AES) to lock files inside a ZIP archive, so it needs no internet connection and can encrypt files offline as well.
This is not the first time Bart has been decrypted. The initial implementation had some chinks in its armour and was cracked by researchers at AVG using brute-force methods. The Bart developers hit back by upgrading their cryptographic implementation to much stronger methods, and it is this upgraded version that the new tool now decrypts.
Essentially, Bart works as follows:
- Deletes system restore points;
- Generates a seed for the encryption key from information retrieved from the target machine;
- Uses the generated key to enumerate and encrypt files;
- Uses a master key to encrypt the key that encrypted the files (the result becomes the victim’s unique ID, or UID); and then
- Shows a ransom note and redirects to a .onion website (the URL contains the victim’s UID).
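As an added example from the defender’s side (not part of the original article or of Bitdefender’s tool), the Python script below inventories files carrying the extensions the decryptor lists and checks whether each is a password-protected ZIP archive, the form described above for .bart.zip files, so the scale of an incident can be gauged before a decryptor is run. The sample tree is constructed, and the archive layout is assumed to be a standard ZIP with the encryption flag set.

```python
"""Defender triage for a Bart incident (added example): inventory files that
carry the extensions the decryptor handles and check whether each one is a
password-protected ZIP, the form the article describes for .bart.zip files."""
import io
import zipfile

BART_EXTENSIONS = (".bart.zip", ".bart", ".perl")  # extensions the decryptor lists

def has_bart_extension(path: str) -> bool:
    return path.lower().endswith(BART_EXTENSIONS)

def inspect_archive(data: bytes) -> dict:
    """Is `data` a ZIP, and does every entry carry the traditional-encryption
    flag (bit 0 of the general-purpose flags)? Standard ZIP keeps entry names
    in the clear, so they reveal which original files were locked."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_zip": False, "encrypted": False, "entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        encrypted = bool(infos) and all(zi.flag_bits & 0x1 for zi in infos)
        return {"is_zip": True, "encrypted": encrypted,
                "entries": [zi.filename for zi in infos]}

def triage(files: dict) -> list:
    """`files` maps path -> bytes (fill it from os.walk on a real machine)."""
    return [{"path": p, **inspect_archive(d)}
            for p, d in sorted(files.items()) if has_bart_extension(p)]

def make_locked_zip_sample(inner_name: str, payload: bytes) -> bytes:
    """Constructed stand-in for a Bart archive (assumption: a standard ZIP with
    the encryption flag set). zipfile cannot write encrypted archives, so the
    flag is patched into the local (offset 6) and central (offset 8) headers;
    the payload itself stays in the clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    raw = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(sig)
        while pos != -1:
            raw[pos + off] |= 0x01
            pos = raw.find(sig, pos + 1)
    return bytes(raw)

# Constructed sample tree: one archive, one non-ZIP with a Bart extension, one clean file.
SAMPLE_FILES = {
    "docs/report.docx.bart.zip": make_locked_zip_sample("report.docx", b"sample"),
    "docs/budget.xlsx.perl": b"\x00\x01not-a-zip",
    "docs/readme.txt": b"untouched",
}
```

Running `triage(SAMPLE_FILES)` flags both suspect paths, marks only the .bart.zip file as an encrypted ZIP, and names report.docx as the locked file inside it.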
What can you do?
Even though the encryption used by such ransomware is getting stronger by the day, it is fairly easy to avoid infection by following standard security practices, such as not opening attachments from unrecognised sources. According to a Bitdefender analysis, global losses due to ransomware have reached $1 billion, and users are paying anything between $300 and $500 to get their files unlocked. And if you are one of the affected, remember that paying the ransom only empowers the malicious developers behind it. In many cases, holding on to the encrypted files until a decryption method is found has proven worthwhile.