.perl Virus Removal - New Bart Ransomware - How to, Technology and PC Security Forum | SensorsTechForum.com

.perl Virus Removal – New Bart Ransomware

Bart ransomware has been discovered in the wild by the malware researcher Jakub Kroustek from Avast. The new strain of the malware appends the .perl extension to the files it encrypts. It seems identical to Locky ransomware in its ransom note and payment instructions page. To see how to remove the virus and how you can try to restore your files, read the whole article.

Threat Summary

Name: Bart Ransomware
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts your data and then displays a ransom message with instructions for payment.
Symptoms: Encrypted files will have the .perl extension appended to them.
Distribution Method: Spam Emails, Email Attachments

Bart Ransomware – Infection

Bart ransomware could infect your computer in various ways. Spam emails could be spreading the payload file. Such spam emails are written to make you think that they are urgent and that their attachment must be opened. The attached file will look like a normal document in most cases, but it actually contains malicious code. If you open the attached file, you will infect your computer.

Other infection methods could also be used for Bart ransomware. The malware makers could be distributing the payload file through social media and file-sharing sites. That file could be placed on such platforms in an attempt to infect more computer systems. When surfing the Web, try to be more careful. Do not open files from suspicious links or e-mails. Always scan files with security software and check their signatures and size before opening. You should read the ransomware prevention tips in the corresponding forum thread.

Bart Ransomware – Details

The malware researcher Jakub Kroustek has found a malware sample of this new variant of Bart ransomware. Like previous variants, it uses the design of the Locky ransomware virus for its payment page and ransom note, but it is not a full copycat, as it uses its own name and extension.

After Bart ransomware executes its payload, it probably makes entries in the Windows Registry to achieve persistence. Those registry entries are designed to make the cryptovirus launch automatically with every boot of the Windows operating system. Next, your files will get encrypted, and then the ransom message will appear as your new desktop background. The ransom message is stored in the files named recover.bmp and recover.txt – the same as the first Bart ransomware variant.

You can preview the ransom message from the below picture:

[Image: Bart ransomware (.perl extension) ransom note, a Locky copycat]

The text reads the following:

!!! IMPORTANT INFORMATION !!!

All your files are encrypted.
Decrypting of your files is only possible with the private key, which is on our secret server.
To receive your private key follow one of the links:
1. http://uk74sqtx2ynr2nzb.onion.gq/?id=[Redacted]
2. http://uk74sqtx2ynr2nzb.onion.nu/?id=[Redacted]
3. http://uk74sqtx2ynr2nzb.onion.cab/?id=[Redacted]
4. http://uk74sqtx2ynr2nzb.onion.to/?id=[Redacted]

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: uk74sqtx2ynr2nzb.onion/?id=[Redacted]
4. Follow the instructions on the site.

!!! Your personal identification ID: [Redacted] !!!

Bart uses the same layout with instructions for paying the ransom as its past variants, which is a copy of the one that Locky uses:

[Image: Bart ransomware (.perl) decryptor page with ransom payment instructions]

The Bart virus demands payment of 1 Bitcoin, which is equivalent to around 660 US dollars at the time of writing this article. No deadline is given to victims for payment, no threats are made, and the pay site promises a working decryptor if you decide to buy it. However, you shouldn’t think of supporting extortionists, as they are criminals and the money can be used in the creation of new ransomware projects. No one can guarantee that you will restore your files if you pay.

Currently, a full list of the file types that this ransomware encrypts does not exist, and the article will be updated with one if such information comes out. Despite that, files with the following extensions will surely get encrypted:

→.png, .doc, .docx, .jpeg, .bmp, .jpg, .mp3, .pdf, .psd, .rtf, .html, .xls, .xlsx, .ppt, .pptx

All encrypted files will have the .perl extension appended to them, right after the original file extension. It is unknown what encryption algorithm is being used by the virus, and the ransom note doesn’t state any.
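To scope an infection from a file listing, the indicators described above (the .perl marker appended after the original extension, and the recover.txt / recover.bmp notes) can be checked mechanically. The following is an added example, not code from the article or from any vendor tool; the function names and the sample paths are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Indicators from the article; it says the extension list is incomplete.
LISTED_EXTS = {".png", ".doc", ".docx", ".jpeg", ".bmp", ".jpg", ".mp3", ".pdf",
               ".psd", ".rtf", ".html", ".xls", ".xlsx", ".ppt", ".pptx"}
MARKER = ".perl"
NOTE_NAMES = {"recover.txt", "recover.bmp"}


def classify(path):
    """Return (kind, original_name) for one path; kind is None if nothing matches."""
    p = PureWindowsPath(path)
    if p.name.lower() in NOTE_NAMES:
        return "ransom_note", None
    suffixes = [s.lower() for s in p.suffixes]
    # The marker is appended after the original extension, so require two
    # suffixes; a lone "script.perl" is not treated as an indicator.
    if len(suffixes) >= 2 and suffixes[-1] == MARKER:
        listed = suffixes[-2] in LISTED_EXTS
        kind = "encrypted_listed" if listed else "encrypted_unlisted"
        return kind, p.name[:-len(MARKER)]
    return None, None


def triage(paths):
    """Group matching paths by indicator kind and list folders with encrypted files."""
    summary = {"ransom_note": [], "encrypted_listed": [], "encrypted_unlisted": []}
    for path in paths:
        kind, _ = classify(path)
        if kind:
            summary[kind].append(path)
    hits = summary["encrypted_listed"] + summary["encrypted_unlisted"]
    folders = sorted({str(PureWindowsPath(p).parent) for p in hits})
    return summary, folders


# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.perl",
    r"C:\Users\alice\Documents\Q3.report.DOCX.PERL",
    r"C:\Users\alice\Pictures\cat.jpg",
    r"C:\Users\alice\Desktop\recover.txt",
    r"C:\Users\alice\Desktop\recover.bmp",
    r"C:\dev\tools\deploy.perl",
    r"C:\Users\alice\Documents\notes.txt.perl",
]

if __name__ == "__main__":
    summary, folders = triage(SAMPLE)
    print({kind: len(hits) for kind, hits in summary.items()}, folders)
```

Files reported as encrypted_unlisted carry the marker after an extension the article does not list, so they are worth a manual look rather than an automatic verdict.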

The Bart ransomware is very likely to erase the Volume Shadow Copies of the Windows operating system with the following command:

→vssadmin.exe delete shadows /all /Quiet
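Shadow copy deletion is visible in process-creation logs, so the command above can be turned into a detection. The following is an added example, not part of the original article; the event fields (host, parent, cmdline) and the sample events are constructed and would need mapping to your own log source.

```python
from pathlib import PureWindowsPath


def parse_vssadmin(cmdline):
    """Return the lower-cased vssadmin arguments in a command line, or None."""
    tokens = cmdline.replace('"', " ").lower().split()
    for i, tok in enumerate(tokens):
        # Match on the image name so full paths and a missing .exe are covered.
        if PureWindowsPath(tok).name in ("vssadmin", "vssadmin.exe"):
            return tokens[i + 1:]
    return None


def shadow_delete_alert(event):
    """Build an alert dict for a shadow copy deletion, or return None."""
    args = parse_vssadmin(event["cmdline"])
    if not args or args[:2] != ["delete", "shadows"]:
        return None
    switches = {a.split("=")[0] for a in args[2:] if a.startswith("/")}
    # /all together with /quiet removes every snapshot without a prompt,
    # which is the form shown in the article.
    silent_wipe = {"/all", "/quiet"} <= switches
    return {"host": event["host"], "parent": event["parent"],
            "severity": "high" if silent_wipe else "medium",
            "cmdline": event["cmdline"]}


def scan(events):
    """Return alerts for every event that deletes shadow copies."""
    return [a for a in map(shadow_delete_alert, events) if a]


# Constructed process-creation events (not from a real incident).
EVENTS = [
    {"host": "ws-01", "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": "vssadmin.exe delete shadows /all /Quiet"},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\VSSADMIN '
                "delete shadows /For=C: /Oldest"},
    {"host": "ws-03", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["severity"], alert["host"], alert["cmdline"])
```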

Keep on reading to check what methods you can try to decrypt your files and bring them back to normal.

Remove Bart Ransomware and Restore .perl Files

If your computer got infected with the Locky ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. You should remove the ransomware by following the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Bart Ransomware.

To remove Bart Ransomware follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Bart Ransomware files and objects
2. Find files created by Bart Ransomware on your PC

IMPORTANT!
Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Bart Ransomware

Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
