Remove Bart Ransomware and Restore .bart.zip Files - How to, Technology and PC Security Forum | SensorsTechForum.com

A ransomware variant that demands 3 BTC to unlock files it has renamed with the .bart.zip extension has been reported by security researchers as a serious cause for concern. They have dubbed the malware Bart and confirmed that it spreads through malicious JavaScript attachments. After infection, Bart drops its ransom note as a text document and sets the same note as the desktop wallpaper. Read this article to learn how to remove Bart ransomware from your computer and how to try to restore .bart.zip files.

Threat Summary

Name: Bart
Type: Ransomware
Short Description: Encrypts the user's files and directs the victim to a Tor payment page to pay a ransom of about 3 BTC (roughly 2,000 US dollars at the time of writing).
Symptoms: Files become inaccessible and receive the .bart.zip extension. A ransom note is left as a text file and set as the desktop wallpaper.
Distribution Method: Spam emails, email attachments, file-sharing networks.
User Experience: Join our forum to discuss Bart Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may recover only some of the encrypted files, depending on the situation and on whether the drive has been reformatted since.

Bart Ransomware – How Is It Spread

To infect users, the makers of this ransomware variant run massive spam campaigns whose .zip attachments contain malicious JavaScript. If the user trusts the message and opens the attachment, the script immediately fetches a loader known as RockLoader, which drops Bart's payload files and runs them. The emails are reported to carry the subject line "Photos", and the .zip attachments are believed to have names similar to the following:

  • Photo
  • Photos
  • Picture
  • Image

Inside the archive the user finds a .js file whose name combines an image-like prefix with a number, for example JPG_9834124.js, so that it passes for a photo at a glance.
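The lure described above (a .zip attachment whose only content is a script named like a photo) is easy to catch at the mail gateway before anyone double-clicks it. The following is an added example, not code from the original article or from any product it mentions: it opens a ZIP attachment in memory, lists every entry whose extension Windows would hand to the script host, and notes whether the entry name follows the Photo/Picture/Image/JPG_<digits> pattern the campaign used. The regex, the extension set and the sample archive are assumptions built from the names on this page; the sample .js body is a harmless placeholder, not a real downloader.

```python
import io
import posixpath
import re
import zipfile
from typing import Dict, List, Optional

# Extensions that Windows executes via the Windows Script Host, the shell or
# mshta when double-clicked; a "photo" archive has no business containing them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".ps1"}

# Assumed lure pattern, built from the attachment names reported for Bart
# (Photo, Photos, Picture, Image) and the JPG_9834124.js entry name.
LURE_NAME = re.compile(r"^(photo|photos|picture|image|img|jpe?g)[ _-]?\d*$",
                       re.IGNORECASE)


def classify_entry(name: str) -> Optional[Dict[str, object]]:
    """Return a finding for one archive entry, or None if it is not a script."""
    base = posixpath.basename(name)          # ZIP entry names use '/' separators
    stem, ext = posixpath.splitext(base)
    ext = ext.lower()
    if ext not in SCRIPT_EXTENSIONS:
        return None
    return {
        "entry": name,
        "extension": ext,
        "image_lure_name": bool(LURE_NAME.match(stem)),
    }


def scan_zip_attachment(data: bytes) -> List[Dict[str, object]]:
    """Inspect a ZIP attachment held in memory and list its script entries.

    A blob that is not a valid ZIP is reported as a finding too: an attachment
    that claims to be an archive but does not parse deserves a look anyway.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"entry": None, "extension": None, "image_lure_name": False,
                 "error": "not a valid ZIP"}]
    findings = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        finding = classify_entry(info.filename)
        if finding is not None:
            finding["size"] = info.file_size
            findings.append(finding)
    return findings


def gateway_verdict(subject: str, attachment_name: str, data: bytes) -> str:
    """Decide what a mail filter should do with one attachment.

    Any script inside the archive is enough to quarantine; the subject and
    attachment name only raise the confidence recorded in the verdict.
    """
    findings = scan_zip_attachment(data)
    if not findings:
        return "deliver"
    stem = posixpath.splitext(attachment_name)[0]
    lure_context = bool(LURE_NAME.match(subject.strip())) or bool(LURE_NAME.match(stem))
    return "quarantine:high" if lure_context else "quarantine"


def build_archive(entries: Dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {entry name: text content} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed lure archive mirroring the reported naming; not a real capture."""
    return build_archive({"JPG_9834124.js": "WScript.Echo('placeholder');"})


if __name__ == "__main__":
    sample = build_sample_attachment()
    for finding in scan_zip_attachment(sample):
        print(finding)
    print(gateway_verdict("Photos", "Photos.zip", sample))
```

The check deliberately keys on the entry extension rather than on the lure name: the name pattern changes between campaigns, but a script file inside a "photos" archive does not become legitimate when it is renamed.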

Bart Ransomware In Depth

After it has been dropped, Bart ransomware may reside in one of these Windows user-profile locations (written in the shorthand this site uses; %Roaming%, %Local% and %Desktop% are not literal environment variables):

  • %AppData%
  • %Roaming%
  • %Temp%
  • %Local%
  • %Desktop%

Once running, Bart's encryption module searches for roughly 140 file types to encrypt (the list below is Proofpoint's):

.123, .3dm, .3ds, .3g2, .3gp, .602, .aes, .arc, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .cmd, .cpp, .crt, .csr, .csv, .dbf, .dch, .dif, .dip,
.djv, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .myf, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .p12, .paq, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .rar, .raw, .rtf, .sch, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip

Source: ProofPoint.com

After encrypting these types of files, Bart Ransomware drops the following files onto the user’s computer:

  • Recover.txt
  • Recover.bmp

The Recover.txt file contains the same message as the .bmp file, which is set as the desktop wallpaper. The ransom note reads:

All your files are encrypted.
Decrypting of your files is only possible with the private key, which is on our secret server.
To receive your private key follow one of the links:
{4 web links here}
If all addresses are not available, follow these steps:
1. Download and install Tor Browser: https://torproject.org/download/download-easy.html
2. After successful installation, run the browser and wait for initialization.
3. Type in the address bar:
{randomly generated web links here}
4. Follow the instructions on the site.
!!! Your personal identification ID: {random alphanumeric ID} !!!

Source: infected users

The original article includes a screenshot of the ransomware's payment page, shown side by side with Locky's decryptor page.

The page instructs the victim to buy bitcoin and pay the ransom with it. The sum requested is approximately 3 BTC, which at the time of writing is roughly 2,000 US dollars. The instructions for downloading a decryptor are almost identical to those on Locky's decryptor page.

This strongly suggests that Bart is a variant of the notorious Locky ransomware, which has had a massive impact on users, and possibly that Locky's code or infrastructure has been offered for sale on dark-web markets. If so, Bart may use AES-128 as Locky does, but the article has no direct confirmation of the algorithm. What is certain is that each encrypted file receives the .bart.zip extension appended to its full original name, for example:

New Text Document.txt.bart.zip
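Because Bart keeps the original file name and simply appends .bart.zip, an incident responder can inventory the damage without any decryptor: strip the suffix to recover the original name and extension, count how many files of each type were hit, confirm the ransom notes are present, and compare the affected extensions against Proofpoint's list above (an extension outside that list points to a modified or different variant). The script below is an added example, not code from the article or from any tool it recommends. It also records whether each renamed file actually begins with a ZIP local-file header; the article does not say how Bart stores the data, so this is a check whose result is reported, not an assumption. The directory tree it scans by default is constructed inside the script and is not real Bart output; TARGETED holds only a subset of the 140 extensions.

```python
import os
import tempfile
from collections import Counter
from typing import Dict, Optional, Tuple

BART_SUFFIX = ".bart.zip"
RANSOM_NOTES = {"recover.txt", "recover.bmp"}   # matched case-insensitively
ZIP_LOCAL_HEADER = b"PK\x03\x04"                 # magic bytes of a ZIP local file header

# Subset of the ~140 extensions in Proofpoint's list; extend it with the rest
# of the list for a real run.
TARGETED = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".rtf", ".csv",
    ".jpg", ".jpeg", ".png", ".gif", ".psd", ".raw", ".nef",
    ".mp3", ".mp4", ".avi", ".mkv", ".mov",
    ".zip", ".rar", ".tar", ".tgz", ".vmdk", ".vdi", ".mdb",
    ".pem", ".p12", ".key", ".crt",
}


def split_encrypted_name(name: str) -> Optional[Tuple[str, str]]:
    """Map 'New Text Document.txt.bart.zip' to ('New Text Document.txt', '.txt').

    Returns None for names that do not carry the Bart suffix.
    """
    if not name.lower().endswith(BART_SUFFIX):
        return None
    original = name[:-len(BART_SUFFIX)]
    extension = os.path.splitext(original)[1].lower()
    return original, extension


def triage_tree(root: str) -> Dict[str, object]:
    """Walk a drive or share and report what Bart left behind."""
    report = {
        "encrypted": [],              # (path, original name, original extension)
        "by_extension": Counter(),    # how many files of each original type
        "unlisted_extensions": set(), # hit, but not in Proofpoint's list
        "ransom_notes": [],
        "zip_header": 0,              # renamed files that start with a ZIP header
        "other_header": 0,            # renamed files that do not
    }
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTES:
                report["ransom_notes"].append(path)
                continue
            parsed = split_encrypted_name(name)
            if parsed is None:
                continue
            original, ext = parsed
            report["encrypted"].append((path, original, ext))
            report["by_extension"][ext] += 1
            if ext not in TARGETED:
                report["unlisted_extensions"].add(ext)
            with open(path, "rb") as fh:
                header = fh.read(len(ZIP_LOCAL_HEADER))
            if header == ZIP_LOCAL_HEADER:
                report["zip_header"] += 1
            else:
                report["other_header"] += 1
    return report


def build_sample_tree() -> str:
    """Create a constructed victim directory (not real Bart output) for a dry run."""
    root = tempfile.mkdtemp(prefix="bart-triage-")
    os.makedirs(os.path.join(root, "Documents"))
    samples = {
        "Documents/New Text Document.txt.bart.zip": ZIP_LOCAL_HEADER + b"\x00" * 16,
        "Documents/budget.xlsx.bart.zip": ZIP_LOCAL_HEADER + b"\x00" * 16,
        "holiday.jpg.bart.zip": b"\x00" * 20,      # renamed, but no ZIP header
        "notes.xyz.bart.zip": b"\x00" * 20,        # extension outside the list
        "Recover.txt": b"All your files are encrypted.\n",
        "Recover.bmp": b"BM" + b"\x00" * 14,
        "untouched.ini": b"[settings]\n",          # not a targeted type
    }
    for relative, data in samples.items():
        with open(os.path.join(root, relative), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print("encrypted files:", len(result["encrypted"]))
    print("by original extension:", dict(result["by_extension"]))
    print("extensions outside the list:", sorted(result["unlisted_extensions"]))
    print("ransom notes:", len(result["ransom_notes"]))
    print("ZIP header / other:", result["zip_header"], "/", result["other_header"])
```

Run it against a copy of the affected volume (or a read-only mount), not the live machine, and keep the (path, original name) pairs: they are what a data-recovery tool or a future decryptor needs to put files back where they belong.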

Bart Ransomware – Conclusion, Removal, and File Restoration

Bart uses the same overlay for its HTML payment page and the same ransom note as Locky ransomware. This strongly suggests that it was either created by the same cyber criminals or is being used by "clients" who bought it as a RaaS (Ransomware-as-a-Service).

If you have been infected with Bart ransomware, you should know that paying the cyber criminals is risky, for several obvious reasons:

  • You place your trust in the people who compromised your computer.
  • There is no guarantee that you will get your files back after paying.
  • You fund them, and the money most likely goes into making more malware.

This is why Bart ransomware should be removed from your computer immediately. To do this effectively, we strongly advise following the instructions after this article and making sure all files related to Bart are permanently removed. The most effective way is to use an anti-malware program, which is what experts would do, since an infection may drop several files in different folders and modify various registry keys.

As for restoring your files: as with Locky, no direct decryptor is available at the time of writing. This is why we recommend trying our alternative methods for restoring files encoded by Bart ransomware. Before attempting them, you should know that there is no guarantee you will get all of your files back; they are last-resort methods that may or may not work for you. Since some users on our forums have reported restoring several files this way, we advise trying the methods in step "3. Restore files encrypted by Bart" below.

Manually delete Bart from your computer

Note! Important information about the Bart threat: manual removal of Bart requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Bart files and objects
2. Find malicious files created by Bart on your PC
3. Fix registry entries created by Bart on your PC

Automatically remove Bart by downloading an advanced anti-malware program

1. Remove Bart with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Bart in the future
3. Restore files encrypted by Bart
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
