Skip to main content

New ransomware from the creators of Locky and Dridex discovered

The cybercriminals behind the Dridex and Locky malware have returned and this time they have launched a new ransomware that moves a victims' files into a password-protected archive.

The RockLoader malware is being used by the hackers to download an entirely new ransomware over HTTPS called Bart. The IT security firm Proofpoint first revealed the new ransomware in a blog post in which they said that it has a payment screen similar to Lock, but that it encrypts files before connecting to a command and control (C&C) server.

Last Friday, the firm discovered a large campaign using .zip attachments which contained JavaScript code. When opened, the attachments began to download and install RockLoader which would then download Bart.

The email messages used in the campaign had the subject “Photos” and contained the attachment “”, “”, “”, or “” JavaScript files such as “PDF_123456789.js” were contained within the attachment. To let users know that their systems have been infected, Bart changes their desktop wallpaper to an image that explains how they can pay the necessary ransom, three bitcoins or around $2,000, to unlock their files. It also leaves a file called recover.txt in may of the folders on their system.

The ransom note appears in a number of languages including Italian, French, German and Spanish. However, the malware also uses the system language to avoid infecting the systems of Russian, Ukrainian and Belorussian users.

In regard to the targets of the campaign, Proofpoint's researchers said: “The first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised.”

Bart could also potentially be able to encrypt PCs behind corporate firewalls which is why the researchers suggest that: “organisations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables.”

Image Credit: Bacho / Shutterstock

Anthony Spadafora
After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal.