The cybercriminals behind the Dridex and Locky malware have returned and this time they have launched a new ransomware that moves a victim's files into a password-protected archive.
The RockLoader malware is being used by the hackers to download an entirely new ransomware over HTTPS called Bart. The IT security firm Proofpoint first revealed the new ransomware in a blog post in which they said that it has a payment screen similar to Locky's, but that it encrypts files before connecting to a command and control (C&C) server.
The ransom note appears in a number of languages including Italian, French, German and Spanish. However, the malware also uses the system language to avoid infecting the systems of Russian, Ukrainian and Belorussian users.
In regard to the targets of the campaign, Proofpoint's researchers said: “The first campaign appears to largely be targeting US interests but, given the global nature of Locky and Dridex targeting and the available translations for the recovery files, we do not expect Bart to remain this localised.”
Bart could also potentially encrypt PCs behind corporate firewalls, which is why the researchers suggest that “organisations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables.”
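The gateway rule Proofpoint recommends can be implemented as an attachment inspector that opens each zip, flags executable members, and recurses into nested archives. The following is an added example written for this article, not Proofpoint's rule or code from any product; the extension list, the function names and the constructed sample attachments are assumptions, and the PE magic check is included so that an executable renamed to `.pdf` inside the archive is still caught.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Extensions commonly treated as executable content by mail gateways.
# This list is an assumption for the example, not a vendor rule set.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".ps1", ".dll", ".msi",
}
PE_MAGIC = b"MZ"          # DOS/PE header at the start of Windows executables
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a nested zip


def _is_executable_member(name: str, head: bytes) -> bool:
    """Flag a member by extension or by PE magic bytes (catches renamed .exe)."""
    lower = name.lower()
    if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    return head.startswith(PE_MAGIC)


def zipped_executables(data: bytes, depth: int = 0, max_depth: int = 2) -> List[str]:
    """Return paths of executable members inside a zip, recursing into nested zips.

    Password-protected members cannot be inspected, so they are reported too:
    an uninspectable attachment is not a safe attachment.
    """
    found: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip at all; nothing for this rule to decide
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                found.append(info.filename + " (encrypted, uninspectable)")
                continue
            with zf.open(info) as member:
                head = member.read(4)
            if _is_executable_member(info.filename, head):
                found.append(info.filename)
            elif head.startswith(ZIP_MAGIC) and depth < max_depth:
                with zf.open(info) as member:
                    inner = member.read()
                found.extend(f"{info.filename}/{p}"
                             for p in zipped_executables(inner, depth + 1, max_depth))
    return found


def should_block(attachment: bytes) -> bool:
    """Gateway decision: block the message if any executable was found."""
    return bool(zipped_executables(attachment))


def build_sample(members: Dict[str, bytes], nested: Optional[bytes] = None) -> bytes:
    """Construct a zip attachment in memory for testing the rule."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
        if nested is not None:
            zf.writestr("inner.zip", nested)
    return buf.getvalue()


# Constructed sample attachments (not real malware samples).
BENIGN_ZIP = build_sample({"report.pdf": b"%PDF-1.4 constructed", "notes.txt": b"hello"})
EXE_ZIP = build_sample({"invoice.exe": b"MZ\x90\x00 constructed stub"})
RENAMED_ZIP = build_sample({"invoice.pdf": b"MZ\x90\x00 renamed executable"})
NESTED_ZIP = build_sample({"readme.txt": b"ok"},
                          nested=build_sample({"run.js": b"// constructed"}))

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_ZIP), ("exe", EXE_ZIP),
                          ("renamed", RENAMED_ZIP), ("nested", NESTED_ZIP)]:
        print(label, "block" if should_block(sample) else "allow", zipped_executables(sample))
```

The recursion depth is capped because attackers wrap droppers in several layers of archives; a gateway that only looks one level deep is trivially bypassed, while unlimited recursion invites decompression-bomb resource exhaustion.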