- Slow Computer
- System crashes
- Connects to the internet without permission
- Installs itself without permissions
- Can't be uninstalled via Control Panel
Bart Ransomware is an incredibly dangerous infection that threatens the security of your personal files. According to our research, this infection is distributed by the same people who control another infamous ransomware known as Locky, and they are also responsible for a malicious banking Trojan, Dridex. Needless to say, the creator of this malware has no hesitation about attacking operating systems and making an illegal profit. We have found that this threat is spread via spam emails, and it hides behind an attachment that supposedly contains some kind of attractive image (e.g., Photos.zip, Photo.zip, picture.zip, image.zip, etc.). We recommend erasing all spam emails sent by unfamiliar senders, and, if you do open them, making sure that you do not open suspicious attachments or click on suspicious links. If you do, all kinds of malware could be executed. Continue reading to learn more about this ransomware, as well as the steps you need to take to remove Bart Ransomware.
Unlike other infamous threats from the same group (e.g., CryptoHitman Ransomware), Bart Ransomware does not need an Internet connection, and it does not use complex algorithms to encrypt files. Because this threat does not communicate with a C&C (Command & Control) server, it can lock files even when you are offline, and, instead of using such algorithms, it simply places each targeted file individually in a password-protected ZIP archive. Therefore, instead of seeing normal files, you will see a bunch of ZIP archives that carry the names of your personal files with the ".bart.zip" extension attached to them. Needless to say, the developers of this malicious ransomware will not give away the password for free. In fact, they might demand an incredibly large fee in return for it. According to our research, the ransom might be anywhere between 2-3 bitcoins, which translates to around 1277-1916 US dollars. Obviously, this is a huge sum of money, and not all users will be able to pay it.
According to our analysis, Bart Ransomware avoids the files with these strings: AppData, Application Data, Boot, PerfLogs, Program Files (x86), Program Files, ProgramData, Recovery, System Volume Information, temp, tmp, $Recycle.Bin, Windows, and winnt. This means that your system files and applications (e.g., web browsers) will be untouched by this ransomware. The types of files that this threat targets include media files (e.g., .wma, .flv, .mp4, .mov, .avi), images (e.g., .bmp, .png, .gif), and documents (e.g., .docx, .pdf). Needless to say, these files are the most valuable and sensitive, which means that the ransomware has a better chance of pushing you into paying the ransom by taking them hostage. Once the files are locked, Bart Ransomware creates message files (recover.bmp and Recover.txt) and changes the wallpaper image to introduce you to the demands. The files and the wallpaper are meant to push you into following a link, downloading the Tor Browser, typing in a unique address, and paying the ransom. Here is an excerpt.
It is possible that this message will be translated into different languages, but it is most likely that English is the main one. It was found that, upon execution, this threat checks whether the language of the operating system is Russian, Belarusian, or Ukrainian. If any of these languages is detected, the threat automatically terminates itself without encrypting any files. This suggests that this ransomware was developed in Russia, Belarus, or Ukraine.
Unfortunately, there is no good news with Bart Ransomware. If this threat successfully locks your personal files by password-protecting them, you are in trouble. It is impossible to “decrypt” files without the password, and even third-party decryption tools are unable to release the files corrupted by this threat. Although it seems that the only option you have is paying the ransom, we do not recommend it! Cyber criminals controlling the ransomware could take your money without providing you with a password in return, and so getting involved in the payment is risky. In the best-case scenario, you have your files backed up, and you can easily access them from an external drive, cloud storage, etc. When it comes to deleting Bart Ransomware, this threat removes itself upon execution. So, all you need to do is delete the message files from your Desktop and restore your regular Desktop wallpaper.
N.B. You should scan your PC to check if other threats have invaded it. If they have, make sure you delete them ASAP.
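The traces described above (".bart.zip" archives, the recover.bmp and Recover.txt message files, and the folders the threat skips) are enough to build a recovery checklist. The following Python script is an added example, not part of the original article or any vendor tool; the function name `triage`, the optional backup folder argument, and the treatment of the skipped strings as whole folder names are assumptions.

```python
import os
import sys

# Indicators taken from the article: locked-file suffix and ransom-note names.
LOCKED_SUFFIX = ".bart.zip"
NOTE_NAMES = {"recover.bmp", "recover.txt"}
# Strings the article says Bart avoids. Matching them as whole folder names,
# case-insensitively, is an assumption of this example.
SKIPPED_DIRS = {s.lower() for s in (
    "AppData", "Application Data", "Boot", "PerfLogs", "Program Files (x86)",
    "Program Files", "ProgramData", "Recovery", "System Volume Information",
    "temp", "tmp", "$Recycle.Bin", "Windows", "winnt")}


def triage(root, backup_root=None):
    """Walk root and sort Bart's on-disk traces into a recovery plan."""
    report = {"notes": [], "restorable": [], "no_backup": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune folders the ransomware skips; no locked files are expected there.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                report["notes"].append(full)
            elif name.lower().endswith(LOCKED_SUFFIX):
                # "report.docx.bart.zip" -> original path ".../report.docx"
                original = full[:-len(LOCKED_SUFFIX)]
                rel = os.path.relpath(original, root)
                backup = os.path.join(backup_root, rel) if backup_root else None
                if backup and os.path.isfile(backup):
                    report["restorable"].append((original, backup))
                else:
                    report["no_backup"].append(original)
    for entries in report.values():
        entries.sort()
    return report


if __name__ == "__main__":
    # Usage: python bart_triage.py <scan_root> [backup_root]
    result = triage(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    for note in result["notes"]:
        print("ransom note candidate:", note)
    for original, backup in result["restorable"]:
        print("restore", original, "from", backup)
    for original in result["no_backup"]:
        print("no backup copy found for", original)
```

The script only reads file names and changes nothing on disk; a legitimate file that happens to be named recover.txt will also be listed, so review the note list before deleting anything.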