
Bart Ransomware (Win32/Filecoder.Bart) (Kidnapping) Resource Hacking

Posted on 08 November 2016

#!/bin/sh
#
# Bart Ransomware (Win32/Filecoder.Bart) (Kidnapping) Resource Hacking
#
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
#
# Thanks to Maya Hristova, who supports me.
#
#
# Description:
# Bart is a simple yet insidious ransomware
# program that locks files in encrypted,
# inaccessible archives until a ransom is paid.
# Bart, like most ransomware programs, searches
# for files that match a given description, then
# encrypts those files, leaving them unusable.
# This means all files of certain extensions (e.g.
# .pdf, .xls, etc.) will be inaccessible until
# the victim acquires the key. To obtain the key,
# the victim must pay a ransom.
#
# Some of the main features of Bart ransomware
# include the following:
#  o The software enters the computer through a ZIP
#    attachment to an email.
#  o The attachment contains a JavaScript file
#    that, if executed, initiates the installation
#    of Bart.
#  o Unlike similar malware, Bart locks your
#    files in encrypted, password-protected ZIP
#    archives, rendering the files inaccessible.
#    After the encryption, the naming format
#    for the resulting ZIP archive is as follows:
#    original_name.bart.zip.
#
# Disclaimer:
# This and previous programs are for educational
# purposes ONLY. Do not use them without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (data loss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
# [todor@adamantium]$ strings bart.bin | grep -i -A 235 "Tahoma"
# Tahoma
# Control PanelDesktop
# WallpaperStyle
# TileWallpaper
# AnOh/Cz9MMLiZMS9k/8huVvEbF6cg1TklaAQBLADaGiV
# winnt
# Application Data
# AppData
# PerfLogs
# Program Files (x86)
# Program Files
# ProgramData
# temp
# Recovery
# $Recycle.Bin
# System Volume Information
# Boot
# Windows
# .n64
# .m4u
# .m3u
# .mid
# .wma
# .flv
# .3g2
# .mkv
# .3gp
# .mp4
# .mov
# .avi
# .asf
# .mpeg
# .vob
# .mpg
# .wmv
# .fla
# .swf
# .wav
# .mp3
# .qcow2
# .vdi
# .vmdk
# .vmx
# .gpg
# .aes
# .ARC
# .PAQ
# .tar.bz2
# .tbk
# .bak
# .tar
# .tgz
# .rar
# .zip
# .djv
# .djvu
# .svg
# .bmp
# .png
# .gif
# .raw
# .cgm
# .jpeg
# .jpg
# .tif
# .tiff
# .NEF
# .psd
# .cmd
# .bat
# .class
# .jar
# .java
# .asp
# .brd
# .sch
# .dch
# .dip
# .vbs
# .asm
# .pas
# .cpp
# .php
# .ldf
# .mdf
# .ibd
# .MYI
# .MYD
# .frm
# .odb
# .dbf
# .mdb
# .SQLITEDB
# .SQLITE3
# .asc
# .lay6
# .lay
# .ms11(Security copy)
# .ms11
# .sldm
# .sldx
# .ppsm
# .ppsx
# .ppam
# .docb
# .sxm
# .otg
# .odg
# .uop
# .potx
# .potm
# .pptx
# .pptm
# .std
# .sxd
# .pot
# .pps
# .sti
# .sxi
# .otp
# .odp
# .wb2
# .123
# .wks
# .wk1
# .xltx
# .xltm
# .xlsx
# .xlsm
# .xlsb
# .slk
# .xlw
# .xlt
# .xlm
# .xlc
# .dif
# .stc
# .sxc
# .ots
# .ods
# .hwp
# .602
# .dotm
# .dotx
# .docm
# .docx
# .DOT
# .3dm
# .max
# .3ds
# .txt
# .CSV
# .uot
# .RTF
# .pdf
# .XLS
# .PPT
# .stw
# .sxw
# .ott
# .odt
# .DOC
# .pem
# .p12
# .csr
# .crt
# .key
# !!! IMPORTANT INFORMATION !!!
# All your files are encrypted.
# Decrypting of your files is only possible with the private key, which is on our secret server.
# To receive your private key follow one of the links:
# 1. http://%s.tor2web.org/?id=%s
# 2. http://%s.onion.to/?id=%s
# 3. http://%s.onion.cab/?id=%s
# 4. http://%s.onion.link/?id=%s
# If all addresses are not available, follow these steps:
# 1. Download and install Tor Browser: https://torproject.org/download/download-easy.html
# 2. After successfull installation, run the browser and wait for initialization.
# 3. Type in the address bar:
# %s.onion/?id=%s
# 4. Follow the instructions on the site.
# !!! INFORMAZIONI IMPORTANTI !!!
# Tutti i file sono criptati.
# Decifrare dei file ? possibile solo con la chiave privata, che ? sul nostro server segreto.
# Per ricevere la chiave privata seguire uno dei link :
# 1. http://%s.tor2web.org/?id=%s
# 2. http://%s.onion.to/?id=%s
# 3. http://%s.onion.cab/?id=%s
# 4. http://%s.onion.link/?id=%s
# Se tutti gli indirizzi non sono disponibili, attenersi alla seguente procedura:
# 1. Scaricare e installare Tor Browser: https://torproject.org/download/download-easy.html
# 2. Dopo l'installazione di successo, eseguire il browser e attendere l'inizializzazione.
# 3. Digitare nella barra degli indirizzi:
# %s.onion/?id=%s
# 4. Seguire le istruzioni sul sito
# !!! INFORMATIONS IMPORTANTES !!!
# Tous vos fichiers sont crypt?s.
# D?chiffrer de vos fichiers est seulement possible avec la cl? priv?e, qui est sur notre serveur secret.
# Pour recevoir votre cl? priv?e suivre l'un des liens:
# 1. http://%s.tor2web.org/?id=%s
# 2. http://%s.onion.to/?id=%s
# 3. http://%s.onion.cab/?id=%s
# 4. http://%s.onion.link/?id=%s
# Si toutes les adresses ne sont pas disponibles, proc?dez comme suit:
# 1. T?l?chargez et installez Tor Browser: https://torproject.org/download/download-easy.html
# 2. Une fois l'installation r?ussie, ex?cutez le navigateur et attendez que l'initialisation.
# 3. Tapez dans la barre d'adresse:
# %s.onion/?id=%s
# 4. Suivez les instructions sur le site.
# !!! WICHTIGE INFORMATIONEN !!!
# Alle Ihre Dateien werden verschl?sselt.
# Entschl?sseln der Dateien ist nur mit dem privaten Schl?ssel, die auf unserer geheimen Server ist.
# So empfangen Sie Ihren privaten Schl?ssel auf einen der Links folgen:
# 1. http://%s.tor2web.org/?id=%s
# 2. http://%s.onion.to/?id=%s
# 3. http://%s.onion.cab/?id=%s
# 4. http://%s.onion.link/?id=%s
# Wenn alle Adressen nicht verf?gbar sind, gehen Sie folgenderma?en vor:
# 1. Downloaden und installieren Browser Tor: https://torproject.org/download/download-easy.html
# 2. Nach erfolgreicher Installation der Browser ausgef?hrt wird und f?r die Initialisierung warten.
# 3. Geben Sie in der Adressleiste:
# %s.onion/?id=%s
# 4. Folgen Sie den Anweisungen auf der Website.
# !!! Your personal identification ID: %s !!!
# !!! La vostra identificazione personale ID: %s !!!
# !!! Votre identification personnelle ID: %s !!!
# !!! Ihre pers?nliche Identifikations ID: %s !!!
# !!! Su identificaci?n personal ID : %s !!!
# khh5cmzh5q7yp7th
# DARKWEB ADDRESS: http://khh5cmzh5q7yp7th.onion/
# .bart
# LOCKED FILE FORMAT: .bart.zip
# .recover.
# \.
# recover.txt
# ecover.bmp
# ecover.txt
# notepad.exe "
[todor@adamantium]$ sed -i 's/khh5cmzh5q7yp7th/1234567890123456/g' bart.bin
[todor@adamantium]$ strings bart.bin | grep -i -A 5 "personal"
# !!! Your personal identification ID: %s !!!
# !!! La vostra identificazione personale ID: %s !!!
# !!! Votre identification personnelle ID: %s !!!
# !!! Ihre pers?nliche Identifikations ID: %s !!!
# !!! Su identificaci?n personal ID : %s !!!
# 1234567890123456
# DARKWEB ADDRESS IS CHANGED TO: http://1234567890123456.onion/ (Invalid TOR address)
# .bart
# .recover.
# \.
# recover.txt
[todor@adamantium]$ sed -i 's/.bart/.ethk/g' bart.bin
[todor@adamantium]$ strings bart.bin | grep -i -A 5 "personal"
# !!! Your personal identification ID: %s !!!
# !!! La vostra identificazione personale ID: %s !!!
# !!! Votre identification personnelle ID: %s !!!
# !!! Ihre pers?nliche Identifikations ID: %s !!!
# !!! Su identificaci?n personal ID : %s !!!
# 1234567890123456
# DARKWEB ADDRESS IS CHANGED TO: http://1234567890123456.onion/ (Invalid TOR address)
# .ethk
# LOCKED FILE FORMAT IS CHANGED TO: .ethk.zip
# .recover.
# \.
# recover.txt
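As an added defensive example, not part of Todor Donev's script: the Bart markers visible in the strings output above (the onion id, the ransom-note header, the tor2web link format, the .bart extension and the dropped recover.txt) are used to triage a suspect binary the way `strings | grep` does, and to find locked original_name.bart.zip archives and ransom notes on disk. The sample byte blob and file paths are constructed for the demonstration; there is no real binary involved.

```python
import os
import re

# Indicators copied from the `strings bart.bin` output shown on this page.
BART_STRING_MARKERS = {
    "onion_id": "khh5cmzh5q7yp7th",
    "note_header": "!!! IMPORTANT INFORMATION !!!",
    "victim_id_fmt": "!!! Your personal identification ID: %s !!!",
    "tor2web_fmt": "http://%s.tor2web.org/?id=%s",
    "locked_ext": ".bart",
    "note_file": "recover.txt",
}
LOCKED_NAME_RE = re.compile(r"\.bart\.zip$", re.IGNORECASE)  # original_name.bart.zip
NOTE_NAMES = {"recover.txt", "recover.bmp"}                   # dropped ransom notes

def extract_strings(blob, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like `strings` by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def match_bart_indicators(blob, threshold=3):
    """Which Bart markers a blob carries; 'score' counts them and 'verdict'
    requires several independent markers, so one stray '.bart' is not enough."""
    found = extract_strings(blob)
    hits = {name: any(marker in s for s in found)
            for name, marker in BART_STRING_MARKERS.items()}
    hits["score"] = sum(hits.values())
    hits["verdict"] = hits["score"] >= threshold
    return hits

def classify_paths(paths):
    """Split file paths into Bart-locked archives and dropped notes."""
    names = [(p, os.path.basename(p)) for p in paths]
    return {"locked": [p for p, n in names if LOCKED_NAME_RE.search(n)],
            "notes": [p for p, n in names if n.lower() in NOTE_NAMES]}

def scan_tree(root):
    """Walk a directory tree and classify every file under it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(paths)

# Constructed sample: a few Bart strings wrapped in junk bytes, not a real binary.
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00Tahoma\x00WallpaperStyle\x00"
               b"khh5cmzh5q7yp7th\x00!!! IMPORTANT INFORMATION !!!\x00"
               b"http://%s.tor2web.org/?id=%s\x00.bart\x00recover.txt\x00\xff\xfe")

if __name__ == "__main__":
    print(match_bart_indicators(SAMPLE_BLOB))
```

Point `scan_tree` at a user profile to list every archive Bart renamed and every note it dropped; a patched sample like the one on this page still trips the verdict because the note header, link format and recover.txt marker survive the sed edits.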
