bart

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Bart 1.0 (June 2016) does not write ciphertext in place; it packs each file into a password-protected ZIP archive and appends .bart.zip to the original name. The later Bart 2.0 build encrypts files directly and appends .bart. Both suffixes are therefore valid Bart indicators, and the suffix on its own tells you which generation you are dealing with.
  • Renaming Convention:
    Original file names, including their original extension, are preserved; the Bart suffix is appended directly after the existing extension.
    Example transformation:
    Budget_Q2_2024.xlsx → Budget_Q2_2024.xlsx.bart.zip (Bart 1.0)
    Budget_Q2_2024.xlsx → Budget_Q2_2024.xlsx.bart (Bart 2.0)
    Affected folders normally also contain a ransom note named recover.txt, readc.txt or a close variant.
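The following script is an added example, not code from this page or from any Bart analysis. It applies the renaming rules above to a directory tree: it finds files carrying either Bart suffix, recovers the original file name, checks whether a .bart.zip really begins with a ZIP local-file-header signature (a .bart.zip that does not is either truncated or another family borrowing the name), and collects ransom notes. The sample tree it builds under a temporary directory is constructed for the demonstration; the note names are the ones listed above.

```python
import os
import tempfile

# Suffixes discussed above: ".bart.zip" (Bart 1.0 ZIP container) is checked
# before ".bart" (Bart 2.0 ciphertext) so the longer suffix wins.
BART_SUFFIXES = (".bart.zip", ".bart")
NOTE_NAMES = {"recover.txt", "readc.txt"}   # ransom-note names from this page
ZIP_MAGIC = b"PK\x03\x04"                    # ZIP local-file-header signature


def classify_file(path):
    """Return (original_name, variant) for a Bart-renamed file, else None.

    variant: 'v1-zip'     .bart.zip whose content starts with a ZIP header
             'v2-raw'     .bart (no container to inspect)
             'suspicious' .bart.zip suffix but not a ZIP (truncated file, or
                          another family re-using the extension)
    """
    name = os.path.basename(path)
    lower = name.lower()
    for suffix in BART_SUFFIXES:
        if not lower.endswith(suffix):
            continue
        original = name[: -len(suffix)]
        if suffix == ".bart.zip":
            with open(path, "rb") as fh:
                head = fh.read(len(ZIP_MAGIC))
            variant = "v1-zip" if head == ZIP_MAGIC else "suspicious"
        else:
            variant = "v2-raw"
        return original, variant
    return None


def triage(root):
    """Walk root and summarise encrypted files, notes and generations seen."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname.lower() in NOTE_NAMES:
                notes.append(full)
                continue
            hit = classify_file(full)
            if hit is not None:
                original, variant = hit
                encrypted.append({"path": full, "original": original,
                                  "variant": variant})
    return {
        "count": len(encrypted),
        "variants": sorted({e["variant"] for e in encrypted}),
        "encrypted": encrypted,
        "notes": notes,
    }


def build_sample_tree():
    """Constructed sample share: three renamed files, one note, one untouched file."""
    root = tempfile.mkdtemp(prefix="bart-triage-")
    finance = os.path.join(root, "Finance")
    os.makedirs(finance)
    samples = {
        "Budget_Q2_2024.xlsx.bart.zip": ZIP_MAGIC + b"\x00" * 26,  # ZIP-like header
        "Notes.docx.bart": os.urandom(64),                           # opaque ciphertext
        "Plan.pdf.bart.zip": b"not a zip at all",                    # suffix lies
        "recover.txt": b"!!! IMPORTANT INFORMATION !!!\n",
        "Untouched.txt": b"nothing happened here\n",
    }
    for fname, content in samples.items():
        with open(os.path.join(finance, fname), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for entry in report["encrypted"]:
        print(f"{entry['variant']:<10} {entry['original']:<22} <- {entry['path']}")
    print("generations seen:", report["variants"])
    print("ransom notes:", report["notes"])
```

Point it at a mounted share or a forensic image instead of the sample tree; the "suspicious" class is the one to examine by hand before choosing a decryptor, since it means the suffix and the content disagree.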

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The first samples producing .bart.zip archives appeared in late June 2016 (“Bart”), followed within weeks by the .bart variant (“Bart 2.0”).
    A second wave using essentially the same name but an updated loader/payload was reported in March 2017. Since then sightings have been sporadic, although new incidents periodically appear in public telemetry in 2023–2024, attributed to re-use of the name in commodity Ransomware-as-a-Service (RaaS) bundles.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  • Exploit kits (RIG and other 2016-era kits) – drive-by download of a single ZIP containing a malicious JavaScript which retrieves the Bart payload.
  • Spam/phishing campaigns – the dominant 2016 vector: e-mails carrying a ZIP attachment (e.g. Invoice_[date].zip, sometimes password-protected) → obfuscated JavaScript downloader → Bart EXE.
  • Cracked-software bundles & warez sites – droppers packaged with pirated copies of Adobe and MS Office products and game plugins.
  • Weak RDP / VNC credentials – brute-forced Remote Desktop ports exposed to the Internet (TCP 3389) let the adversary drop bart.exe in %TEMP% by hand and run it.
  • No wormable exploit – unlike WannaCry (EternalBlue), Bart carried no lateral-movement code, so attackers relied on user action or stolen credentials to reach each host.

Remediation & Recovery Strategies:

1. Prevention

  • Disable SMBv1 (server and client) on all Windows machines; Bart did not exploit SMB, but removing it shrinks the overall ransomware attack surface.
  • Disable Office macros by default via Group Policy; Bart's observed lures used JavaScript attachments rather than macros, but the same spam ecosystem delivered macro-based loaders, so the control closes a neighbouring door.
  • Filter e-mail attachments: block script and executable content (.js, .exe, .bat, .ps1), including inside archives; open Office attachments in Protected View.
  • Restrict RDP exposure:
    – never expose TCP 3389 directly to the Internet; require a VPN or a jump box with MFA;
    – enforce Network Level Authentication (NLA);
    – use strong, unique passwords; audit failed logons (Event ID 4625) for bursts from a single source.
  • Apply the principle of least privilege – run day-to-day under a standard local or domain user; ransomware running without administrative rights cannot delete Volume Shadow Copies (vssadmin and WMI shadow deletion both require elevation), which keeps a local recovery path open.
  • 3-2-1 Backups: 3 copies of data, 2 different media, 1 off-network/offsite, plus periodic restore tests.
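As an added example of the "audit failed logons" control (not code from this page or from any vendor), the Python below runs a sliding-window brute-force detector over a constructed sample of Security-log records. The records are reduced to the five fields a SIEM export would carry; on a real host they would come from Get-WinEvent or a log forwarder. Event IDs 4625/4624 and logon types 3/10 are the real Windows values; the threshold and window are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log records: (timestamp, EventID, LogonType,
# target user, source IP). 4625 = failed logon, 4624 = successful logon.
# LogonType 10 is RemoteInteractive (RDP); with NLA enabled the pre-auth
# failures are logged as LogonType 3 (Network), so both count as remote here.
SAMPLE_EVENTS = [
    ("2024-05-02T01:00:05", 4625, 3, "administrator", "203.0.113.9"),
    ("2024-05-02T01:00:09", 4625, 3, "admin", "203.0.113.9"),
    ("2024-05-02T01:00:14", 4625, 3, "backup", "203.0.113.9"),
    ("2024-05-02T01:00:20", 4625, 3, "svc_sql", "203.0.113.9"),
    ("2024-05-02T01:00:27", 4625, 3, "jsmith", "203.0.113.9"),
    ("2024-05-02T01:00:33", 4625, 3, "jsmith", "203.0.113.9"),
    ("2024-05-02T01:00:41", 4624, 10, "jsmith", "203.0.113.9"),   # got in
    ("2024-05-02T03:00:00", 4625, 10, "mwong", "192.0.2.77"),     # slow drip:
    ("2024-05-02T03:30:00", 4625, 10, "mwong", "192.0.2.77"),     # 5 failures
    ("2024-05-02T04:00:00", 4625, 10, "mwong", "192.0.2.77"),     # over 2 h,
    ("2024-05-02T04:30:00", 4625, 10, "mwong", "192.0.2.77"),     # never 5 in
    ("2024-05-02T05:00:00", 4625, 10, "mwong", "192.0.2.77"),     # one window
    ("2024-05-02T08:15:02", 4625, 10, "mwong", "198.51.100.4"),   # typo, then
    ("2024-05-02T08:15:30", 4624, 10, "mwong", "198.51.100.4"),   # normal logon
    ("2024-05-02T09:00:00", 4625, 2, "kiosk", "127.0.0.1"),       # console, ignored
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector over logon events.

    Emits ('bruteforce', ip, detail) the first time a source accumulates
    `threshold` remote failures inside `window`, and
    ('success-after-bruteforce', ip, detail) if that source later logs on
    interactively over RDP, which is the case to escalate immediately.
    """
    alerts = []
    recent = defaultdict(list)   # source ip -> failure timestamps in window
    flagged = set()
    for ts, event_id, logon_type, user, ip in sorted(events):
        t = datetime.fromisoformat(ts)
        if event_id == 4625 and logon_type in (3, 10):
            bucket = recent[ip]
            bucket.append(t)
            while bucket and t - bucket[0] > window:   # drop failures outside window
                bucket.pop(0)
            if len(bucket) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip,
                               f"{len(bucket)} remote failures within {window}"))
        elif event_id == 4624 and logon_type == 10 and ip in flagged:
            alerts.append(("success-after-bruteforce", ip,
                           f"{user} logged on over RDP at {ts}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{kind:<26} {ip:<14} {detail}")
```

The slow-drip source is deliberately left unflagged at the default window: a five-minute window catches the noisy password spray that precedes a manual bart.exe drop, while a longer window (hours) is the right setting when an attacker throttles attempts to stay under lockout thresholds.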

2. Removal

  1. Physically isolate the infected machine: unplug Ethernet or disable Wi-Fi; disconnect mapped shares so the process cannot keep archiving files on the network.
  2. Identify the Bart process tree: via Windows Task Manager, Sysinternals Process Explorer or Autoruns; look for bart.exe, a randomly-named 8–12-character EXE running from %TEMP% or %APPDATA%, or unexpected PowerShell/WMIC children.
  3. Terminate the payload: right-click → Kill Process Tree in Process Explorer, or force-quit via Task Manager.
  4. Delete persistence:
  • Run Autoruns → Scheduled Tasks, Run Keys, Services – delete any entry that points to the dropped Bart executable.
  • Remove entries in the Startup folder or Task Scheduler named chromeinstall, svchostupd, or similar random names.
  5. Boot into Safe Mode (no networking) to be sure no malicious service reloads the payload, then run a full scan with Malwarebytes, ESET, Bitdefender, or Windows Defender Offline.
  6. Restore a clean System Restore point if one was created immediately before the infection.
  7. Re-provision if unsure: for high-value systems, wipe the OS partition and reinstall from known-good images.
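Added example (not Sysinternals code and not from this page) for the persistence step above: a triage pass over an Autoruns CSV export that flags the entries a responder should look at first. The CSV here is a constructed approximation of an `autorunsc -c` export cut down to a few of its real column names; the entropy threshold, the user-writable path patterns and the known-name list (taken from the removal steps above) are heuristics chosen for this illustration.

```python
import csv
import io
import math
import re
from collections import Counter

# Constructed stand-in for an Autoruns CSV export (autorunsc -c), reduced to
# the columns used below. Real exports carry more columns (hashes, versions).
SAMPLE_AUTORUNS_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,enabled,Logon,Microsoft OneDrive,(Verified) Microsoft Corporation,C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,chromeinstall,enabled,Logon,,(Not verified),C:\\Users\\alice\\AppData\\Local\\Temp\\chromeinstall.exe
Task Scheduler,\\Updater,enabled,Scheduled Tasks,,(Not verified),C:\\Users\\alice\\AppData\\Roaming\\kx7f9q2bwm.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,HP Monitor,enabled,Logon,HP monitor tool,(Not verified) HP Inc.,C:\\Program Files\\HP\\hpmon.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,C:\\Windows\\System32\\SecurityHealthSystray.exe
"""

KNOWN_BAD_NAMES = {"chromeinstall", "svchostupd"}   # names cited in the removal steps
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.IGNORECASE)


def shannon_entropy(text):
    """Bits per character; random 8-12 character names score near log2(len)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem):
    """Heuristic: short alphanumeric name with near-maximal character spread."""
    return 8 <= len(stem) <= 12 and stem.isalnum() and shannon_entropy(stem.lower()) >= 3.0


def suspicious_reasons(row):
    """Return the reasons an Autoruns row deserves a look (empty = leave it)."""
    image = row["Image Path"]
    stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    entry = row["Entry"].lstrip("\\")
    reasons = []
    if not row["Signer"].lower().startswith("(verified)"):
        reasons.append("unsigned or unverified binary")
    if USER_WRITABLE.search(image):
        reasons.append("runs from a user-writable location")
    if stem.lower() in KNOWN_BAD_NAMES or entry.lower() in KNOWN_BAD_NAMES:
        reasons.append("name matches a known Bart persistence entry")
    elif looks_random(stem):
        reasons.append(f"random-looking image name ({stem})")
    # A signed Microsoft binary in AppData (OneDrive) is normal, and an
    # unverified vendor tool in Program Files is common; escalate only when
    # the binary is unverified AND something else is off.
    if reasons and reasons[0].startswith("unsigned") and len(reasons) > 1:
        return reasons
    return []


def triage_autoruns(csv_text):
    """Parse an Autoruns CSV export; return [(entry, image path, reasons), ...]."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = suspicious_reasons(row)
        if reasons:
            flagged.append((row["Entry"].lstrip("\\"), row["Image Path"], reasons))
    return flagged


if __name__ == "__main__":
    for entry, image, reasons in triage_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{entry}: {image}")
        for reason in reasons:
            print("   -", reason)
```

Run it against the export taken in step 2 before deleting anything, then delete the flagged entries in Autoruns and re-export to confirm they are gone; the image paths it prints are also the files to quarantine before the Safe Mode scan.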

3. File Decryption & Recovery

  • Recovery Feasibility:
  • Bart v1 (.bart.zip, active from June 2016) – DECRYPTABLE. A free decryptor was released by AVG (later Avast) in 2016. It works because Bart v1 is a password-protected ZIP container rather than a custom file cipher, and the archive password can be recovered given one original file and its encrypted counterpart.
  • Bart v2 (“Bart 2.0”, .bart) and the later rebrands changed key management; do not assume the v1 tool applies. Check the current Avast and Bitdefender decryptor listings for the exact extension before declaring files unrecoverable.
  • Tools:
  • avast-decryptor-bart.exe – standalone; requires at least one intact original file together with its encrypted copy (a plaintext/ciphertext pair) for offline password recovery. Download link: https://decoded.avast.io/jakubkroustek/bart-decryptor/
  • Manual recovery of the ZIP password by experts (for example from keys reported leaked in 2016 dumps) is limited to Bart v1 archives.
  • If the ransom note's contact e-mails use @protonmail.com or @keemail.me, the sample is Bart v1 and the tool above applies.
  • Essential Patches: keep Windows 7/8/10/11 and Office fully patched (for example MS16-122 and MS16-145 from the same period). Update e-mail filters and endpoint agents to the latest definitions.

4. Other Critical Information

  • Unique Characteristics

  • Bart v1 is archive-based ransomware: it does not overwrite each file in place; instead each original file (say, 100 MB) is packed into a password-protected ZIP of roughly the same size named <original>.bart.zip, and the original is then deleted. Because deletion does not wipe the clusters, undelete and shadow-copy tools such as Recuva or ShadowExplorer can sometimes retrieve pre-encryption files even after Bart has run, particularly if sdelete or other manual wiping did not follow. The ZIP central directory also stays readable without the password (entry name, uncompressed size, CRC32), which lets you confirm whether a recovered candidate really is the original.

  • In Bart v1, the ransom note (recover.txt) contains ASCII art skulls, unlike most modern ransom notes.

  • Bart v1 drops recover.bmp alongside recover.txt and sets it as the desktop wallpaper; even so, many victims only notice the infection when files fail to open or turn up as .bart.zip archives that demand a password.
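Added example (not Bart's code and not from this page) for the archive-based behaviour described above: what a .bart.zip reveals with no password, and how to use that to validate a file recovered with an undelete tool. Python's zipfile cannot write password-protected archives, so the sample archive is constructed plain and only the ZIP "encrypted" flag bit is set afterwards; the entry body stays readable in the bytes, which a real Bart archive's would not. The entry name and content are constructed sample data.

```python
import io
import zipfile
import zlib


def build_sample_archive(entry_name, payload):
    """Constructed stand-in for a Bart 1.0 output file: one entry holding the
    original file. zipfile cannot write password-protected archives, so the
    body is plaintext; see mark_encrypted()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def mark_encrypted(archive):
    """Set general-purpose flag bit 0 ('encrypted') in the local file header
    and the central-directory entry of a single-entry ZIP. Only the flag is
    imitated; the entry body is left as written."""
    data = bytearray(archive)
    eocd = data.rfind(b"PK\x05\x06")                        # end-of-central-directory record
    cd_offset = int.from_bytes(data[eocd + 16:eocd + 20], "little")
    data[6] |= 0x1              # local file header: flags at offset 6
    data[cd_offset + 8] |= 0x1  # central directory header: flags at offset 8
    return bytes(data)


def inspect_archive(archive):
    """What a .bart.zip reveals with no password: the central directory is
    never encrypted, so names, sizes, CRC32 and flags are readable."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [{"name": i.filename, "size": i.file_size,
                 "compressed": i.compress_size, "crc32": i.CRC,
                 "encrypted": bool(i.flag_bits & 0x1)} for i in zf.infolist()]


def can_extract(archive, name):
    """True if the entry body can be read without a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            zf.read(name)
        return True
    except RuntimeError:        # zipfile: 'File ... is encrypted, password required'
        return False


def matches_original(archive, candidate):
    """Check an undeleted/carved candidate against the archive's own metadata:
    the uncompressed size and CRC32 in the central directory are those of the
    plaintext, so a match confirms the recovered file is the original."""
    info = inspect_archive(archive)[0]
    return len(candidate) == info["size"] and zlib.crc32(candidate) == info["crc32"]


if __name__ == "__main__":
    original = b"Quarterly budget\n" * 500           # constructed sample content
    bart_zip = mark_encrypted(build_sample_archive("Budget_Q2_2024.xlsx", original))
    for entry in inspect_archive(bart_zip):
        print(entry)
    print("extractable without password:", can_extract(bart_zip, "Budget_Q2_2024.xlsx"))
    print("recovered candidate matches:", matches_original(bart_zip, original))
```

In practice inspect_archive gives you the inventory of what was taken (names and sizes, without paying or decrypting), and matches_original turns a pile of Recuva or ShadowExplorer output into a verified list of restored files, since a CRC32 and size match against the archive's own directory is far stronger evidence than the file merely opening.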

  • Broader Impact

  • Compared with contemporaneous outbreaks (Locky, Petya), Bart's infection rate was modest, but it brought the “ZIP-and-delete” pattern to a wide audience; the same archive-based approach appears in the older ACCDFISA family (2012) and later in SigmaLocker and certain PowerShell variants.

  • Underground advertisements reported in 2023 under banners such as “BartReloaded” show the branding being rented to non-technical affiliates, indicating an ongoing, though small-scale, resurgence.


Executive Summary:

  • Confirm the .bart or .bart.zip suffix; for 2016-era samples, run the AVG/Avast decryptor immediately.
  • Any .bart appearing in 2023-24 is likely a rebrand or derivative—assume it is not decryptable.
  • Rely on immutable / segregated backups and the prevention checklist above to minimize the re-emergence of Bart—old, but always adaptable.

Stay vigilant.