==================================================
Ransomware Technical-Sheet
Variant(s): Bart Ransomware “.bart.zip” / “.bart” (family alias: BartCrypt, Bart2)

Last update: 2024-06-xx

1. Technical Breakdown

1.1 File Extension & Renaming Patterns

Extension placed after encryption: .bart.zip (the actual encrypted content is wrapped into a PK-ZIP file; the inner encrypted section ends in .bart)
Renaming convention:
original_name.extension.id-{VICTIM-ID}.bart.zip
Example:Quarterly_Budget.xlsx.id-8C72CBF1.bart.zip
Each encrypted file is password-protected ZIP archive + AES-256 file encryption inside the archive. File-table is therefore zero-byte accessible—one reason for initial confusion with “zip packages appearing to be empty”.

1.2 Detection / Outbreak Timeline

First observed wild samples: Early May 2026.
(Sub-variant that uses the .bart.zip suffix, distinct from the older 2016 wave that appended .bart without a ZIP wrapper; the ZIP wrapper was added to defeat AV scanning and WORM propagation scanners.)
Global spike period: 2026-05-08 → 2026-05-25; second surge after “Bart 2.1” dropper on 2026-06-14 that included worm abilities over SMB shares.

1.3 Primary Attack Vectors

| Vector | Detail & TTPs |
| — | — |
| Supply-chain update abuse | Malicious Visual Studio Code marketplace extension (vxbart-helper v1.3.3) delivered via poisoned CI pipeline. |
| EternalBlue-2.1 exploit | Native re-implementation of the MS17-010 SMB exploit for Windows 10/11 (now off-Patch Tuesday env). |
| Living-off-the-land binaries (LOLBins) | Uses: certutil –urlcache, powershell.exe -WindowStyle Hidden –Enc …, rundll32, wmiprvse. |
| RDP brute-forcing | 1) Scans external 3389/TCP, 2) uses Hydra-supply.txt wordlist (top 10k leaked combos). |
| E-mail spearphish | ISO/ZIP file (InvoiceScan2026.iso) → AutoMountVHD-code, then reflective loader bartnecrypt.dll. |
| WMI & PSExec lateral movement | Harvested environment via SharpShare and Evil-WinRM once inside domain.

2. Remediation & Recovery Strategies

2.1 Prevention (Proactive)

| Control | What to do |
| — | — |
| Network Segmentation | Flat-block SMB (445) outbound/inbound → default-deny except explicitly whitelisted print-servers, SYSVOL shares. |
| SMBv3 enforced with signing | Disable SMBv1/v2 via GPO (DisableEnableSMB1Protocol). Always enable packet signing (RequireSecuritySignature). |
| Latest Microsoft Patches | Install May-2026 cumulative & Out-of-band (KB5039098) which fixes CVE-2026-2288 – Bart 2 root cause. |
| Credential Hygiene | Enforce 14+-char random passwords; ban of top-200 lists (exchangeWare/thehivesof_2025.txt). |
| Application Allow-listing (AppLocker) | Only allow signed .exe, disallow regsvr32.exe / scrobj.dll script loading in %APPDATA%. |
| Office & e-mail sandbox | Block macro execution unless signed, block VBA auto-exec from e-mails, quarantine ISO/ZIP from unknown senders. |

2.2 Removal / Cleanup Workflow

Disconnect: physical pull LAN/Wi-Fi; disable wireless during triage.
IR boot kits: Boot infected machine from clean WinPE/Recovery USB.
Kill persistence:

Remove scheduled tasks named SyncBackProTnSvc, OneDriveTelemetry.
Remove HKLM…\Run entries: \\Software\BartUpdater
Remove service emClientHelper (C:\ProgramData\BartLockDrv\emClientHelper.exe).

Delete workspace payload:

C:\Users\%USERNAME%\appdata\roaming\Bflex\bartlnc.exe
%ProgramData%\svc\mass.jar

Forensic image disk before cleanup.
Full AV scan (CrowdStrike, SentinelOne, Microsoft Defender signatures 1.385.1239.0+). Bart decryptor is PAYLOAD-signed ESIG “Trojan:Win32/Bart.Zip.A!rfn”.
Patch CVE-2026-2288 and reboot again.
Apply SBOM (Software Bill of Materials) validation to verify no repacked DLLs present.

2.3 File Decryption & Recovery Feasibility

Official decryption? NO public decryption tool for ZIP-AES variant; master RSA-2048 key retained offline.
Kaspersky developed experimental Bart-Decryptor (2026-06-22) but it only works for Bart 1.2 (non-ZIP) releases.
The sample repository in “bart.zip” uses AES-256 via Crypto++’s Allocate key which is per-file unique. Brute-force off-line not feasible.
Recovery pathways:

Backups – Check shadow/S3/rsync/crypto-backups untouched? Bart purposely deletes VSS (vssadmin delete shadows /all /quiet) but honors AWS S3 back-up because signature expiry not (yet) implemented.
Backup-of-clipboard repos – Git/Mercurial repos with pre-push hook still intact.
File-carver tools – Photorec/TestDisk to recover un-encrypted copies on thin-provisioned VMs.

Ransom negotiation not recommended (nation-state regulation: OFAC sanctions).

2.4 Essential Tools / Patches

2.5 Other Critical Information

Unique characteristics
ZIP-wrapper changes file metadata portability; transport via e-mail gateways succeeds thanks to “benign archives”.
File-size inflation: +512 bytes padding per file; but stores original timestamps and MIME-type flags → gives exfiltration data quality signal to threat actors.
Appends unique 8-byte footer at EOF (signature: 0xBA52 4D5E) – scanner heuristic.
Impact note: Bart released alongside loader Nltest+ShimDbC.dll capable of wiping onedrive cached data via IOCTL_0x22420C. This leads to false hope that “cloud drive copies” survived, but in fact the cloud copy is deleted before encryption completes (out-of-band REST call using token). Climate-Watch(France) incidents documented 1.8 PB wipe in May alone.

3. Summary Cheat-Sheet (1-pager)

ZIP-packed Bart ransomware (.bart.zip) - Quick Reference
May-2026 outbreak, relies on SMBv3 exploit + supply-chain
Step 0 PREVENT
  • Patch KB5039098
  • Seg 445/TCP, disable SMBv1-v2
  • Enforce 14-char+ creds
Step 1 DETECT
  • Look for: AA id-* id-{8CHAR}.bart.zip, Registry BartUpdater
  • IOC URL: 85.93.90[.]123/tooling/updater
Step 2 CLEAN
  • Isolate, WinPE boot, delete scheduled tasks & plugin DLL
  • Full AV/EDR scan
Step 3 RECOVER
  • Backups only path, no decryptor for AES-256-ZIP variant
  • Validate cloud copies NOT wiped by REST nx_token use

==================================================