Users who have had their files encrypted by any version of the Bart ransomware program are in luck: Antivirus vendor Bitdefender has just released a free decryption tool.
The Bart ransomware appeared back in June and stood out because it locked victims' files inside ZIP archives encrypted with AES (Advanced Encryption Standard). Unlike other ransomware programs that used RSA public-key cryptography and relied on a command-and-control server to generate key pairs, Bart was able to encrypt files even in the absence of an internet connection.
The original implementation of Bart did have some weaknesses and security researchers from antivirus firm AVG, which is now part of Avast, created a tool that could guess the password for the ransomware's archives using brute-force methods. The decryptor required the user to have at least one unaffected copy of a file that had been encrypted.
In later versions, the Bart developers changed their crypto implementation, rendering the AVG decryptor ineffective. According to Catalin Cosoi, chief security strategist at Bitdefender, the encryption used by the latest Bart variants is strong and has no obvious flaws.
Despite that, Bitdefender was able to create a decryption tool after the Romanian police provided them with the necessary keys, which were probably obtained during an investigation. The company credits collaboration with the Romanian Police and Europol for its success in creating the tool.
The tool was published on NoMoreRansom.org, a support website for ransomware victims that's maintained by a coalition of security vendors and law enforcement agencies. The website has prevention advice as well as a set of decryption tools that work for various strains of ransomware.
Some researchers believe Bart to be related to another widespread ransomware program, called Locky, that has affected many organizations in 2016. Files affected by this program have the .bart.zip, .bart and .perl extensions.
As always, having a backup plan in place is the best approach to deal with potential ransomware infections, rather than hoping for a free decryption tool that might or might not work for the particular variant that ends up affecting your files.
In the absence of backups, security experts advise against paying ransom because it encourages cybercriminals and doesn't always result in file recovery. The affected files should be saved though in case a solution to recover them is found at a later date.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.