
Bart Ransomware Infection And Decryption Services

July 26, 2016

Bart is a simple but effective ransomware program that locks files inside encrypted, password-protected archives until a ransom is paid. It was most likely built by the same group behind Locky, one of the most widespread and successful ransomware families. Unlike Locky, however, Bart never needs to contact a command-and-control server, which makes it especially troublesome for businesses: the network controls that catch other ransomware while it is still setting up do nothing against Bart.

Because Bart works without a command-and-control server, it can encrypt a machine that has no outbound connectivity at all; egress filtering and command-and-control blocklists will not stop it. Block Bart before it runs if at all possible, but if it does infect your computer, we can help you explore your options. Call Datarecovery.com at 1-800-237-4200 to speak with a malware expert.

What is Bart Ransomware (And How Does It Work)?

Bart, like most ransomware, searches for files whose extensions match a built-in list (the full list appears further down this page), then encrypts each one, leaving it unusable. Documents, spreadsheets, images, archives, source code and many other file types will be inaccessible until the victim obtains the key, and to obtain the key the victim must pay a ransom.

Some of the main features of Bart ransomware include the following:

  • The software arrives as a ZIP attachment to an email.
  • The ZIP contains a JavaScript file that, if the user runs it, starts the installation of Bart.
  • Unlike similar malware, Bart does not encrypt files in place: it packs each file into its own encrypted, password-protected ZIP archive, so the contents are inaccessible without the password. The archive keeps the original name and extension with .bart.zip appended, in the form original_name.extension.bart.zip (for example, budget.xlsx becomes budget.xlsx.bart.zip).
  • The program does not use a public key and does not need to communicate with a command-and-control server. This makes it cheaper to operate and lets Bart encrypt computers whose outbound traffic is blocked by a firewall.
  • Once running, it deletes as many Volume Shadow Copies as it can find, which reduces the chances of recovering earlier versions of the encrypted files.
  • Bart is extremely simple, but it shares some features with Locky, including its ransom note. We believe Bart was created by programmers associated with Locky.

At the time of writing there is no known decryptor for the files Bart has affected. However, it does not always manage to delete every shadow copy, so earlier versions of some files may be recoverable. Datarecovery.com’s experts are also researching new recovery methods.
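As an added example (this is not Datarecovery.com's tooling and says nothing about how Bart itself was written), the script below inventories `.bart.zip` archives the way a responder would: it recovers each original file name from the naming scheme, reads the archive's central directory, which neither ZIP password scheme encrypts, and reports whether each member is protected by the legacy PKWARE "ZipCrypto" stream cipher or by WinZip-style AES. The distinction matters because ZipCrypto has a published known-plaintext weakness (Biham and Kocher, 1994) while AES does not; this page does not say which scheme Bart used, so the script reports what it finds rather than assuming. The standard library can read ZipCrypto but cannot write it, so the sample input is built by hand from the ZIP specification with a made-up file name, contents and password; the round trip through `zipfile` with that password confirms the constructed archive is genuine.

```python
# Added example: triage of Bart-style "<name>.<ext>.bart.zip" archives. Not
# Datarecovery.com's tooling; the sample archive, password and file name are constructed.
import binascii
import io
import struct
import zipfile

BART_SUFFIX = ".bart.zip"
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0: member is password protected
WINZIP_AES_METHOD = 99    # compression method 99 marks WinZip-style AES encryption


def original_name(archive_name: str):
    """Recover the pre-encryption file name from Bart's naming scheme, or None."""
    if not archive_name.lower().endswith(BART_SUFFIX):
        return None
    return archive_name[:-len(BART_SUFFIX)]


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Password scheme protecting one member: 'aes', 'zipcrypto' or 'none'."""
    if info.compress_type == WINZIP_AES_METHOD:
        return "aes"
    if info.flag_bits & FLAG_ENCRYPTED:
        return "zipcrypto"
    return "none"


def triage_archive(archive_name: str, data: bytes) -> dict:
    """Inventory one archive without its password: names, sizes, plaintext CRC-32s
    and the encryption scheme sit in the central directory, which neither password
    scheme encrypts, so a responder can list what was taken hostage and how."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [{"name": zi.filename, "size": zi.file_size,
                    "crc32": zi.CRC, "scheme": classify_entry(zi)}
                   for zi in zf.infolist()]
    return {"archive": archive_name, "original": original_name(archive_name),
            "members": members}


# ---- Constructed sample: a minimal ZipCrypto archive written from APPNOTE.TXT.
# The standard library can read ZipCrypto but not write it, so encrypt by hand.

def _crc32_byte(crc: int, b: int) -> int:
    """One CRC-32 table step without zlib's initial/final inversions."""
    return binascii.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class _ZipCrypto:
    """PKWARE traditional encryption, encrypt direction (APPNOTE section 6.1)."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:                 # the key state advances on the plaintext byte
            out.append(p ^ self._stream_byte())
            self._update(p)
        return bytes(out)


def build_zipcrypto_archive(member: str, plain: bytes, password: bytes) -> bytes:
    """Write a one-member, stored, ZipCrypto-protected ZIP from scratch."""
    crc = binascii.crc32(plain) & 0xFFFFFFFF
    # 12-byte encryption header whose last byte is the CRC's high byte; readers
    # compare it to reject a wrong password before decrypting the whole member.
    enc = _ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + plain)
    name = member.encode()
    t, d = 0, 0x0021                                        # DOS time/date 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, FLAG_ENCRYPTED, 0, t, d,
                        crc, len(enc), len(plain), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, FLAG_ENCRYPTED,
                          0, t, d, crc, len(enc), len(plain), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(enc), 0)
    return local + enc + central + eocd


SAMPLE_NAME, SAMPLE_PLAIN, SAMPLE_PW = "budget.xlsx", b"Q3 forecast (constructed)", b"hunter2"


def demo() -> dict:
    """Triage a constructed .bart.zip; the stdlib round trip with the password
    proves the hand-built sample (and the cipher above) is genuine ZipCrypto."""
    data = build_zipcrypto_archive(SAMPLE_NAME, SAMPLE_PLAIN, SAMPLE_PW)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        assert zf.read(SAMPLE_NAME, pwd=SAMPLE_PW) == SAMPLE_PLAIN
    return triage_archive(SAMPLE_NAME + BART_SUFFIX, data)
```

Run `demo()` to see the record for the constructed archive; point `triage_archive` at real `.bart.zip` files to build the inventory of affected files and their protection scheme. A `"zipcrypto"` verdict is the one worth escalating, because that cipher leaks under a known-plaintext attack if an unencrypted copy of even one archived file (a backup, an email attachment, a template) can be found; an `"aes"` verdict leaves only shadow copies, backups, or the ransom.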

How Does Bart Ransomware Infect My System?

Bart arrives as an emailed ZIP attachment that contains a JavaScript file. If the user runs the JavaScript file, it downloads and installs an intermediate loader called RockLoader, and RockLoader in turn downloads and installs Bart, which locks your files in ZIP archives that require a password to open.

The easiest way to avoid the ransomware is to not open attachments from senders you don’t recognize, and in particular never to run a script file (.js, .jse, .wsf) that arrives inside a ZIP. Because the dropper depends on Windows Script Host, changing the default program for .js files to Notepad, or disabling Windows Script Host through the Enabled value under HKLM\Software\Microsoft\Windows Script Host\Settings, stops the attachment from running even if someone double-clicks it. Up-to-date antivirus software may also catch some instances of Bart.
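The delivery chain described above (ZIP attachment, JavaScript dropper, loader, payload) is also the cheapest place to stop Bart, because a ZIP's member listing can be read without opening anything inside it. As an added example, not Datarecovery.com's code and not a description of any particular gateway product, the function below screens an attachment the way a mail filter would: it flags script types that Windows Script Host runs on double-click, double extensions such as `Invoice.pdf.js` that hide the real type behind a document extension, and nested or password-protected archives used to get past single-level scanning. The sample attachments are constructed in memory; a production filter would additionally inspect the script body and apply its own policy instead of the simple `should_quarantine` hook shown.

```python
# Added example: mail-gateway style screening of ZIP attachments for JavaScript
# droppers. Not Datarecovery.com's code; the sample attachments are constructed.
import io
import zipfile

# Extensions that Windows Script Host (wscript.exe) runs when double-clicked.
WSH_SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document-looking extensions attackers put in front of a script suffix.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
NESTED_ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
MAX_NESTING = 3


def _ext_chain(name: str) -> list:
    """Lower-cased extension chain of a member name: 'A.PDF.js' -> ['.pdf', '.js']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def screen_attachment(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return findings for a ZIP attachment; an empty list means nothing suspicious.

    Only the member listing is examined, so nothing inside the archive is ever
    executed, and a password-protected member still reveals its name."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [f"{prefix}not a ZIP archive (or corrupt)"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            name, exts = prefix + zi.filename, _ext_chain(zi.filename)
            last = exts[-1] if exts else ""
            if last in WSH_SCRIPT_EXTS:
                findings.append(f"{name}: Windows Script Host script ({last})")
                if len(exts) > 1 and exts[-2] in DECOY_EXTS:
                    findings.append(f"{name}: double extension hides script behind {exts[-2]}")
            if last in NESTED_ARCHIVE_EXTS:
                if depth + 1 >= MAX_NESTING:
                    findings.append(f"{name}: nested deeper than {MAX_NESTING} levels")
                elif last != ".zip":
                    findings.append(f"{name}: nested {last} archive not inspected")
                else:
                    try:
                        inner = zf.read(zi)
                    except RuntimeError:            # password-protected inner archive
                        findings.append(f"{name}: password-protected nested archive")
                    else:
                        findings.extend(screen_attachment(inner, depth + 1, name + "!"))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy hook: any finding is enough to hold the message for review."""
    return bool(screen_attachment(data))


# ---- Constructed samples ----

def _make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    """Screen a dropper-style attachment, a nested one and a benign one."""
    stub = b"// constructed stand-in for a downloader script"
    malicious = _make_zip({"Invoice_2016-07.pdf.js": stub})
    nested = _make_zip({"docs.zip": _make_zip({"readme.txt": b"hi", "run.wsf": stub})})
    benign = _make_zip({"report.pdf": b"%PDF-1.4 constructed", "notes.txt": b"ok"})
    return {"malicious": screen_attachment(malicious),
            "nested": screen_attachment(nested),
            "benign": screen_attachment(benign)}
```

The check deliberately keys on the member name rather than on the script's contents: a renamed or lightly obfuscated dropper defeats content signatures, but it still has to carry a Windows Script Host extension to run when the user double-clicks it.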

What Ransom Payment Does Bart Demand for Decrypting Files?

Bart demands a payment of three bitcoins (around $2,000 at the time of writing) through a Tor payment portal. Bitcoin is difficult to trace and is the currency of choice for ransomware operators. When the victim pays the ransom, the operators supply the password for the archives.

Bart targets the following extensions:

.123, .3dm, .3ds, .3g2, .3gp, .602, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .cgm, .cmd, .cpp, .crt, .csr, .CSV, .dbf, .dch, .dif, .dip, .djv, .djvu, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .MYD, .MYI, .NEF, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf, .pem, .php, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .rar, .raw, .RTF, .sch, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip

Can I Disable Bart Ransomware Encryption?

At this time, there is no known way to decrypt the affected files. Shadow copies of some files may still be recoverable, even though Bart tries to delete all of them once it is running; an administrator can see which copies survived by running vssadmin list shadows from an elevated command prompt.

Datarecovery.com’s decryption experts may be able to find shadow copies of your files that Bart failed to delete. As a last resort, we can also help you arrange a safe, one-time payment of the ransom to obtain the password and restore your files. Time is an important factor, so we recommend taking immediate steps to resolve the infection.

If you suspect that Bart has infected your computer, turn it off and unplug any backup devices so the malware cannot reach them. Then call Datarecovery.com at 1-800-237-4200 to speak with an expert.