Secdo Blog

To Outsmart Bart (Ransomware), You Need to Be as Unpredictable as He Is

The new kid on the ransomware scene is Bart. Like its presumed namesake, Bart Simpson, Bart ransomware doesn’t do what’s expected. Most ransomware families use cryptography (such as AES) to encrypt a victim’s files. Bart instead adds each file to a password-protected ZIP archive.

According to Proofpoint, Bart is distributed by the same people who distribute Locky and Dridex. Unlike those common ransomware variants, though, Bart does not communicate with a command-and-control server, so it can still encrypt files when a firewall configuration blocks its network access. The ransomware generally enters through an email attachment containing an executable JavaScript file masquerading as a photo.

How to Detect Malware – Deception and Manipulation

When it comes to detecting malware, security solutions tend to be one step behind. Next-generation technologies have gone beyond signatures to search for more flexible indicators such as suspicious behaviors. But a suspicious activity isn’t necessarily ransomware. So depending on how permissive a policy you set, this approach alone will produce either false positives or the occasional miss. Missing ransomware is a very costly mistake.
This is where SECDO’s behavior manipulation comes into play. SECDO randomly generates thousands of virtual traps in memory at the kernel level, making it impossible for ransomware to differentiate between real objects and virtual objects. When ransomware attempts to modify or access these objects, SECDO’s IceBlock immediately freezes all entities (threads, processes, services) related to the ransomware before they get a chance to do any damage. With this approach, ransomware authors simply cannot predict how to avoid detection.
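The decoy idea described above can be approximated in user space, and the artifact Bart leaves behind (a password-protected ZIP archive where a document used to be) is visible in the archive's own headers. The following Python is an added example written for this post; it is not SECDO's product code and not anything taken from a Bart sample. It plants hash-tracked decoy files with random names, reports any decoy that is later modified or removed, and flags any archive that appears beside the decoys whose members carry the ZIP "encrypted" flag (general-purpose bit 0). Every name in it (`plant_decoys`, `check_decoys`, `encrypted_entries`, `build_zip_bytes`, `simulate_archive_then_delete`, `demo`) is the example's own. The archive builder is a constructed stand-in that only sets the header flag and performs no real encryption, and the "simulate" step merely reproduces the archive-and-delete effect the post describes on the decoy files so that the check has something to find.

```python
import hashlib
import io
import os
import random
import string
import struct
import tempfile
import zipfile
import zlib

# Hypothetical user-space canary-file check (an approximation of the decoy
# idea in the post, not SECDO's kernel-level traps): plant decoy documents,
# record their hashes, and later report decoys that were modified or removed,
# plus any archive in the same directory whose members carry the ZIP
# "encrypted" flag, which is how a password-protected archive presents on disk.

DECOY_EXTENSIONS = (".docx", ".xlsx", ".pdf", ".jpg")
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 in the ZIP file header


def plant_decoys(root, count=5, seed=None):
    """Write `count` decoy files into `root`; return a {path: sha256} manifest."""
    rng = random.Random(seed)
    manifest = {}
    for _ in range(count):
        name = "".join(rng.choices(string.ascii_lowercase, k=8)) + rng.choice(DECOY_EXTENSIONS)
        path = os.path.join(root, name)
        payload = os.urandom(256)  # content is irrelevant; only its hash matters
        with open(path, "wb") as fh:
            fh.write(payload)
        manifest[path] = hashlib.sha256(payload).hexdigest()
    return manifest


def encrypted_entries(source):
    """Names of archive members whose header has the encrypted bit set.
    `source` is a path or the raw archive bytes."""
    if isinstance(source, bytes):
        source = io.BytesIO(source)
    with zipfile.ZipFile(source) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ZIP_FLAG_ENCRYPTED]


def check_decoys(manifest):
    """Return (path, reason) findings; an empty list means nothing touched the decoys."""
    findings = []
    for path, digest in manifest.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != digest:
            findings.append((path, "modified"))
    # Any archive that appeared beside the decoys and carries encrypted members.
    for root in {os.path.dirname(p) for p in manifest}:
        for name in sorted(os.listdir(root)):
            full = os.path.join(root, name)
            if full in manifest or not zipfile.is_zipfile(full):
                continue
            if encrypted_entries(full):
                findings.append((full, "encrypted archive"))
    return findings


def build_zip_bytes(members, encrypted=False):
    """Constructed sample: a minimal STORED archive. With encrypted=True only the
    header flag is set (the data is NOT encrypted), enough to show what the
    check keys on."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    local_parts, central_parts, offset = [], [], 0
    for name, data in members.items():
        fname = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                            crc, len(data), len(data), len(fname), 0) + fname + data
        # central directory record for the same member, pointing at `offset`
        central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0x21,
                              crc, len(data), len(data), len(fname), 0, 0, 0, 0, 0, offset) + fname
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    cd = b"".join(central_parts)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(cd), offset, 0)
    return b"".join(local_parts) + cd + eocd


def simulate_archive_then_delete(manifest):
    """Constructed stand-in for the behaviour the post describes: each decoy ends
    up inside a flagged archive next to it and the original disappears."""
    for path in list(manifest):
        with open(path, "rb") as fh:
            data = fh.read()
        with open(path + ".zip", "wb") as fh:
            fh.write(build_zip_bytes({os.path.basename(path): data}, encrypted=True))
        os.remove(path)


def demo(count=3):
    """Plant decoys in a scratch directory, confirm they are clean, run the
    simulation, and return the findings before and after."""
    with tempfile.TemporaryDirectory() as scratch:
        manifest = plant_decoys(scratch, count=count, seed=7)
        before = check_decoys(manifest)
        simulate_archive_then_delete(manifest)
        after = check_decoys(manifest)
    return before, after


if __name__ == "__main__":
    clean, findings = demo()
    print("clean run:", clean)
    for path, reason in findings:
        print(f"{reason:18} {path}")
```

The check deliberately reports on two independent signals: a decoy that is missing or changed, and an archive with encrypted members appearing where none should be. Either one alone is enough to halt further processing in a real deployment, and the decoy names are random so an attacker cannot enumerate them from a fixed list.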

Trust Me, I Never Lie

We love Bart Simpson, but we’d rather avoid his namesake. Contact us to see for yourself how SECDO detects and blocks ransomware.