Two relatively new ransomware variants have been neutralized by security researchers. New Bart and PowerWare ransomware decryption tools have now been released which will allow victims to recover their files without paying a ransom, even if a viable backup does not exist.
White hat hackers at AVG and Palo Alto Networks analysed the two new ransomware variants and discovered numerous flaws in the design of the malicious file-encrypting programs. The developers of Bart and PowerWare have been sloppy and have made coding errors and implemented their encryption technology poorly.
This is not unusual. New ransomware variants are appearing frequently, yet the first releases are often far from polished products. They contain numerous flaws which can be exploited to develop ransomware decryption tools. Unfortunately, the tools do not work for long. Ransomware authors are quick to fix flaws which renders the decryption tools useless.
PowerWare was first discovered in March this year, while security companies first identified Bart ransomware in June 2016.
PowerWare – or PoshCoder as it was formerly known – has been used in the United States to attack healthcare organizations. PowerWare uses the AES-128 algorithm to encrypt users’ files. However, a hard-coded key is used which has allowed security researchers to develop PowerWare ransomware decryption tools. While this is good news for victims, it will only be a matter of time before a new variant of the ransomware is released with this flaw corrected.
Researchers at AVG have also managed to crack a ransomware variant. Bart ransomware differs from most ransomware variants in its method of encryption. Bart locks user files in password protected zip files rather than resorting to powerful encryption algorithms.
Bart Ransomware – which adds the .bart.zip extension to locked files – has been cracked using brute force methods, which allows the long and complex passwords to be guessed. However, in order for the AVG ransomware decryption tool to work the victim must supply the tool with a copy of an encrypted files as well as the original unencrypted file.
The unencrypted file could be obtained from a backup, from the Internet in the case of a Windows file for example, or from an email account if the file has been sent to the victim via email. With both of these files, the tool will work, although it may take several days for the passwords to be cracked.