Researchers release free decryption tools for PowerWare and Bart ransomware

22.07.2016
Security researchers have released tools this week that could help users recover files encrypted by two relatively new ransomware threats: Bart and PowerWare.

PowerWare, also known as PoshCoder, was first spotted in March, when it was used in attacks against healthcare organizations. It stood out because it was implemented in Windows PowerShell, a scripting environment designed for automating system and application administration tasks.

Researchers from security firm Palo Alto Networks have recently found a new version of this threat that imitates a sophisticated and widespread ransomware program called Locky. It uses the extension .locky for encrypted files and also displays the same ransom note used by the real Locky ransomware.

This is not the first time the PowerWare/PoshCoder creators have imitated well-designed ransomware threats, probably in an attempt to convince users that there's no point in trying to recover their files without paying. In the past, they've used the CryptoWall and TeslaCrypt ransom notes.

Luckily, PowerWare is nowhere near as strong as the ransomware programs it impersonates. It uses the AES-128 encryption algorithm, but with a hard-coded key, which allowed the Palo Alto researchers to create a decryption tool that should work at least for this latest variant.

Also this week, researchers from antivirus firm AVG managed to crack another ransomware program called Bart that first appeared in June. This threat is notable because it locks files inside password-protected ZIP archives instead of using sophisticated encryption algorithms.

Bart infections are easy to identify because the affected files will have the extension .bart.zip appended to their original name and extension -- for example document.docx will become document.docx.bart.zip.

Bart's ZIP-based encryption uses a very long and complex password, but the AVG researchers have figured out a way to guess the key using brute-force methods. Their Bart decryption tool requires the user to have at least one unaffected copy of a file that has been encrypted.

The program compares the original version of the file with the archived and password-protected version and then proceeds to guess the password. The process can take up to several several days.

It should be fairly easy for users to find an unaffected version of a file that has been encrypted by Bart. This can be a document or picture received via email or downloaded from a known place on the Internet. It can also be one of the default sound files or wallpapers shipped with Windows and which can be copied from a clean computer.

While it's great that security researchers sometimes find implementation flaws in ransomware programs and manage to create free decryption tools, malware authors are usually quick to fix their errors. A tool that works for one variant of a particular ransomware program might not work for the next one, so it's always better for users to take preventive measures and avoid infections in the first place.

Lucian Constantin