{
	"id": "1455a663-9d0d-4f80-94e5-94240372ca6f",
	"created_at": "2026-04-06T00:18:16.97619Z",
	"updated_at": "2026-04-10T03:21:35.449192Z",
	"deleted_at": null,
	"sha1_hash": "2a090b2d0eb40fd0d14207fc45f4847f27f05e52",
	"title": "Locky Bart ransomware and backend server analysis | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1955130,
	"plain_text": "Locky Bart ransomware and backend server analysis |\r\nMalwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-01-30 · Archived: 2026-04-05 15:56:21 UTC\r\nIn this post we will cover the Locky Bart ransomware. The developers of Locky Bart already had two very\r\nsuccessful ransomware campaigns running, called “Locky” and “Locky v2”. After some users reported being\r\ninfected with Locky Bart, we investigated it to find the differences, so as to gain greater knowledge and\r\nunderstanding of this new version.\r\nThe Locky Bart ransomware has new features that set it apart from its predecessors. It can encrypt a machine\r\nwithout any connection to the Internet, and it has a much faster encryption mechanism.\r\nOur research also indicates that the backend infrastructure of Locky Bart might be maintained by a different\r\nthreat actor than the original versions. While the internals of the malicious binary share a great number of\r\nsimilarities, there were some notable differences: comments in the code of the application and, more notably,\r\nthe kind of software used in the backend server.\r\nThis did not come as a surprise, as cyber-criminals are known to share, rent, sell, and even steal malicious code\r\nfrom one another.\r\nAnalysis of Locky Bart’s binary\r\nIn previous incarnations, Locky Bart used a simpler encryption process. It enumerated the files targeted for\r\nencryption, placed each in a password-protected ZIP archive, and repeated this until all the files were\r\nencrypted. The creators did not use ZIP’s AES protection but the older legacy ZIP encryption, and because of this,\r\nresearchers were able to build a decrypting application.\r\nLocky Bart performs a fairly straightforward set of actions to encrypt the victim’s files. 
They are as follows:\r\nDelete the Volume Shadow Copies that System Restore relies on, using vssadmin.\r\nGenerate a seed to create a key to encrypt the user’s files.\r\nEnumerate the files it wants to encrypt, skipping certain folders to speed it up.\r\nEncrypt the enumerated files with the generated key.\r\nEncrypt the key used to encrypt the files with a master key; the result becomes the victim’s “UID”, used to\r\nidentify them.\r\nCreate a ransom note on the desktop with a link to a payment page and their “UID”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/\r\nPage 1 of 14\n\nThe function used to generate a seed, which is in turn used to create the key the files are encrypted with. It mixes\r\nvariables such as the system time, process ID, thread ID, process alive time, and CPU ticks to produce a random number.\r\nThe function used to enumerate and encrypt the files.\r\nLocky Bart will skip any folders with these strings in their path.\r\nThe file types that Locky Bart targets for encryption.\r\nThe string that Locky Bart uses to make a ransom note. The “khh5cmzh5q7yp7th.onion” is the payment server,\r\nand the “AnOh/Cz9MMLiZMS9k/8huVvEbF6cg1TklaAQBLADaGiV” is a sample UID that would be sent with the\r\nURL to the server for the victim to make a payment. Remember that the UID is only an encrypted version of the\r\nkey that can be used to decrypt a victim’s files.\r\nHow the creators of Locky Bart acquire the key is what differentiates this version from its predecessors. 
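The key handling just described, as an added Go example that is not code from the article or from the Locky Bart binary: a per-victim file key encrypts the files, that key is wrapped under a public key whose private half exists only on the operators’ backend, the wrapped key becomes the UID carried in the ransom URL, and only the holder of the private key can turn the UID back into the file key. RSA-OAEP and AES-256-GCM are assumptions (the article does not name the primitives), the `id` query parameter name is invented, the file key here comes from crypto/rand rather than the sample’s time/PID/TID/tick seed, and the sample document is constructed.

```go
package main

import (
	`crypto/aes`
	`crypto/cipher`
	`crypto/rand`
	`crypto/rsa`
	`crypto/sha256`
	`encoding/base64`
	`fmt`
	`io`
)

// Operator holds the key pair that never leaves the backend; only the public half ships in the binary.
type Operator struct{ priv *rsa.PrivateKey }
func NewOperator() (*Operator, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Operator{priv: k}, nil
}
func (o *Operator) PublicKey() *rsa.PublicKey { return &o.priv.PublicKey }

// Victim is what the binary builds offline: the file key and the UID (that key wrapped under the public key).
type Victim struct {
	FileKey []byte
	UID     string
}

// Infect stands in for the binary's key setup. The real sample seeds its key from the system
// time, PID, TID, process alive time and CPU ticks; this illustration takes 32 random bytes.
func Infect(pub *rsa.PublicKey) (*Victim, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Victim{FileKey: key, UID: base64.StdEncoding.EncodeToString(wrapped)}, nil
}

// RansomURL is the note's link: the .onion host quoted in the article plus the UID (the `id` parameter is assumed).
func (v *Victim) RansomURL() string {
	return fmt.Sprintf(`http://khh5cmzh5q7yp7th.onion/?id=%s`, v.UID)
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals one file under the victim key, nonce prepended for the decryption tool.
func (v *Victim) EncryptFile(plain []byte) ([]byte, error) {
	gcm, err := gcmFor(v.FileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// RecoverKey is the server side: the UID harvested from the payment URL is unwrapped with the
// private key and, per the article, handed back inside a decryption tool only after payment.
func (o *Operator) RecoverKey(uid string) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(uid)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, o.priv, wrapped, nil)
}

// DecryptFile is what the generated decryption tool does with the recovered key.
func DecryptFile(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf(`ciphertext too short`)
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	op, _ := NewOperator()
	v, _ := Infect(op.PublicKey())
	blob, _ := v.EncryptFile([]byte(`constructed sample document`)) // constructed input
	key, _ := op.RecoverKey(v.UID)
	plain, _ := DecryptFile(key, blob)
	fmt.Println(v.RansomURL(), string(plain))
}
```

The point the code makes is the one the article makes: nothing in the victim-side path needs the server, and nothing in the UID helps the victim, because the UID is only decryptable with a key that was never on the machine.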
When the\r\nvictim of the ransomware visits the URL to make their payment for the ransom, they are unknowingly sending\r\ntheir decryption key, in its encrypted UID form, to the criminals.\r\nLet’s break the process down step by step, to better understand it.\r\nLocky Bart gathers information on the victim’s machine to create an encryption key.\r\nLocky Bart encrypts the user’s files using the seeded key created in the previous step.\r\nLocky Bart then encrypts the key that was used for the file encryption with the public half of a public/private\r\nkey pair. The private key for this second encryption resides on the malicious server and is never\r\naccessible to the victim.\r\nLocky Bart then generates a URL on the victim’s machine. It contains the link to a Tor .onion address where\r\nthe malicious backend website is hosted. This URL carries a user ID: the original decryption key, in encrypted\r\nform.\r\nThe victim visits the .onion site and the malicious server harvests the encrypted UID.\r\nThis UID is useless to the victim, because they do not have the private key needed to turn it back into their file key.\r\nThe ransomware creators’ server does, meaning the server can not only use the UID to identify the victim, but also\r\ndecipher the UID into the victim’s key upon payment of the ransom.\r\nIn the end, only the ransomware creators can decrypt the user’s files, and because of this design there is no need\r\nto contact the malicious server in order to encrypt them.\r\nLocky Bart Software Protection technique\r\nThe Locky Bart binary also uses a software protection technique. 
This technique is known as code virtualization\r\nand is added to the Locky Bart binary by using a program called “WPProtect”.\r\nThis makes the binary significantly harder to disassemble and complicates stepping through the\r\ncode, a technique used to understand what it does. Legitimate uses of this type of software are most typically seen\r\nin anti-piracy mechanisms. An example of a commercial version of this type of software would be Themida. The\r\nauthor of Locky Bart probably chose this particular anti-tampering mechanism because it is free, open source, and\r\nprovides many features. This adoption of software protection techniques is a troubling development. These\r\napplications, including WPProtect, make reversing and analysis significantly more challenging.\r\nThe Locky Bart server\r\nThe second half of Locky Bart is the server and backend. This server is used to:\r\nProvide the victims with a payment mechanism to pay the ransom.\r\nReceive the bitcoins used as the payment method.\r\nTransfer the bitcoins to other wallets.\r\nGenerate a decryption EXE for the victims.\r\nProvide the decryption EXE to the victims.\r\nAccrue additional information on the victims.\r\nThe Locky Bart backend runs on a framework called Yii. Yii is a high-performance PHP framework best for\r\ndeveloping Web 2.0 applications.\r\nThe framework’s debug panel, left reachable on the server, exposed a wealth of information on the inner workings of Locky Bart.\r\nThe Yii debug panel, which contained extensive information about the server configuration. 
Access to this control panel revealed:\r\nEvery configuration setting for all the software running on the server, such as PHP, Bootstrap, JavaScript,\r\nApache (if used), Nginx (if used), ZIP, and more.\r\nEvery request that was made to the server, including its request information, header information, body,\r\ntimestamp, and where it originated.\r\nLogs that showed every error, trace, and debug item.\r\nAll the automated email functions.\r\nMySQL monitoring that showed every statement made and its return.\r\nYii’s debug module is meant for development; leaving it reachable on a live server hands all of this to anyone who finds it.\r\nLocky Bart stores information in a MySQL database. The credentials to the MySQL server reside in a “Config”\r\nPHP file in the “Common” folder of the site. An example path looks like the following: /srv/common/config/main-local.php\r\nThe contents of Locky Bart’s server MySQL config file.\r\nThe information contained in the MySQL database consists of the victim’s unique identifier (UID), the encryption key,\r\nBitcoin address, paid status, and timestamps.\r\nA small part of the table holding the ransomware information in the database.\r\nThe Locky Bart server also contains a second database with further information on the victims of the\r\nransomware.\r\nLocky Bart ransomware’s “Stats” table example.\r\nA “ReadMe” file found on the server that seems to detail some features of the Stats database.\r\nThe Locky Bart server contains a “BTCwrapper.php” which uses a “controller” method that exposes a BTC\r\nWallet class that all other PHP files can call. This class initiates a connection to the Bitcoin server through a\r\nusername and password. 
This class contained complete methods for controlling and using the main BTC wallet set\r\nup by the criminal to store all the money received. This wallet is emptied regularly. This class can create new BTC\r\naddresses as well, and had the ability to sweep those addresses into the main wallet on payment. There were also\r\nmethods to check on the status of payments from each victim.\r\nSome of the functions that the BTCWrapper class calls.\r\nThe first few functions of the BTCWrapper class. The class uses cURL to contact a locally run Bitcoin server that\r\ncommunicates with the blockchain.\r\nThe Locky Bart server had two Bitcoin addresses where victims’ payments were transferred to. The current one:\r\nThe current BTC address associated with Locky Bart has accumulated $7,671.60 in its lifetime.\r\nAnd a second one, referenced in PHP configurations on the malicious server.\r\nAn older BTC address also associated with Locky Bart had accumulated $457,806.06.\r\nThe server portion of this ransomware was configured to function very similarly to a legitimate business. It mirrored\r\na “Support Ticket Department” where the user could contact the ransomware support for any issues they may have\r\nexperienced.\r\nThe process was completely automated. The user would get infected and visit the site as their ransom note\r\ninstructed. 
When they visited the site, the server would generate their unique BTC address and present it to\r\nthem automatically.\r\nIf the user decided to pay the ransom but had questions, they could quite literally\r\ncontact support.\r\nIf they did indeed decide to pay, they would proceed to buy bitcoins through the many methods\r\navailable (a BTC ATM; LocalBitcoins, which allows you to meet people locally to trade BTC for cash or to use\r\nbanks and wire services like Western Union; or buying them online with a credit card).\r\nOnce the user has the amount specified by the ransomware in their own BTC wallet, they would then transfer the\r\nmoney from their wallet to the payment address the ransomware payment page generated for them.\r\nThe ransomware server checks every few minutes whether a payment has been made for any of its victims and whether the\r\npayment has been confirmed. Once the server verifies a payment, it marks that victim in the database as “Paid”.\r\nWhen a victim is marked as “Paid”, the server generates a “Decryption Tool EXE”, writes the victim’s\r\nencryption key into the binary of that EXE, and presents a link to download it on the personal payment page of the\r\nvictim. When the victim next checks their payment page, they will see the link, download the tool, and\r\ndecrypt their files.\r\nThe generation of the victim’s decryption tool on the fly.\r\nConclusion\r\nThis research into Locky Bart ransomware gives a great view of the side of a ransomware operation that we\r\ntypically do not get to see: the backend. 
The criminals who run these operations do so on an extremely\r\nprofessional level, and users should always take an extra step in protecting themselves from these types of attacks.\r\nRansomware will continue to grow and get more advanced, and users need to make sure they are protected in the\r\nform of backups, security application protection like Malwarebytes, and some type of anti-ransomware technology protecting them from these advanced attacks. Users running Malwarebytes already have\r\nprotection from ransomware, as Malwarebytes is equipped with our anti-ransomware technology.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/"
	],
	"report_names": [
		"locky-bart-ransomware-and-backend-server-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a090b2d0eb40fd0d14207fc45f4847f27f05e52.pdf",
		"text": "https://archive.orkl.eu/2a090b2d0eb40fd0d14207fc45f4847f27f05e52.txt",
		"img": "https://archive.orkl.eu/2a090b2d0eb40fd0d14207fc45f4847f27f05e52.jpg"
	}
}