A new ransomware variant dubbed Karmen has made an appearance on the Dark Web. Interestingly, the strain automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim’s computer.
According to Recorded Future, the malware is a ransomware-as-a-service (RaaS) offering derived from Hidden Tear, an open-source ransomware project. It encrypts files on the infected machine using AES-256, a strong symmetric cipher. And because it automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim’s computer, those machines won’t get their files back, even if their owners pay the ransom.
Also of interest is Karmen’s user-friendly interface, geared to buyers with limited technical knowledge. It offers a dashboard with a graphical overview of relevant information, including the number of clients a buyer has, how much money they’ve earned and updates to the Karmen software (updates are free). It also allows users to change the malware’s settings using a control panel, while a “Clients” page tracks computers infected with the malware, with a separate Bitcoin wallet for each victim. The whole package goes for just $175.
Recorded Future said that so far, 20 copies of the Karmen malware have been sold, while only five copies remain available to potential buyers.
As for attribution, on March 4, 2017, a member of the underground forum Exploit with the username Dereck1 mentioned the variant. Further investigation revealed that DevBitox, a Russian-speaking cyber-criminal, was the seller behind the kit.
“The seller has admitted he was only involved with web development and control panel design; the malware…was created by an unknown associate operating out of Germany,” said Diana Granger and Andrei Barysevich, researchers at Recorded Future, in an analysis. “The first cases of infections with Karmen were reported as early as December of 2016 by victims in Germany and the United States.”