Karmen Ransomware, a cheap RaaS service that implements anti-analysis features

Experts at Recorded Future have discovered a cheap RaaS, the Karmen Ransomware that deletes decryptor if detects a sandbox.

Security experts from threat intelligence firm Recorded Future have spotted a new ransomware as a service (RaaS) called Karmen. The service allows customers to easy create their ransomware campaign in a few steps and without specific skills.

Wannabe-crooks also track infected systems via a “Clients” tab, the Dashboard implements an efficient and easy to use cockpit that include various information such as the number of infected machines, earned revenue, and available updates for the malware.

The Karmen RaaS is very cheap, it costs just $175, buyers can decide the ransom prices and the duration of the period in which the victims can pay the ransom.

The Karmen ransomware is based on the open-source ransomware Hidden Tear, which was released in August 2015 by the Turkish security researchers Utku Sen for educational purposes.

The first Karmen infections were reported in December 2016, the malware infected machines in Germany and the United States.

The Karmen ransomware is a multi-threaded and multi-language ransomware that supports .NET 4.0 and uses the AES-256 encryption standard.

The malware is .NET dependent and requires PHP 5.6 and MySQL.

“On March 4, 2017, a member of a top-tier cyber criminal community with the username “Dereck1” mentioned a new ransomware variant called “Karmen.” reported a blog post published by Recorded Future.

“Further investigation revealed that “DevBitox,” a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017.”

“However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.”

Once infected a machine, the ransomware displays a ransom note with payment instructions, unlike similar malware, the Karmen ransomware automatically deletes the decryptor when detecting a sandbox environment or any other analysis software.

“A notable feature of Karmen is that it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.” continues the blog post.

Below the list of ransomware features provided by DevBitox:

  • Multi-threaded
  • Multi-language
  • Supports .NET 4.0 and newer versions
  • Encryption algorithm: AES-256
  • Adaptive admin panel
  • Encrypts all discs and files
  • Separate BTC wallet for each victim
  • Small size
  • Automatic deletion of loader
  • Automatic deletion of malware (after payment was received)
  • Minimal connection with control server
  • Robust control panel
  • Almost FUD (1/35)
  • Automatic file decryption after received payment
  • T2W compatible
  • File extensions remain the same
  • Detection of anti-debugger/analyzers/VM/sandbox
  • Automatic deletion of decryptor if sandbox environment is detected on victim’s computer*
  • Light version: obfuscation and autoloader only
  • Full version: detection of analyzing software

The ransomware is available for sale in both light and full versions, the light version doesn’t include anti-analysis features.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW

10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase

X