A new ransomware as a service (RaaS) called Karmen has been discovered by security researchers at Recorded Future. This service allows anyone, including novices, to set up an account and customize their own ransomware campaign.
The Karmen RaaS costs $175 and lets buyers set ransom prices, determine how long to give victims to pay and offers multiple ways to communicate with targets. The console also acts as a dashboard allowing subscribers to keep tabs on the number of clients they have and how much money they have earned.
“Karmen Ransomware is sold as a standalone malware variant, only requiring a one-time upfront payment, allowing a buyer to retain 100 percent of payments from infected victims,” according to Recorded Future. The ransomware is sold in both light and full versions, with the light version omitting sandbox identification functionality; therefore offering a much smaller file size.
Recorded Future said it discovered that the malware on March 4 being sold as a RaaS on underground forums by a Russian-speaking cybercriminal named DevBitox or Dereck1. “Further investigation revealed that DevBitox, a Russian-speaking cyber criminal, was the seller behind the Karmen malware,” wrote Diana Granger and Andrei Barysevich, researchers with Recorded Future who authored a report on the ransomware published Tuesday.
Not much is known about DevBitox, except for the fact the hacker was previously observed soliciting clients for various hacking services, also on the Dark Web. Karmen ransomware appears to be the hacker’s first commercial project, researchers said.
Karmen is tied to the open-source ransomware sample called Hidden Tear, which was released in August 2015 for education purposes by Turkish security researcher Utku Sen. Since its release it has inspired a flurry of spin offs.
The first cases of Karmen infections were reported December 2016 by victims in Germany and the United States, according to researchers. Karmen encrypts files on the infected PCs using the AES-256 encryption standard.
Karmen ransomware (or Hidden Tear ransomware) can be removed via a free tool available on NoMoreRansom.org. However, researchers said “at the moment the free method to decrypt infected machines is not available.”
Karmen does have a number of distinguishing features including one that automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim’s computer. According to information on the Dark Web, Recorded Future believes there have only 20 versions of Karmen sold by the specific reseller identified as DevBitox, with only five remaining copies for sale.
“To provide consistent quality of service and ongoing maintenance, it is common for developers to limit the number copies sold to customers,” researchers said.
At this time, Karmen’s infection chain is currently unknown. It’s also unclear how many victims have been infected with the Karmen malware.