Just in case last year’s Petya and Mischa ransomware-as-a-service variants weren’t enough, 2017 has added another member to this “family” of malware.
According to Recorded Future, the new variant, dubbed "Karmen", was advertised on underground forums last month by the Russian-speaking cybercriminal "DevBitox". That said, Karmen infections have been reported in Germany and the United States as far back as December 2016.
Built on Hidden Tear, an open source ransomware proof-of-concept, Karmen encrypts the victim's files with AES-256. As is typical for malware of this kind, it then displays a ransom note stating how much must be paid to get the files back. It goes a step further, though: if it detects a sandbox environment or analysis software on the victim's computer, Karmen deletes its own decryptor.
Budding cyberextortionists can buy the malware on the black market for a one-time fee of $175 and use it without any advanced technical knowledge. Karmen comes with a user-friendly dashboard that gives at-a-glance access to the number of "clients", the amount of money received, and the settings.
Users hit by this variant are confronted, once encryption completes, with a message warning that any interference with the malware may lead to permanent loss of their files.
A list of all the characteristics for Karmen was provided to Recorded Future by creator DevBitox:
- Supports .NET 4.0 and newer versions
- Encryption algorithm: AES-256
- Adaptive admin panel
- Encrypts all discs and files
- Separate BTC wallet for each victim
- Small size
- Automatic deletion of loader
- Automatic deletion of malware (after payment was received)
- Minimal connection with control server
- Robust control panel
- Almost FUD (1/35)
- Automatic file decryption after received payment
- T2W compatible
- File extensions remain the same
- Detection of anti-debugger/analyzers/VM/sandbox
- Automatic deletion of decryptor if sandbox environment is detected on victim’s computer*
- Light version: obfuscation and autoloader only
- Full version: detection of analyzing software
*Or if an analyzing software is detected
Karmen requires the .NET Framework on the victim's machine; its back end needs PHP 5.6 and MySQL, with PHP's file() function enabled. Beyond the initial fee, all updates are free of charge.
Three file names are currently known to indicate the ransomware's presence: joise.exe, n_karmen.exe, and build.exe. To confirm that a sample is genuine, MD5 and SHA1 hashes of the known samples are also provided (each MD5 is paired with the SHA1 listed beneath it; the listing does not say which pair belongs to which file name):
- MD5: 9c8fc334a1dc660609f30c077431b547
- SHA1: dc875c083c5f70e74dc47373a4ce0df6ccd8ae88
- MD5: 56b66af869248749b2f445be8f9f4a9d
- SHA1: f79f6d4dd6058f58b384390f0932f1e4f4d0fecf
- MD5: 521983cb92cc0b424e58aff11ae9380b
- SHA1: 2a3477ea2d09c855591b3d16cfff8733935db50b
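Since the page gives only file names and hashes, the practical use of these indicators is a sweep of a host or file share for them. The following is an added example, not code from Recorded Future, DevBitox, or the article; it assumes only the Python standard library. The indicator sets are copied from the list above, the directory it builds for the demo contains constructed placeholder files (not malware), and the function names `file_hashes`, `classify`, `scan` and `build_demo_tree` are choices made here.

```python
"""Offline IOC sweep for the Karmen file names and hashes listed in the article."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from the article. It does not say which hash belongs to
# which file name, so names and hashes are kept as independent indicator sets.
KARMEN_FILENAMES = {"joise.exe", "n_karmen.exe", "build.exe"}
KARMEN_MD5 = {
    "9c8fc334a1dc660609f30c077431b547",
    "56b66af869248749b2f445be8f9f4a9d",
    "521983cb92cc0b424e58aff11ae9380b",
}
KARMEN_SHA1 = {
    "dc875c083c5f70e74dc47373a4ce0df6ccd8ae88",
    "f79f6d4dd6058f58b384390f0932f1e4f4d0fecf",
    "2a3477ea2d09c855591b3d16cfff8733935db50b",
}


def file_hashes(path, chunk_size=1 << 16):
    """Return (md5, sha1) hex digests of a file, computed in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def classify(path, name_iocs=KARMEN_FILENAMES, md5_iocs=KARMEN_MD5,
             sha1_iocs=KARMEN_SHA1):
    """Return the list of indicator types that match `path` (empty if none).

    A hash match identifies a known sample exactly; a filename-only match is
    weak evidence, since the operator can rename the binary at will.
    """
    reasons = []
    if Path(path).name.lower() in name_iocs:
        reasons.append("filename")
    md5, sha1 = file_hashes(path)
    if md5 in md5_iocs:
        reasons.append("md5")
    if sha1 in sha1_iocs:
        reasons.append("sha1")
    return reasons


def scan(root, **iocs):
    """Walk `root` and return {path: reasons} for every file hitting an IOC."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                reasons = classify(full, **iocs)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if reasons:
                hits[full] = reasons
    return hits


def build_demo_tree():
    """Create a temp directory holding constructed files (not real malware).

    Returns (root, suspicious_path, benign_path). The 'n_karmen.exe' written
    here is an inert placeholder, so it can only ever match on its name.
    """
    root = tempfile.mkdtemp(prefix="karmen-ioc-demo-")
    suspicious = os.path.join(root, "n_karmen.exe")
    benign = os.path.join(root, "notes.txt")
    with open(suspicious, "wb") as fh:
        fh.write(b"constructed placeholder, not an executable\n")
    with open(benign, "wb") as fh:
        fh.write(b"hello\n")
    return root, suspicious, benign


if __name__ == "__main__":
    root, _, _ = build_demo_tree()
    for path, reasons in sorted(scan(root).items()):
        print(f"{path}: matched on {', '.join(reasons)}")
```

Two caveats follow from the feature list above. The hashes are exact but brittle: the seller advertises obfuscation and a build that is "almost FUD", so a repacked build will carry new hashes and only the three published samples are caught this way. The file names are the opposite, easy to match but trivial for an operator to change, which is why the scanner reports which indicator type fired rather than a single yes/no.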
A demonstration of Karmen in action can be found on the Recorded Future YouTube channel. Although it was uploaded on the publication’s channel, the original video was produced by DevBitox as a way to market the ransomware.
At the time of this writing, 20 copies of Karmen have been sold, with five more available to potential customers. All is not lost, however, as there are ways to counter this attack.
Security researcher Michael Gillespie, for example, has developed an encryption key generator aimed specifically at Hidden Tear-based ransomware variants and is advising victims to contact him for help. Gillespie also runs a website that identifies which ransomware has infected a computer from either the ransom note or an encrypted file sample. The site currently boasts that it can identify over 360 ransomware families, including last year's Petya companion, Mischa.
Free decryption tools are also available for certain types of ransomware via No More Ransom.