A new, cheap Ransomware-as-a-Service (RaaS) has been detected by security experts from the threat intelligence firm Recorded Future. Dubbed Karmen, the RaaS is able to automatically delete the decryption tool if it detects a sandbox.
Karmen allows cybercriminal wannabes to easily create their own ransomware campaign at the price of $175. The whole process consists of just a few simple steps and does not require any professional skills in the field. Potential buyers can determine the ransom amount as well as the deadline by which victims must complete the payment.
Moreover, Karmen features a “Clients” tab that allows crooks to track the infected machines. They can easily get information about the exact number of victims, earned revenue and available updates for the ransomware.
Karmen RaaS is based on the open-source Hidden Tear ransomware. Hidden Tear first appeared in August 2015, released by the Turkish security researcher Utku Sen for educational purposes. Karmen's first victims were reported in December last year when researchers detected infected machines in the USA and Germany.
Karmen is a multifunctional and multilingual ransomware. It uses the AES-256 encryption algorithm and supports .NET 4.0. The malware is also .NET dependent and requires MySQL and PHP 5.6.
“On March 4, 2017, a member of a top-tier cyber criminal community with the username ‘Dereck1’ mentioned a new ransomware variant called ‘Karmen.’” – Recorded Future stated in a blog post – “Further investigation revealed that ‘DevBitox,’ a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017. However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.”
After infecting a machine and encrypting the victim's files, Karmen displays the ransom note with detailed payment instructions. However, unlike other ransomware, if Karmen detects a sandbox or other analysis software, it automatically deletes the decryption tool.
“A notable feature of Karmen is that it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.” – continues the blog post.