April 20, 2017
A new type of ransomware-as-a-service has appeared on the dark web with unique features and an inexpensive price to attract malicious actors.
Security researchers discovered a new type of ransomware-as-a-service being sold on the dark web with a number of unique features.
Researchers for threat intelligence company Recorded Future of Somerville, Mass., first became aware of the Karmen ransomware in March but saw infections using the ransomware-as-a-service as early as December in the U.S. and Germany. The ransomware is known to have sold about 20 copies so far.
"The Karmen malware derived from 'Hidden Tear,' an open source ransomware project, available for purchase by anyone," Diana Granger, technical threat analyst for Recorded Future, wrote in a blog post. "As is typical for ransomware infections, Karmen encrypts files on the infected machine using the strong AES-256 encryption protocol, making them inaccessible to the user and may trigger a ransom note or instructions demanding that the user pay a large sum of money to obtain the decryption key from the attacker."
Granger also noted Karmen includes a unique feature where "it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim's computer."
Andrei Barysevich, director of advanced collection at Recorded Future and author of the Karmen report, told SearchSecurity this functionality is "not very common."
"This type of ransomware that deletes its own decryptor if a sandbox is detected is not prevalent," Barysevich said. "We've seen this previously, but most ransomware currently available does not have this feature built in."
Travis Smith, senior security research engineer at Tripwire, said this would be a good way to avoid security researchers.
"When you look at something like ransomware, it will be targeted towards end-user environments, which are running on physical hardware. Detecting a virtual environment is a quick and easy way to try and hide from security researchers," Smith told SearchSecurity. "A step beyond that is looking for the presence of tools which security researchers are using to inspect the malware, such as IDA or WinDbg, which are not on a typical end-user system."
Mounir Hahad, senior director of Cyphort Labs at Cyphort, said it is not uncommon for malware to delete itself when an analysis environment is detected, but Karmen is different.
"For a ransomware to delete the decryption module only, that's pretty unique. It's also hardly needed: the decryption code without the decryption key is useless," Hahad told SearchSecurity.
Recorded Future noted in the blog post the Karmen ransomware-as-a-service was designed to be accessible to all potential cybercriminals. "Configuration of Karmen through this interface allows actors to change the malware's settings using a control panel that requires very minimal technical knowledge."
Experts were also impressed with the options available. Hahad said Karmen was unique in "providing a different level of potency by offering no sandbox armoring at one level of service and some sandbox detection at another level of service."
Paul Calatayud, CTO at FireMon, said the multi-language support was "unique and becoming more popular given that this type of malware needs to be able to communicate with the end-user in order to extract a ransom."
Charles Gaughf, security lead for (ISC)², said the most impressive feature of Karmen is "how it has been commoditized and is being sold as ransomware-as-a-service."
"With Karmen, there is a low barrier of entry and very little technical knowledge is needed to set it up and start infecting," Gaughf told SearchSecurity. "Criminals who have purchased such software get very nice features such as dashboards, infection metrics, the current price of bitcoin, payload customizations, as well as how many people have actually paid the ransom."
Jim Walter, senior SPEAR researcher at Cylance, said the features of Karmen weren't all that unique and the offering simply "combines the features that we have all become accustomed to in ransomware-as-a-service offerings along with the usual functionality of Hidden Tear-based derivatives."
"The real danger is the low barrier of entry. With this or any other ransomware-as-a-service, anyone can generate and mutate their own ransomware with zero programming/coding knowledge or experience," Walter told SearchSecurity via email. "It's ducks-and-bunnies simple to churn out your own ransomware and at least attempt to profit."
Barysevich said "ransomware-as-a-service has been the prevailing business model for ransomware in the past year, and there are no signs of this slowing. It's quite unusual for cybercriminals to build ransomware themselves, then sell it and then not participate in profit sharing schemes."
Smith said ransomware-as-a-service gaining momentum makes financial sense for many malicious actors.
"By being a seller of malware, rather than a deployer, the criminal can reduce their risk profile tremendously. Not only this, but the monetization comes earlier in the malware lifecycle," Smith said. "These two aspects are drawing more malware authors to offer their wares as a service rather than going through the act of infecting victims."