April 21, 2017
Aspiring cybercriminals no longer have to flex their technical muscles to pull one over on victims. According to Forbes, ransomware-as-a-service (RaaS) “brings cybercrime to the people.” So it’s no wonder that this emerging market is quickly becoming a serious threat to corporations and consumers alike.
Would-be fraudsters simply purchase all-in-one ransom tools and start infecting devices. Payments are demanded in bitcoin to reduce the risk of capture. Even if these low-level attackers don’t succeed, malware-makers have already been paid, in turn driving them to create more threats-as-a-service.
Now a new strain of RaaS, Karmen, is making the rounds, providing entry-level cybercriminals the equivalent of a fast food malware: simple, cheap and not that great, but good enough to get the job done.
A Good Deal for Ransomware Rookies
As noted by CSO Online, the new Karmen ransomware kit is priced at just $175. That’s a one-time fee for everything aspiring attackers need to start infecting machines and demanding big payouts. Russian developer DevBitox has been shopping the malware around underground forums, highlighting its easy-to-use interface, which keeps track of infected machines, provides a running total of payouts and lets users modify the code as desired.
So far, DevBitox has sold 20 copies of the new RaaS, with the first infections occurring in December 2016 across the U.S and Germany. For hopeful fraudsters, this is a great deal. The price is low, the feature set is better than average and the seller offers limited support by providing three free rebuilds of malicious files detected by antivirus programs.
As noted by ZDNet, Karmen is effectively a “starter pack” for low-level larcenists to try their hands at cybercrime without putting in too much effort or assuming too much risk.
Flimsy Code Makes for a Low Threat
Thankfully, Karmen’s threat level isn’t exactly red alert. The malware is based on abandoned open source ransomware Hidden Tear, which was originally designed as a proof of concept, posted on Github and then used by actual malware-makers as the foundation of new code. It’s an unremarkable piece of software that provides exactly what it advertises: AES-128 encryption and the ability to demand bitcoin ransoms.
Sure, DevBitox upped the ante with web browser remote controls and the ability to individually manage ransom demands, but with Hidden Tear at its core, the malware isn’t exactly a looming threat. Researcher Michael Gillespie developed a decryption key generator for Hidden Tear-based infections and created a site to evaluate what type of ransomware ails users, CSO Online reported. Other sites such as No More Ransom! also offer free tools to help combat open source attacks.
Karmen isn’t great code, but it’s a great money-making idea for DevBitox, which likely invested little effort into modifying Hidden Tear and then making a quick buck. More than the limited threat offered here, it’s a warning sign to companies and consumers.
Just like legitimate as-a-service tools have become the easiest route to perform complex functions or empower collaboration, so are RaaS tools supplanting more sophisticated malware. Why wait for victims to pay the check when fast food ransomware asks the easy question: “Files with that?”