News

New Karmen Ransomware-as-a-Service Advertised on Hacking Forums

April 19,2017

A new Ransomware-as-a-Service (RaaS) named Karmen is currently being advertised and sold online on an infamous Russian-speaking underground hacking forum.

First spotted by MalwareHunter in mid-March, the Karmen RaaS is based on the Hidden Tear open-source ransomware building toolkit, which has suffered minor modifications.

Two devs behind Karmen RaaS

According to threat intelligence firm Recorded Future, work on this new RaaS started late last year, when a Russian-speaking hacker named DevBitox joined forces with an unknown German partner and created Karmen.

The two divided tasks between them and the German partner created the ransomware per-se, modifying a version of the Hidden Tear ransomware, while DevBitox used his web coding skills to create the Karmen RaaS backend.

When their new service was ready, the two started advertising Karmen on several places online. Below is a translated copy of one of their adverts:
sample1Once someone buys a membership to the Karmen RaaS, they get access to a web-based control panel hosted on the Dark Web, where they can configure a personalized version of the Karmen ransomware. Below are images of the Karmen RaaS backend.
sample2What's peculiar about the Karmen ransomware is that once Karmen infects a computer, it encrypts the user's files and shows a popup window. This window shows an ominous message warning users not to interfere with the encryption process, otherwise, they might risk losing all their files.

Karmen RaaS 1                                                           Karmen ransomware warning message [Source: Recorded Future]

In reality, the ransomware isn't as secure as its authors believe, and security researcher and long-time Bleeping Computer forum user Michael Gillespie has already found a way to help users.
sample3Furthermore, Victims can also check out Michael's older Hidden Tear decrypter, or try out Avast's similar tool.

Once the encryption process ends, Karmen drops a decrypter on the user's desktop. Karmen also features anti-VM and anti-sandboxing protection measures, and it will not run when it detects such environments.

Karmen authors claim their ransomware is undetectable by most of today's major AV vendors.

Karmen RaaS 5

In reality, being a HiddenTear-based variant, Karmen is very well covered by most security firms on VirusTotal [sample].

Below is a YouTube video recorded by Karmen's author, but rehosted by Recorded Future to remove advertising links.
sample4

IOCs:

File name: joise.exe

File name: n_karmen.exe

File name: build.exe

File MD5: 9c8fc334a1dc660609f30c077431b547

File MD5: 56b66af869248749b2f445be8f9f4a9d

File MD5: 521983cb92cc0b424e58aff11ae9380b

SHA1: dc875c083c5f70e74dc47373a4ce0df6ccd8ae88

SHA1: f79f6d4dd6058f58b384390f0932f1e4f4d0fecf

SHA1: 2a3477ea2d09c855591b3d16cfff8733935db50b

News Courtesy : https://www.bleepingcomputer.com/news/security/new-karmen-ransomware-as-a-service-advertised-on-hacking-forums/