A new Ransomware-as-a-Service (RaaS) named Karmen is currently being advertised and sold online on an infamous Russian-speaking underground hacking forum.
First spotted by MalwareHunter in mid-March, the Karmen RaaS is based on the Hidden Tear open-source ransomware building toolkit, which has suffered minor modifications.
Two devs behind Karmen RaaS
According to threat intelligence firm Recorded Future, work on this new RaaS started late last year, when a Russian-speaking hacker named DevBitox joined forces with an unknown German partner and created Karmen.
The two divided tasks between them and the German partner created the ransomware per-se, modifying a version of the Hidden Tear ransomware, while DevBitox used his web coding skills to create the Karmen RaaS backend.
When their new service was ready, the two started advertising Karmen on several places online. Below is a translated copy of one of their adverts:
Once someone buys a membership to the Karmen RaaS, they get access to a web-based control panel hosted on the Dark Web, where they can configure a personalized version of the Karmen ransomware. Below are images of the Karmen RaaS backend.
What's peculiar about the Karmen ransomware is that once Karmen infects a computer, it encrypts the user's files and shows a popup window. This window shows an ominous message warning users not to interfere with the encryption process, otherwise, they might risk losing all their files.
Karmen ransomware warning message [Source: Recorded Future]
In reality, the ransomware isn't as secure as its authors believe, and security researcher and long-time Bleeping Computer forum user Michael Gillespie has already found a way to help users.
Furthermore, Victims can also check out Michael's older Hidden Tear decrypter, or try out Avast's similar tool.
Once the encryption process ends, Karmen drops a decrypter on the user's desktop. Karmen also features anti-VM and anti-sandboxing protection measures, and it will not run when it detects such environments.
Karmen authors claim their ransomware is undetectable by most of today's major AV vendors.
In reality, being a HiddenTear-based variant, Karmen is very well covered by most security firms on VirusTotal [sample].
Below is a YouTube video recorded by Karmen's author, but rehosted by Recorded Future to remove advertising links.
File name: joise.exe
File name: n_karmen.exe
File name: build.exe
File MD5: 9c8fc334a1dc660609f30c077431b547
File MD5: 56b66af869248749b2f445be8f9f4a9d
File MD5: 521983cb92cc0b424e58aff11ae9380b