A new Ransomware-as-a-Service (RaaS) named Karmen is currently being advertised and sold online on an infamous Russian-speaking underground hacking forum.

First spotted by MalwareHunter in mid-March, the Karmen RaaS is based on the Hidden Tear open-source ransomware building toolkit, which has suffered minor modifications.

Two devs behind Karmen RaaS

According to threat intelligence firm Recorded Future, work on this new RaaS started late last year, when a Russian-speaking hacker named DevBitox joined forces with an unknown German partner and created Karmen.

The two divided tasks between them and the German partner created the ransomware per-se, modifying a version of the Hidden Tear ransomware, while DevBitox used his web coding skills to create the Karmen RaaS backend.

When their new service was ready, the two started advertising Karmen on several places online. Below is a translated copy of one of their adverts:

- Multi-threaded
- Multi-language
- Supports .NET 4.0 and newer versions
- Encryption algorithm: AES-256
- Adaptive admin panel
- Encrypts all discs and files
- Separate BTC wallet for each victim
- Small size
- Automatic deletion of loader
- Automatic deletion of malware (after payment was received)
- Minimal connection with control server
- Robust control panel
- Almost FUD (1/35)
- Automatic file decryption after received payment  
- T2W compatible
- File extensions remain the same
- Detection of Anti-debugger/analyzers/VM/SandBox
- Automatic deletion of decryptor if sandbox environment or an analyzing software is detected on victim's computer
- Light version - Obfuscation and autoloader only
- Full version - Detection of analyzing software

- Application .NET dependent
- Support Infrastructure: PHP 5.6, MySQL, "file()" function must be activated on the server
- Rebuild - Free (up to three copies)
- Updates - Free

Price $175

Once someone buys a membership to the Karmen RaaS, they get access to a web-based control panel hosted on the Dark Web, where they can configure a personalized version of the Karmen ransomware. Below are images of the Karmen RaaS backend.

Karmen RaaS backend


Karmen RaaS backend


Karmen RaaS backend


What's peculiar about the Karmen ransomware is that once Karmen infects a computer, it encrypts the user's files and shows a popup window. This window shows an ominous message warning users not to interfere with the encryption process, otherwise, they might risk losing all their files.

Karmen ransomware warning message
Karmen ransomware warning message [Source: Recorded Future]

In reality, the ransomware isn't as secure as its authors believe, and security researcher and long-time Bleeping Computer forum user Michael Gillespie has already found a way to help users.

Furthermore, Victims can also check out Michael's older Hidden Tear decrypter, or try out Avast's similar tool.

Once the encryption process ends, Karmen drops a decrypter on the user's desktop. Karmen also features anti-VM and anti-sandboxing protection measures, and it will not run when it detects such environments.

Karmen authors claim their ransomware is undetectable by most of today's major AV vendors.

PoisonScanner results

In reality, being a HiddenTear-based variant, Karmen is very well covered by most security firms on VirusTotal [sample].

Below is a YouTube video recorded by Karmen's author, but rehosted by Recorded Future to remove advertising links.

UPDATE: On April 20, threat intelligence firm SenseCy has spotted Mordor, a rebranded version of the Karmen RaaS.


File name: joise.exe

File name: n_karmen.exe

File name: build.exe

File MD5: 9c8fc334a1dc660609f30c077431b547

File MD5: 56b66af869248749b2f445be8f9f4a9d

File MD5: 521983cb92cc0b424e58aff11ae9380b

SHA1: dc875c083c5f70e74dc47373a4ce0df6ccd8ae88

SHA1: f79f6d4dd6058f58b384390f0932f1e4f4d0fecf

SHA1: 2a3477ea2d09c855591b3d16cfff8733935db50b