A new Ransomware-as-a-Service (RaaS) named Karmen is currently being advertised and sold online on an infamous Russian-speaking underground hacking forum.
According to threat intelligence firm Recorded Future, work on this new RaaS started late last year, when a Russian-speaking hacker named DevBitox joined forces with an unknown German partner and created Karmen.
The two divided the work between them: the German partner built the ransomware itself, modifying a version of the Hidden Tear ransomware, while DevBitox used his web coding skills to create the Karmen RaaS backend.
When their new service was ready, the two started advertising Karmen on several places online. Below is a translated copy of one of their adverts:
- Multi-threaded
- Multi-language
- Supports .NET 4.0 and newer versions
- Encryption algorithm: AES-256
- Adaptive admin panel
- Encrypts all discs and files
- Separate BTC wallet for each victim
- Small size
- Automatic deletion of loader
- Automatic deletion of malware (after payment was received)
- Minimal connection with control server
- Robust control panel
- Almost FUD (1/35)
- Automatic file decryption after received payment
- T2W compatible
- File extensions remain the same
- Detection of Anti-debugger/analyzers/VM/SandBox
- Automatic deletion of decryptor if sandbox environment or an analyzing software is detected on victim's computer
- Light version - Obfuscation and autoloader only
- Full version - Detection of analyzing software

Notes:
- Application .NET dependent
- Support Infrastructure: PHP 5.6, MySQL, "file()" function must be activated on the server
- Rebuild - Free (up to three copies)
- Updates - Free

Price $175
Once someone buys access to the Karmen RaaS, they get a web-based control panel hosted on the Dark Web, where they can configure a personalized version of the Karmen ransomware. Below are images of the Karmen RaaS backend.
What's peculiar about Karmen is the popup window it shows once it has infected a computer and encrypted the user's files: an ominous message warning users not to interfere with the encryption process, or they risk losing all their files.
In reality, the ransomware isn't as secure as its authors believe, and security researcher and long-time Bleeping Computer forum user Michael Gillespie has already found a way to help users.
Once the encryption process ends, Karmen drops a decrypter on the user's desktop. Karmen also features anti-VM and anti-sandboxing protection measures, and it will not run when it detects such environments.
Karmen authors claim their ransomware is undetectable by most of today's major AV vendors.
In reality, being a Hidden Tear-based variant, Karmen is already detected by most security firms on VirusTotal [sample].
Below is a YouTube video recorded by Karmen's author, but rehosted by Recorded Future to remove advertising links.
UPDATE: On April 20, threat intelligence firm SenseCy has spotted Mordor, a rebranded version of the Karmen RaaS.
File names: joise.exe, n_karmen.exe, build.exe
File MD5 hashes: 9c8fc334a1dc660609f30c077431b547, 56b66af869248749b2f445be8f9f4a9d, 521983cb92cc0b424e58aff11ae9380b
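For responders who want to sweep a machine for the indicators listed above, the following script is an added example (not part of the original article or of Recorded Future's reporting). It hashes every file under a directory tree and flags matches against the three published MD5 values; it also flags the published file names, but treats a name-only match as a weaker signal, since a renamed build keeps its hash while a benign file can share a name. The `scan` and `md5_of_file` function names are this example's own.

```python
"""Sweep a directory tree for the Karmen IOCs published in the article.

Added example, not code from the article or the Karmen authors. The MD5
values and file names are the ones listed on the page; everything else is
an assumption of this example.
"""
import hashlib
import os
import sys
from pathlib import Path

# Hashes published in the article (strong signal: a renamed sample still matches).
KARMEN_MD5 = {
    "9c8fc334a1dc660609f30c077431b547",
    "56b66af869248749b2f445be8f9f4a9d",
    "521983cb92cc0b424e58aff11ae9380b",
}

# File names published in the article (weak signal: benign files may share them).
KARMEN_NAMES = {"joise.exe", "n_karmen.exe", "build.exe"}


def md5_of_file(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, read in chunks so large files fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root):
    """Walk `root` and return a list of (path, md5, reasons) for every hit.

    `reasons` is a comma-separated string: "md5", "name", or "md5,name".
    Unreadable files (permissions, races with deletion) are skipped, not fatal.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            reasons = []
            if digest in KARMEN_MD5:
                reasons.append("md5")
            if name.lower() in KARMEN_NAMES:
                reasons.append("name")
            if reasons:
                hits.append((str(path), digest, ",".join(reasons)))
    return hits


if __name__ == "__main__":
    # Usage: python karmen_ioc_scan.py <directory>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, reasons in scan(target):
        print(f"{reasons:8} {digest} {path}")
```

A hash hit is conclusive for the specific builds listed; a name-only hit is a prompt to pull the file for analysis, not proof of infection. Because the RaaS rebuilds per customer, absence of a hash match says nothing about other Karmen builds, so treat this as a check for the known samples rather than a general Karmen detector.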