Security researchers discovered a new type of ransomware as a service being sold on the dark web with a number of unique features.
Researchers for threat intelligence company Recorded Future Inc., of Somerville, Mass., first became aware of the Karmen ransomware in March, but saw infections using the ransomware as a service as early as December in the U.S. and Germany. The ransomware is known to have sold about 20 copies so far at $175 each.
"The Karmen malware derived from 'Hidden Tear,' an open source ransomware project, available for purchase by anyone," Diana Granger, technical threat analyst for Recorded Future, wrote in a blog post. "As is typical for ransomware infections, Karmen encrypts files on the infected machine using the strong AES-256 encryption protocol, making them inaccessible to the user and may trigger a ransom note or instructions demanding that the user pay a large sum of money to obtain the decryption key from the attacker."
Granger also noted Karmen includes a unique feature where "it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim's computer."
Andrei Barysevich, director of advanced collection at Recorded Future and author of the Karmen report, told SearchSecurity this functionality is "not very common."
"This type of ransomware that deletes its own decryptor if a sandbox is detected is not prevalent," Barysevich said. "We've seen this previously, but most ransomware currently available does not have this feature built in."
Travis Smith, senior security research engineer at Tripwire Inc., based in Portland, Ore., said this would be a good way for ransomware as a service to avoid security researchers.
"When you look at something like ransomware, it will be targeted toward end-user environments, which are running on physical hardware. Detecting a virtual environment is a quick and easy way to try and hide from security researchers," Smith told SearchSecurity. "A step beyond that is looking for the presence of tools which security researchers are using to inspect the malware, such as IDA or WinDbg, which are not on a typical end-user system."
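A defender-side triage check in the spirit of the analysis-tool lookups Smith describes, added here as an example and not code from the article or from Recorded Future. The indicator list and the sample bytes are assumptions constructed for illustration; the check also accounts for Hidden Tear derivatives being .NET binaries, whose string literals are stored as UTF-16LE and are missed by a plain ASCII search:

```python
"""Static triage for anti-analysis indicator strings in a suspected sample.

Added example (not from the article). Scans a binary for literals naming
analysis tools or sandbox artifacts in both ASCII and UTF-16LE, since
Hidden Tear-style .NET programs store their strings as UTF-16LE.
"""
import re

# Assumed indicator list: tool/process names rather than bare words such as
# "ida", which would match innocent strings like "validate". Hits are triage
# leads, not proof of sandbox evasion.
ANALYSIS_INDICATORS = ["idaq", "ida64", "windbg", "ollydbg", "wireshark",
                       "procmon", "vmware", "virtualbox", "vbox", "sandbox",
                       "sbiedll"]

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII and UTF-16LE string literals found in a blob."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found

def anti_analysis_hits(data: bytes) -> dict[str, list[str]]:
    """Map each indicator to the extracted strings (case-insensitive) containing it."""
    hits: dict[str, list[str]] = {}
    for s in extract_strings(data):
        low = s.lower()
        for ind in ANALYSIS_INDICATORS:
            if ind in low:
                hits.setdefault(ind, []).append(s)
    return hits

def triage_verdict(data: bytes, threshold: int = 2) -> str:
    """Flag a sample that references at least `threshold` distinct indicators."""
    n = len(anti_analysis_hits(data))
    return "suspicious: anti-analysis strings" if n >= threshold else "no anti-analysis strings"

# Constructed sample: padding around the kind of literals a sandbox-aware
# .NET ransomware might carry (UTF-16LE) plus one ASCII literal.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + "VBoxService.exe".encode("utf-16le") + b"\x00\x00"
          + "windbg".encode("utf-16le") + b"\x00\x00"
          + b"decryptor.exe" + b"\x00")

if __name__ == "__main__":
    for ind, strings in sorted(anti_analysis_hits(SAMPLE).items()):
        print(f"{ind}: {strings}")
    print(triage_verdict(SAMPLE))
```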
Mounir Hahad, senior director of Cyphort Labs at Cyphort, based in Santa Clara, Calif., said it is not uncommon for malware to delete itself when an analysis environment is detected, but Karmen is different.
"For a ransomware to delete the decryption module only, that's pretty unique. It's also hardly needed: The decryption code without the decryption key is useless," Hahad told SearchSecurity.
Recorded Future noted in the blog post that the Karmen ransomware as a service was designed to be accessible to all potential cybercriminals: "Configuration of Karmen through this interface allows actors to change the malware's settings using a control panel that requires very minimal technical knowledge."
Experts were also impressed with the options available. Hahad said Karmen was unique in "providing a different level of potency by offering no sandbox armoring at one level of service and some sandbox detection at another level of service."
Paul Calatayud, CTO at FireMon, based in Overland Park, Kan., said the multilanguage support was "unique and becoming more popular, given that this type of malware needs to be able to communicate with the end user in order to extract a ransom."
Charles Gaughf, security lead for (ISC)², based in Clearwater, Fla., said the most impressive feature of Karmen is "how it has been commoditized and is being sold as ransomware as a service."
"With Karmen, there is a low barrier of entry and very little technical knowledge is needed to set up and start infecting," Gaughf told SearchSecurity. "Criminals who have purchased such software get very nice features, such as dashboards, infection metrics, the current price of bitcoin, payload customizations, as well as how many people have actually paid the ransom."
Ransomware as a service
Jim Walter, senior SPEAR researcher at Cylance Inc., based in Irvine, Calif., said the features of Karmen weren't all that unique, and the offering simply "combines the features that we have all become accustomed to in ransomware-as-a-service offerings, along with the usual functionality of Hidden Tear-based derivatives."
"The real danger is the low barrier of entry. With this or any other ransomware as a service, anyone can generate and mutate their own ransomware with zero programming [and] coding knowledge or experience," Walter told SearchSecurity via email. "It's ducks-and-bunnies simple to churn out your own ransomware and at least attempt to profit."
Barysevich said, "Ransomware as a service has been the prevailing business model for ransomware in the past year, and there are no signs of this slowing. It's quite unusual for cybercriminals to build ransomware themselves, then sell it and then not participate in profit-sharing schemes."
Smith said ransomware as a service gaining momentum makes financial sense for many malicious actors.
"By being a seller of malware, rather than a deployer, the criminal can reduce their risk profile tremendously. Not only this, but the monetization comes earlier in the malware lifecycle," Smith said. "These two aspects are drawing more malware authors to offer their wares as a service, rather than going through the act of infecting victims."