Karmen Ransomware-as-a-service Poses a Legitimate Threat

Ransomware-as-a-service has quickly become quite a popular business model among internet criminals residing on the deep web. Karmen, a new type of ransomware-as-a-service, is currently being advertised on multiple hacking forums. It appears this new malware distribution effort is based out of Russia, as the people marketing this tool are only doing so on Russian-speaking hacking forums.

More Ransomware Threats Are Never Good

The Karmen ransomware-as-a-service advertisement is quite the intriguing concept, although that does not mean this threat is limited to just Russia by any means. Just because criminals are focusing their attention on underground hacking forums in that language, should never be seen as an indication of where the next ransomware attack may occur. For all we know, Karmen could be distributed in the US or Asia first, and never even make an appearance in Russia.

As one would come to expect, this particular RaaS model is based on previously released open source ransomware code. Hidden Tear is one of the many malware types which had its code made open source over the past few months. Karmen is clearly based on this type of ransomware, although a few minor modifications have been made by the developers. That was to be expected, as a one-on-one clone of an existing ransomware building toolkit would have no intrinsic value whatsoever.

It appears the people actively advertising Karmen are trying to make their solution stand out from the competition. Karmen provides full disk and file encryption, as well as an individual bitcoin wallet address for every victim infected with this malware. The software uses minimal communication with the command-and-control server, it also deletes the ransomware automatically once the payment has been received. Interestingly enough, it does not appear to change file extensions, which is rather unusual.

To start using this ransomware-as-a service product, parties must purchase a membership first. Once they made the payment, criminals are given access to an online control panel, residing on the deep web, where they can configure the malware to their liking. It doesn’t appear there are other payment options besides bitcoin, even though Monero and Ethereum are slowly becoming more popular on the darknet as well. Then again, the developers may add this functionality at a later date.

Thankfully, one security researcher managed to find a few loopholes in Karmen’s security that allow victims to decrypt files without making a payment. A decryptor is installed on the infected machine once the encryption process is completed. It appears this tool is part of the decryption process provided by researcher Michael Gillespie. Considering how he cracked a Hidden Tear decryptor some time ago, it is not surprising to learn he found a new flaw in a project based on that source code.

It is evident criminals will continue to distribute significant amounts of ransomware and other malware over the coming years. Victims who do not use or update antivirus solutions will ultimately be faced with these threats. While Karmen is not as powerful as its developers want to make people believe, it should not be ignored either. Ransomware is a very real problem, and dealing with an infection can be cumbersome for less tech-savvy computer users.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.