A cheap, effective and easy-to-use ransomware service is currently being sold in the Russian-language hacking underground.
At a cost of $175, Karmen allows any buyer to encrypt infected machines using the AES-256 protocol and then trigger a ransom note demanding money, according to the security firm Recorded Future.
Unlike most other ransomware, Karmen knows how to defend itself. The malware deletes its own decryptor if analysis software or a sandbox environment is detected.
Andrei Barysevich, director of advanced collection at Recorded Future said Karmen doesn’t look to be anything “groundbreaking,” but shows that customer service is becoming more and more of a selling point when it comes to malware.
“A comeback of paid variations of malware, which was almost overtaken by the ransomware-as-a-service business model in 2016, could escalate the problem for individuals and businesses even further,” Barysevich told CyberScoop. “As novice cybercriminals are getting more opportunities to engage in ransomware attacks, it is very likely to see even more disturbing news about successful infections. ”
The tool is developed by a team includes two individuals: DevBitox, a Russian-speaking cybercriminal who sells the product, and an unknown developer in Germany, according to Recorded Future.
Karmen has been observed since December 2016 when it was developed from the open source ransomware project Hidden Tear. The scope of Karmen’s infections and sales isn’t clear, but Recorded Future researchers observed at least 20 sales by DevBitox.
Here’s DevBitox’s commercial for Karmen:
The ransomware is interesting and highly professional but, like most malware, not entirely secure. Most antivirus programs detect the malware. Bleeping Computer, a security blog, offers numerous options for victims to address being infected including Avast’s decryption tool.
Chris Bing contributed to this story.