If posts on a popular cybercriminal forum are to be believed, the new ransomware Karmen may have infected users in the U.S. and Germany as far back as December 2016.
If posts on a popular cybercriminal forum are to be believed, the new ransomware Karmen may have infected users in the U.S. and Germany as far back as December 2016.

A Russian-speaking cybercriminal was discovered last March selling a new ransomware program named "Karmen" on the dark web, although infections using this product could date back as early as December 2016 in the U.S. and Germany.

In a blog post today, Recorded Future reported learning of Karmen on March 4 while monitoring a top-tier cybercriminal forum. (The company did not divulge which one.)  After additional investigation, researchers pinpointed the seller, an individual nicknamed "DevBitox," whose prior history on the forum includes providing support services to fellow cybercriminals, including helping them execute SQL injections.

In an interview, Recorded Future's director of advanced collection Andrei Barysevich told SC Media that additional Karmen-themed communications on the forum suggest that the ransomware may have been used in the wild late last year. 

"We saw that there was chatter between... buyers who were leaving positive feedback on the malware. A couple times they claimed that they were able to successfully infect victims [dating] back to December of 2016," said Barysevich.

A Microsoft .Net-dependent program, Karmen encrypts its victims using AES-256 protocols and is derived from the open-source ransomware project "Hidden Tear," Recorded Future reported. With a listed price point of $175, the malware is relatively affordable and allows attackers to configure settings via an intuitive online interface that requires little technical knowledge.

Through Karmen's web-based “Clients” page, users can keep track of infected computers and their ransom payment status, while a dashboard page keeps attackers apprised of the number of clients they have, how much money they've earned, and any incoming software updates.

Karmen users can also customize different ransom prices for various geographical regions, Barysevich noted. And in an effort to stymie security researchers, the ransomware also has been designed to automatically delete itself if it detects a sandbox environment or analysis software.

While DevBitox claims credit for Karmen's web development and control panel design, the malware itself was apparently developed by an unknown associate in Germany, using the aforementioned Hidden Tear as a foundation. As of the writing of Recorded Future's report, 20 copies of the ransomware had already been sold, with five remaining copies still available.

According to Barysevich, the demand for simple-to-use, conventional ransomware like Karmen has risen among novice members of the underground cybercrime community who don't have a strong enough reputation to be accepted into ransomware-as-a-service campaigns, which typically vet potential partners. 

"With a very reasonable price tag, more and more novice cybercriminals would be able to purchase straightforward ransomware" like Karmen, Barysevich explained.