
Femme fatale: Karmen ransomware seduces novice cybercriminals with affordability, ease of use

A Russian-speaking cybercriminal was discovered last March selling a new ransomware program named "Karmen" on the dark web, although infections using this product could date back as early as December 2016 in the U.S. and Germany.

In a blog post today, Recorded Future reported learning of Karmen on March 4 while monitoring a top-tier cybercriminal forum. (The company did not divulge which one.) After additional investigation, researchers pinpointed the seller, an individual nicknamed "DevBitox," whose prior history on the forum includes providing support services to fellow cybercriminals, including helping them execute SQL injections.

In an interview, Recorded Future's director of advanced collection Andrei Barysevich told SC Media that additional Karmen-themed communications on the forum suggest that the ransomware may have been used in the wild late last year.

"We saw that there was chatter between... buyers who were leaving positive feedback on the malware. A couple times they claimed that they were able to successfully infect victims [dating] back to December of 2016," said Barysevich.

A Microsoft .NET-dependent program, Karmen encrypts victims' files using AES-256 and is derived from the open-source ransomware project "Hidden Tear," Recorded Future reported. With a listed price point of $175, the malware is relatively affordable and allows attackers to configure settings via an intuitive online interface that requires little technical knowledge.

Through Karmen's web-based “Clients” page, users can keep track of infected computers and their ransom payment status, while a dashboard page keeps attackers apprised of the number of clients they have, how much money they've earned, and any incoming software updates.

Karmen users can also customize different ransom prices for various geographical regions, Barysevich noted. And in an effort to stymie security researchers, the ransomware also has been designed to automatically delete itself if it detects a sandbox environment or analysis software.

While DevBitox claims credit for Karmen's web development and control panel design, the malware itself was apparently developed by an unknown associate in Germany, using the aforementioned Hidden Tear as a foundation. At the time Recorded Future's report was written, 20 copies of the ransomware had already been sold, with five remaining copies still available.

According to Barysevich, the demand for simple-to-use, conventional ransomware like Karmen has risen among novice members of the underground cybercrime community who don't have a strong enough reputation to be accepted into ransomware-as-a-service campaigns, which typically vet potential partners.

"With a very reasonable price tag, more and more novice cybercriminals would be able to purchase straightforward ransomware" like Karmen, Barysevich explained.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
