Karmen Ransomware: User-friendly, Sandbox-averse

frogboy
Thread author
A new ransomware variant dubbed Karmen has made an appearance on the Dark Web. Interestingly, the strain automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim’s computer.

According to Recorded Future, the malware is a ransomware as a service (RaaS) offering derived from Hidden Tear, an open-source ransomware project. It encrypts files on the infected machine using the strong AES-256 encryption protocol. And because it automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim’s computer, these machines won’t get their files back, even if their owners pay the ransom.

Also of interest is Karmen’s user-friendly interface, geared to those with limited technical knowledge. It offers a dashboard with a graphical overview of relevant information, including the number of clients they have, how much money they’ve earned and updates to the Karmen software (updates are free). It also allows users to change the malware’s settings using a control panel, while a “Clients” page tracks computers infected with the virus, with a separate Bitcoin wallet for each victim. The whole package goes for just $175.

Recorded Future said that so far, 20 copies of Karmen malware have been sold, while only five copies remain available to potential buyers.

Read more: Karmen Ransomware: User-friendly, Sandbox-averse

Parsh
Oh man, the heights of RaaS: user-intuitive SaaS is what ransomware provides these days!

[attached image: Karmen-RaaS- (4).png]

And this is the only time open source becomes nasty.
Sure, there must be a lot more such content to discover every now and then on the dark web.

cruelsister
Ah! The Script-Kiddies strike again! First off, having whatever anti-VM functionality does not change the basic encryption mechanism, which is already well known. Second, who cares if the decryptor is deleted if run in a VM? For God's sake, it's being run IN A VM, so the actual files are unaffected anyway!!!!! Third, the purpose of coding in anti-VM or Sleep functions is to try to convince a person that a file is either a dud or innocuous. This isn't being done in this case, so it really is without point.

What is cool is the Control GUI. I hope they aren't sold out!!!

jamescv7
Nothing surprising; of course there is no alternative solution but to delete itself when detected in a sandbox or VM.

Yes, the GUI is the only X-factor here, making it interesting to conduct ransom activities. ;)

It would take a lot of time and research for a ransomware to manage to break out fully of a sandbox/VM, but that's not practical anyway.

cruelsister
Agreed. The bad thing about an article stating that a given piece of malware is "VM Aware" is that most think this means the malware can break out of the virtual environment, when just the opposite is the case. Personally, if I were a BlackHat (or more properly, a BlackSkirt) I would prefer Sleep functionality over environmental awareness. It would be more inclusive and not as "in your face" to the lazy analyst.