Diana Granger and Andrei Barysevich from Recorded Future have said that on 4 March 2017, they observed a member of the underground forum “Exploit” named “Dereck1” mention a new ransomware variant called “Karmen.”
Karmen is a “ransomware as a service” (RaaS) offering, available for purchase by anyone, derived from “Hidden Tear,” an open-source ransomware project.
As is typical for ransomware, Karmen encrypts files on the infected machine with the strong AES-256 cipher, making them inaccessible to the user, and may display a ransom note or instructions demanding that the user pay a large sum of money to obtain the decryption key from the attacker.
A notable feature of Karmen is that it automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim's computer.
When a user's computer is infected with Karmen, they get a message warning them not to interfere with the malware.
The Karmen interface lets buyers of the service change the malware's settings through a control panel that requires minimal technical knowledge. The “Clients” page tracks computers infected with the malware.
The dashboard gives the operator an overview of relevant information, including the number of clients they have, how much money they have earned, and updates to the Karmen software.
Further investigation revealed that “DevBitox,” a Russian-speaking cyber-criminal, was the seller behind the Karmen malware on underground forums in March 2017. However, the first cases of infections with Karmen were reported as early as December of 2016 by victims in Germany and the United States.
The duo from Recorded Future wrote: “the seller has admitted he was only involved with web development and control panel design; the malware is utilising the open source encryption project 'Hidden Tear' and was created by an unknown associate operating out of Germany.”