Is Karmen the most user friendly ransomware available?

Threat Intelligence vendor Recorded Future has given details of a limited edition ransomware for sale. 25 copies of the ransomware, called Karmen, have been offered for sale. The price? $175. So far, 20 copies have been sold with 5 remaining for anyone looking for a quick start into ransomware.

The ransomware has been derived from an open source ransomware project called Hidden Tear. That project first surfaced in 2015 and a number of variants were quickly created. However, as the source code was available to researchers and criminals, it was easily defused.

What is interesting and very disturbing is that despite its roots, most security software does not pick up Karmen. An image provided by Recorded Future shows just 1 out of 35 AV tools detecting one of the key files, Joise.exe. When we searched the databases of several leading AV tools there were no references to Karmen or Joise.

Profitable from the first infection

Karmen is profitable from the first infection. The average ransomware payment at present is 0.5 Bitcoin. With 1 Bitcoin currently worth US$1,220, purchasers are looking at a profit even if they only infect a single machine. This makes it a very attractive option for anyone just starting out in ransomware. However, it also raises the question of why it didn’t sell out immediately.

Recorded Future has published a link to a YouTube presentation of how Karmen works. It shows the dashboard which allows the cybercriminal to control and track the effectiveness of Karmen. It has been made as simple as possible. Among the controls are the price to decrypt an infected machine in both Bitcoin and Satoshi. It also shows how many clients they have infected, who has paid, what they’ve earned and the current price of a Bitcoin.

All of this makes it the most user friendly ransomware created.

Mess with the ransomware at your own risk

Karmen is no pushover if you are infected. The screen message an infected user gets shows that it can be displayed in German or English. It also warns the user that: “Interference with the program – can leave you without files.” This is no idle threat.

An increasing number of users are beginning to run their browser inside a sandbox for security reasons. Security researchers do the same, and they keep analysis software on their machines. If Karmen discovers either of these conditions, it deletes the decryptor.


The barriers to entry for wannabe cybercriminals continue to get lower. Karmen sets a new low for ransomware and, short of an AI-driven ransomware, it’s hard to see how it gets any easier. The fact that only 25 copies have been offered for sale at a price well below the current decryption price is strange. More worrying than strange is the fact that almost all the major AV vendors have no visibility of this at all. For something built on an open source ransomware project, this is very surprising.

