Data Breach Today® reported on April 19th that a Russian hacker has put together a low-end ransomware kit, called Karmen, that costs only $175. So if you're not a boy genius (or girl genius) and can't program but want to get into the lucrative ransomware business, it is very affordable to do so. Threat intelligence vendor Recorded Future was the source of the information about Karmen.
You may recall that the FBI has called ransomware a billion dollar a year business. Who wouldn't want a piece of that action?
Though the FBI and other law enforcement agencies counsel ransomware victims not to pay, victims who have not engineered their backups so that the data can actually be restored (copies kept isolated from the infected systems, and restores tested before they are needed) often say they have no choice but to pay. Payments (usually in bitcoin) used to be in the $300-$500 range, but we are seeing much larger demands these days. Some entities are even stockpiling bitcoins so they can pay the cybercriminals quickly. Others make a business decision that the cost of paying the ransom is lower than the cost of being out of business for however long data recovery takes.
Ransomware as a service has been around for a while, but Karmen sure is cheap.
Some other ransomware-as-a-service kits can be used for free, but the kit users have to pay a share of the profits to the developers. There must be something in the software that tells the developers when it is used, what the ransom was set at, and when (or if) it was paid. Trust among criminals is pretty rare . . . though the article suggests that trust is how these systems operate. Hmmm, maybe, but I wouldn't rule out code that rats out people who don't pay up.
Karmen was first noted in March as a new gateway for would-be members of the very profitable ransomware industry. It strikes me that $175 is a long way from a share of the profits, and how long will it be until someone figures out how to detect or defeat Karmen?
Karmen differs from its predecessor, the open-source Hidden Tear, which was developed for research purposes (you can see how well that went) and then abandoned. There is a free decrypter for Hidden Tear at the No More Ransom! website. There does not appear to be a decrypter for Karmen, so a victim cannot count on recovering the files without paying or restoring from backup.
The developer of Karmen, who calls himself DevBitox, added a dashboard for managing ransomware campaigns, among other features. For example, DevBitox claims on an underground forum that the malware can automatically delete itself after a victim pays the ransom. Karmen also comes in two versions, a light and a full version; the full version is advertised as also detecting debuggers, virtual machines and sandboxes, the usual trick for keeping a sample from revealing its behavior when an analyst or an automated sandbox runs it.
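The article does not say how Karmen performs those checks, and the following is an added illustration written for this page, not Karmen's code or anything from Recorded Future. It shows the common Linux-side forms such checks take (a ptrace debugger leaves a nonzero TracerPid in /proc/self/status; VM vendors leave their names in the DMI/SMBIOS fields under /sys/class/dmi/id; sandboxes tend to be small, freshly booted machines), written so the inputs can be supplied by the caller. The vendor list, the resource thresholds and the sample inputs are assumptions constructed for the example. Analysts hardening a sandbox can run the same checks to see which of these artifacts their own environment leaks.

```python
"""Added example, not from the original post or from Karmen: how typical
debugger / VM / sandbox checks work on Linux, with the inputs supplied by
the caller so the logic can be exercised on constructed samples."""
import os
import re

# Vendor strings commonly found in the DMI/SMBIOS tables of virtual machines.
# This list is an illustrative assumption, not taken from Karmen.
VM_VENDOR_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "kvm", "bochs", "xen",
    "parallels", "hyper-v", "virtual machine",
)


def is_being_traced(proc_status_text: str) -> bool:
    """A ptrace-attached debugger shows up as a nonzero TracerPid in /proc/self/status."""
    m = re.search(r"^TracerPid:\s*(\d+)\s*$", proc_status_text, re.MULTILINE)
    return m is not None and int(m.group(1)) != 0


def vm_indicators(dmi_fields: dict) -> list:
    """Return the names of the DMI fields whose value names a hypervisor vendor."""
    hits = []
    for name, value in dmi_fields.items():
        lowered = value.lower()
        if any(marker in lowered for marker in VM_VENDOR_MARKERS):
            hits.append(name)
    return sorted(hits)


def sandbox_indicators(cpu_count, ram_bytes, uptime_seconds,
                       min_cpus=2, min_ram_bytes=2 * 1024 ** 3,
                       min_uptime_seconds=600) -> list:
    """Crude resource heuristics: analysis VMs are often small and just booted.
    The thresholds are illustrative assumptions, not Karmen's."""
    hits = []
    if cpu_count < min_cpus:
        hits.append("few_cpus")
    if ram_bytes < min_ram_bytes:
        hits.append("low_ram")
    if uptime_seconds < min_uptime_seconds:
        hits.append("short_uptime")
    return hits


def _read(path, default=""):
    """Read a small pseudo-file, returning default if it is absent (non-Linux hosts)."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return default


def live_report() -> dict:
    """Apply the three checks to the host this script runs on (Linux paths)."""
    status = _read("/proc/self/status")
    dmi = {}
    for field in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        dmi[field] = _read(f"/sys/class/dmi/id/{field}").strip()
    mem = re.search(r"^MemTotal:\s*(\d+) kB", _read("/proc/meminfo"), re.MULTILINE)
    ram_bytes = int(mem.group(1)) * 1024 if mem else 0
    uptime_text = _read("/proc/uptime", "0 0").split()[0]
    return {
        "traced": is_being_traced(status),
        "vm": vm_indicators(dmi),
        "sandbox": sandbox_indicators(os.cpu_count() or 1, ram_bytes, float(uptime_text)),
    }


# Constructed sample inputs, so the checks can be demonstrated without a real
# sandbox: one process under a debugger, one not; one VirtualBox guest, one laptop.
SAMPLE_STATUS_TRACED = "Name:\tsample\nTracerPid:\t4242\nUid:\t1000\n"
SAMPLE_STATUS_CLEAN = "Name:\tsample\nTracerPid:\t0\nUid:\t1000\n"
SAMPLE_DMI_VBOX = {"sys_vendor": "innotek GmbH", "product_name": "VirtualBox",
                   "board_vendor": "Oracle Corporation"}
SAMPLE_DMI_LAPTOP = {"sys_vendor": "LENOVO", "product_name": "20XW",
                     "board_vendor": "LENOVO"}

if __name__ == "__main__":
    print("traced sample:", is_being_traced(SAMPLE_STATUS_TRACED))
    print("VirtualBox sample:", vm_indicators(SAMPLE_DMI_VBOX))
    print("this host:", live_report())
```

Run on a real analysis box, `live_report()` tells you which of these signals the sandbox is giving away; the defensive fix is to make the environment look like the laptop sample (vendor strings scrubbed, realistic CPU and RAM, a plausible uptime) rather than to hope the sample never looks.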
DevBitox has allegedly sold 20 copies of Karmen and is offering only five more before capping sales. At $175 each, that's a lousy return. Frankly, I'm perplexed by the developer's motivation, though I understand that keeping malware undetectable by security products requires almost daily modifications, through a process called obfuscation or "cleaning." If DevBitox acquired too many customers, defeating Karmen would perhaps become more of a goal for researchers and security vendors, and if it were defeated, that would hurt the developer's reputation in the underground. I don't pretend to understand the strategies of these cybercriminals, some of whom seem content to make minimal returns on their labors.
The article talks about the need to service and maintain the copies sold. I can't believe there will be a lot of that going on, but again, this is not the world in which I live. How much work would the developer do to protect his reputation in his netherworld?
At the moment, we have no reliable information about how Karmen spreads or how many victims it has ensnared. DevBitox's advertisement claims Karmen is FUD, "fully undetectable," the underground's term for malware that supposedly gets past any security software or other anti-malware defenses. This is pretty much the standard claim in such advertisements, and whether it is true is impossible (currently) to verify.
One thing I do know for sure is that the number of victims we've consulted with who have contracted ransomware is rising. A formerly niggling disease has turned into a very expensive epidemic.
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology