The Karmen Ransomware appears to be a new Ransomware-as-a-Service (RaaS) project whose control panel was uncovered by malware researchers in mid-March 2017. The RaaS model has attracted a lot of attention since 2016, and several such projects have already surfaced, among them the Encryptor RaaS, the Ranion Ransomware and the Dot Ransomware. Usually the authors of these projects build on a brand-new piece of crypto-threat or on a heavily customized version of older ransomware. The crook behind the Karmen Ransomware, however, has opted for a much simpler base that security researchers know very well: the open-source HiddenTear project. The good news is that, as long as the Karmen Ransomware keeps HiddenTear's encryption routine as the foundation of its attacks, its victims are very likely to be able to recover their files without paying the ransom, because HiddenTear's key handling is weak enough that free decryption tools for it already exist.
The New Karmen RaaS Relies on a Flawed File Encryption Project
The RaaS website on which 'clients' can obtain a personalized Karmen Ransomware binary is not yet being promoted actively, but the author appears to have set up a fairly simple, easy-to-use administration area that lets anyone deploy the Karmen Ransomware and extort victims for money. The Karmen Ransomware appears to use a hard-coded extension to mark encrypted files, appending '.grt' after the original file extension (e.g. 'database.sql' becomes 'database.sql.grt'). The ransom message is delivered in a pop-up window titled 'Karmen Decrypter', which tells the user how to decrypt their files. Peculiarly, the Karmen Ransomware ships both an English and a German version of the message, which reads:
'All files are encrypted! Please follow the mind. In order to get the key to decrypt send this amount to our wallet Bitcoin.
Decrypt files automatically.
Interference with the program – can leave you without files.’
The sample of the Karmen Ransomware that was first spotted online does not ask for any money: the specified ransom fee is 0 BTC and the Bitcoin wallet address to which payments should be sent appears to be empty. This may change once both the author and the 'clients' start distributing weaponized versions of the Karmen Ransomware. Because the Karmen Ransomware may become available to cyber crooks across the globe, there is no way to list all the distribution channels they may use. However, users who run anti-virus protection and follow the most important safe browsing practices are far more likely to stay away from the Karmen Ransomware's malicious files and to prevent the threat from encrypting their data. The unlucky users who do end up running the Karmen Ransomware may be alarmed to find that many of their documents, databases, images and other files have been rendered inaccessible. The good news is that the Karmen Ransomware's encryption module is borrowed from HiddenTear, so a free HiddenTear decryptor should be enough to get the files back, provided the sample keeps HiddenTear's weak key generation. Such decryptors work by brute-forcing the weakly generated key and typically need one encrypted file together with an unencrypted copy of it (or a file type with a known header) to confirm the result, so victims should preserve the encrypted files rather than delete them.
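The following is an added example, not code from the page, from Karmen or from HiddenTear. It shows why a HiddenTear-style encryptor is recoverable and how the '.grt' renaming described above is undone. It assumes a model of the encryptor in which a fixed-length password is drawn from a PRNG seeded with the millisecond tick count at infection time, an AES-256-CBC key is derived from that password, and each encrypted file gets the marker extension; Go's math/rand stands in for .NET's System.Random, SHA-256 stands in for the PBKDF2 step, the PNG header is used as the known plaintext, and the sample file, tick value and seed window are all constructed for the demonstration. The weakness it demonstrates (a seed space small enough to enumerate once one file's leading bytes are known) does not depend on those substitutions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/rand"
	"strings"
)

// Assumed model of a HiddenTear-style encryptor (written for this example, not
// Karmen's or HiddenTear's code): password drawn from a tick-seeded PRNG,
// AES key derived from it, files AES-CBC encrypted and renamed with markerExt.
const (
	passwordLen = 15
	alphabet    = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	markerExt   = ".grt"
)

// pngMagic is the fixed 8-byte header of every PNG file: a known plaintext an
// analyst can use to confirm a candidate key without the original file.
var pngMagic = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// passwordFromSeed reproduces the modelled password generation for one seed.
// math/rand stands in for .NET's System.Random (assumption).
func passwordFromSeed(seed int64) string {
	rng := rand.New(rand.NewSource(seed))
	var sb strings.Builder
	for i := 0; i < passwordLen; i++ {
		sb.WriteByte(alphabet[rng.Intn(len(alphabet))])
	}
	return sb.String()
}

// deriveKeyIV turns the password into a 256-bit AES key and a 128-bit IV.
// SHA-256 stands in for HiddenTear's PBKDF2 step (assumption).
func deriveKeyIV(password string) (key, iv []byte) {
	k := sha256.Sum256([]byte(password))
	v := sha256.Sum256(k[:])
	return k[:], v[:aes.BlockSize]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptFile is the modelled ransomware side: AES-256-CBC over padded plaintext.
func encryptFile(plain []byte, password string) []byte {
	key, iv := deriveKeyIV(password)
	block, _ := aes.NewCipher(key)
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// decryptFile is the recovery side once the password is known.
func decryptFile(ct []byte, password string) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	key, iv := deriveKeyIV(password)
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// recoverPassword enumerates seeds in [lo, hi] and checks each candidate against
// the first ciphertext block only (P0 = D(C0) XOR IV), so a guess costs one AES
// block decryption plus the key derivation.
func recoverPassword(ct, knownPrefix []byte, lo, hi int64) (password string, seed int64, ok bool) {
	if len(ct) < aes.BlockSize || len(knownPrefix) > aes.BlockSize {
		return "", 0, false
	}
	first := make([]byte, aes.BlockSize)
	for s := lo; s <= hi; s++ {
		pw := passwordFromSeed(s)
		key, iv := deriveKeyIV(pw)
		block, _ := aes.NewCipher(key)
		block.Decrypt(first, ct[:aes.BlockSize])
		for i := range first {
			first[i] ^= iv[i]
		}
		if bytes.HasPrefix(first, knownPrefix) {
			return pw, s, true
		}
	}
	return "", 0, false
}

// originalName strips the marker extension: "database.sql.grt" -> "database.sql".
func originalName(encName string) string {
	return strings.TrimSuffix(encName, markerExt)
}

func main() {
	// Constructed sample: the analyst does not know the exact tick count at
	// infection time but can bound it from file modification timestamps.
	infectionTick := int64(1489500000)
	pw := passwordFromSeed(infectionTick)
	plain := append(append([]byte{}, pngMagic...), []byte("constructed image body")...)
	ct := encryptFile(plain, pw)
	encName := "photo.png" + markerExt

	got, seed, ok := recoverPassword(ct, pngMagic, infectionTick-60000, infectionTick+60000)
	fmt.Println("recovered:", ok, "seed:", seed, "password:", got)
	if ok {
		dec, err := decryptFile(ct, got)
		fmt.Println("plaintext matches:", err == nil && bytes.Equal(dec, plain), "->", originalName(encName))
	}
}
```

The search window of two minutes of tick values is searched in well under a second here; a real brute-forcer has to reproduce the exact PRNG and key-derivation steps of the sample it targets, which is why the free HiddenTear tools are tied to the HiddenTear code base and why a victim needs to keep at least one encrypted file whose contents (or header) are known.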