It’s Cheap, It’s Easy, It’s Dangerous: Karmen Ransomware Hits the Criminal Black Market

April 24, 2017 • Amanda McKeon

Over the last two years, ransomware has become the hottest commodity in the criminal black market. And we do mean commodity — it’s getting cheaper and more accessible to crooks, even the unskilled ones.

On March 4 of this year, a leading cyber criminal, who goes by the name “Dereck1,” mentioned that there was a new ransomware variant out called “Karmen.” But Dereck1 wasn’t the one hawking this in the criminal market. Instead, it’s a Russian speaker who goes by the name of “DevBitox.”

The first infections seem to go back to December of 2016, with victims in Germany and the United States reporting infection. DevBitox is no cryptographic ace — by his own admission, he was involved only with web development and control panel design, the criminal customer’s user experience. But Karmen is interesting not only because it’s dangerous, but because it’s cheap, and because it affords some insight into the way criminal markets function. Joining us to talk about Karmen is Andrei Barysevich, Director of Advanced Collection at Recorded Future.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us. I’m Dave Bittner from the CyberWire, and this is episode three of the Recorded Future podcast.

Ransomware has over the last two years become the hottest commodity in the criminal black market. And we do mean commodity. It’s getting cheaper and more accessible to crooks, even the unskilled ones. On March 4 of this year, a leading cybercriminal who goes by the name “Dereck1,” mentioned that there was a new ransomware variant out called Karmen. But, Dereck1 wasn’t the one hawking this in the criminal market. Instead, it’s a Russian speaker who goes by the name of “DevBitox.” The first infection seems to go back to December of 2016, with victims in Germany and the United States.

DevBitox is no cryptographic ace, by his own admission, he was only involved with the web development and control panel design; the criminal customer’s user experience.

But Karmen is interesting not only because it’s dangerous, but because it’s cheap. And because it affords some insight into the way criminal markets function. It sells for only $175 a copy, and copies are limited to 25.

We’ve got a lot of questions about Karmen, and joining us to answer them is Andrei Barysevich, Director of Advanced Collection at Recorded Future.

Andrei Barysevich:

Karmen is a fairly sophisticated and yet very affordable type of ransomware based on an open source project called Hidden Tear. Karmen ransomware was offered and still offered to Russian-speaking cybercriminals on a top-tier underground forum.

Dave Bittner:

So, take me through how does Karmen work.

Andrei Barysevich:

It works exactly the same as any other ransomware. If you are unfortunate to get your system infected; let’s say someone sends you a malicious file. It could be an Excel file, Microsoft Word, PDF file, you click on that file, and if your system is vulnerable, it will immediately be infected with Karmen. All your files will be encrypted with a fairly strong 256 byte key, and essentially you won’t be able to access any of your documents, any of your files, pictures. And the only way for you to get your files back would be to actually pay ransom to a cybercriminal that infected your system.

Dave Bittner:

And so is this a situation where if you pay the ransom, you’re likely to get your files back?

Andrei Barysevich:

Yes, I would say yes because … And it’s a very good question because a couple of years ago, criminals didn’t even bother decrypting your files. So, you would pay them the ransom, but they would never decrypt your files, and it was generally accepted that even if you make the payment you won’t see your files back.

However, criminals quite early recognized that people started to pay less and less money, less often, and they had to fix the bad reputation they created for themselves. So, as of right now, yeah, most likely you will get your files back. The only reason why the decryptor might not work, if there was a flaw in the malware itself — however, criminals always watch for bugs like that and they do everything they can to fix them as soon as possible.

Dave Bittner:

So Karmen has some interesting behaviors where, sort of what it will do if it sees certain conditions on your computer.

Andrei Barysevich:

That’s correct. So, criminals also know that security researchers will attempt to get a sample of malware, and the most common approach of researching and investigating the malware is to run it on a secure environment such as Sandbox or a virtual machine.

The Karmen malware will actually recognize that there is an attempt of launching the file on the safe machine, on the safe environment, and it will immediately trigger the self-destruction of a decoder from your computer. So, essentially it’s a protection from security researchers.

Dave Bittner:

How does Karmen compare to the other ransomware malware that’s out there?

Andrei Barysevich:

Well, almost every ransomware is pretty much the same. The concept is very similar, the process is very similar. The most common difference will be in the control panel, which allows criminals to designate the price for a particular geographical region, the extensions of files that will be encrypted because in some cases, not every file could be encrypted on your computer or will be encrypted. But say, criminals might choose to only encrypt Excel files or pictures. All of that is viewable and manageable through a control panel, and fairly simple variance of ransomware either don’t have any control panels, or they will have a very rudimentary panel.

In the case of Karmen, the control panel is fairly robust, and this is why criminals actually … Who’s behind this malware is charging the money, because he built a fairly robust and very flexible control panel. So, it’s, I would say it’s not super advanced ransomware all in all, especially if we compare it to much more powerful Spora ransomware, which allows you to have a built-in chat where you can actually send messages to your victims, and reply to them. But yet, it’s still above the low-level ransomware which we can see sometimes being sold for $30.

Dave Bittner:

What is the selling price of Karmen?

Andrei Barysevich:

As of right now, price is $175. However, the criminal behind Karmen is actually building the third version of Karmen, and he announced that the price of the next version will be $300.

Dave Bittner:

And what’s the justification for the price increase?

Andrei Barysevich:

I would say demand; that would be the first one. And then, they also have to understand that there’s ongoing maintenance costs involved. So, they see sometimes when they price a product like that, they underestimate how much time it’s going to take them to support and develop even further the product going forward, so it’s very likely that down the road, that the cost of the malware will be increased and this is what happens in Karmen ransomware.

Dave Bittner:

What level of sophistication would I need to have to be able to use Karmen? If I decided suddenly that I wanted to take on a life of crime and start locking up people’s computers, and Karmen was the way I wanted to do it, how sophisticated would I have to be?

Andrei Barysevich:

So, again, it all depends on how many people you’d like to infect. For example if you were at the company, and you don’t like your boss, and you really, really don’t like him, and you decide to infect the company’s network, it will be exceptionally simple for you to infect the whole network with Karmen ransomware.

For example, if you decide to infect thousands of people, random people, that would require you to launch a more massive spam campaign, and for that you can actually find different vendors underground that will help you to start the malware campaign. So, some vendors even can guarantee the number of installations they will provide for you. So essentially … I can’t remember exactly how much they charge at the moment, but I would say anywhere between 50 cents to $1 per installation. So, let’s say you’d like to infect 1,000 computers, you just pay someone underground $1,000, and they can guarantee that they will infect up to 1,000 computers; random computers.

So in this case, you don’t have to have any knowledge in how to operate Karmen ransomware. All you have to do is set up the control panel, give the payload to a spammer, and they will send out tons of emails to potential victims on your behalf.

Dave Bittner:

So, Karmen is derived from the Hidden Tear open source ransomware project; is there a decryptor available for Hidden Tear?

Andrei Barysevich:

Yes, in the beginning when Hidden Tear was built, there was a flaw in the algorithm which will allow a fairly painless decryption of all files. However, in the case of Karmen, the developer stated that that feature has been ― or that vulnerability ― has been patched.

So, from what we know as of right now, there’s no decryptor available to decrypt files infected by Karmen. But there is a decryptor for Hidden Tear project.

Dave Bittner:

It’s interesting to me that the author of Karmen limited the number of installations that they were selling. Is this a typical behavior when people are selling these kinds of wares?

Andrei Barysevich:

I would say yes. The reason is fairly simple; as I previously mentioned, the job is not done after a ransomware or any malware is sold. The developer must maintain the project going forward, and with more people. If he sells it to many people, then it will be much harder for him to maintain a quality level of the support going forward. So, they always try to find the balance between the number of copies they sell, and the quality of service they’ll be able to provide going forward. ‘Cause rarely do we see teams of hackers working on the same project — it’s usually one or two or three guys, one of them might be a developer, and the other one might be a graphic designer, and the last one might be customer support. So, obviously, if you sell it to a few hundred people, it’s impossible to provide quality and timely service to all these people. And eventually, complaints will start piling up, and credibility will start falling down on all ― falling on criminal forums, and eventually they’ll get banned.

So, that explains the reason why they choose to limit the number of copies available to potential buyers.

Dave Bittner:

It’s interesting that even among bad guys, reputation is important.

Andrei Barysevich:

Oh, definitely reputation is everything. Because like in any business, you have to… especially in the criminal business, the three things which are very important to them to succeed in this career, you have to have a reputation and it takes a very long time to build it. Then you have to have a network of people; you have to know people, and people have to trust you. And you have to have a startup capital. So, it takes a very long time to build all these three crucial pillars for them, to really progress in criminal underground. But it’s very easy for them to be destroyed. As soon as unhappy customers start to complain, it’s very easy to lose that credibility.

But, I’d like to point out that although it seems like a fairly cheap and affordable product, $175 is obviously not $1,000, and if we multiply it even by 20 copies, it’s only $3,500.

We’ve heard people asking us, “does it even make sense for them to sell it for that cheap?” I mean it’s only $3,500 all in all. But that’s not all; we have to remember that to infect systems on daily basis, they have to make sure, customers, they have to make sure that the payload, the file that will be sent to potential victims have to be obfuscated from antivirus detection. It has to be done daily.

On average, the cost of obfuscation of the file is anywhere between $10 to $20. So if you have 20 customers, and each of them is paying you $10 every day to obfuscate payload, criminal will be making roughly $200 at least. If he charges let’s say $20, now it’s at $400. Now, if you multiply it by 30 days, we can easily see that he’ll be making anywhere between $6,000 to $12,000 on support of this project alone.

Dave Bittner:

I see, so you buy the product, you buy Karmen, but then there are ongoing support prices as you go?

Andrei Barysevich:

Exactly.

Dave Bittner:

How often do these people get arrested-

Andrei Barysevich:

(laughs)

Dave Bittner:

How often do they get caught?

Andrei Barysevich:

Okay, so if we look at the general number of people involved in cybercrime, and the number of people that’ve been arrested in recent years, it seems very small. However, we have to understand that law enforcement always must prioritize and there’s no way for them … they can’t go and build a case and go after every single cybercriminal, they have to pick the most notorious, the most effective criminals, and they do get arrested. We know that today, Roman Seleznev, who is considered one of the baddest credit card thieves in the world will be sentenced in the United States. He’s facing all the way up to 30 years in jail. So we know that really big hackers, and really big cybercriminals, very often get arrested. It just takes a long time for law enforcement to track them down.

Dave Bittner:

So the person behind Karmen, would they be considered a small-time operation?

Andrei Barysevich:

I would say that not at the moment. He’s probably already … (laughs) He’s not a small fish anymore, because right now, his product attacks probably thousands of people every day. This is where law enforcement will deem him to be a highly important target.

Dave Bittner:

My thanks to Andrei Barysevich for joining us today.

Before we let you go, don’t forget to sign up for the Recorded Future Cyber Daily email, where everyday you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

You can also find more intelligence analysis at recordedfuture.com/blog.

We hope you’ve enjoyed this show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette, the show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.