Michael Heller / Source: SearchSecurity
Security researchers have discovered a new ransomware-as-a-service offering being sold on the dark web with several unusual features.
Researchers at threat intelligence company Recorded Future of Somerville, Mass., first became aware of the Karmen ransomware in March, but saw infections as early as December in the U.S. and Germany. About 20 copies of the ransomware are known to have been sold so far.
“The Karmen malware derived from ‘Hidden Tear,’ an open source ransomware project, available for purchase by anyone,” Diana Granger, technical threat analyst for Recorded Future, wrote in a blog post. “As is typical for ransomware infections, Karmen encrypts files on the infected machine using the strong AES-256 encryption protocol, making them inaccessible to the user and may trigger a ransom note or instructions demanding that the user pay a large sum of money to obtain the decryption key from the attacker.”
Granger also noted that Karmen includes an unusual feature: “it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.”
Andrei Barysevich, director of advanced collection at Recorded Future and author of the Karmen report, told SearchSecurity this functionality is “not very common.”
“This type of ransomware that deletes its own decryptor if a sandbox is detected is not prevalent,” Barysevich said. “We’ve seen this previously, but most ransomware currently available does not have this feature built in.”
Travis Smith, senior security research engineer at Tripwire, said this would be an effective way for malware to evade security researchers.
“When you look at something like ransomware, it will be targeted towards end-user environments, which are running on physical hardware. Detecting a virtual environment is a quick and easy way to try and hide from security researchers,” Smith told SearchSecurity. “A step beyond that is looking for the presence of tools which security researchers are using to inspect the malware, such as IDA or WinDbg, which are not…
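To make the two checks Smith describes concrete, the following Python is an added example written for this article, not code from the Karmen sample or from Recorded Future. It reproduces the kind of heuristic a sandbox-aware ransomware family would run: look for analysis-tool process names such as IDA and WinDbg, look for hypervisor MAC address prefixes, and look for virtual-machine hardware vendor strings. The tool names, OUI prefixes, vendor strings and the three host snapshots are all constructed assumptions; the point for an analyst is to see how little it takes to trip the check, and how little it takes to defeat it.

```python
"""
Sandbox / analysis-environment heuristics of the kind described in the article.
Constructed example: the indicator lists and host snapshots below are assumptions,
not artifacts recovered from Karmen.
"""
from __future__ import annotations

from dataclasses import dataclass

# Process image names commonly associated with malware analysis (assumed list).
ANALYSIS_PROCESSES = {
    "ida.exe", "ida64.exe", "idaq.exe", "idaq64.exe",            # IDA
    "windbg.exe", "x32dbg.exe", "x64dbg.exe", "ollydbg.exe",     # debuggers
    "procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe",
    "wireshark.exe", "fiddler.exe", "regshot.exe",
}

# First three octets (OUI) of MAC addresses that hypervisors hand to guests (assumed list).
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}

# Substrings of SMBIOS manufacturer/product strings that betray a VM (assumed list).
VM_VENDOR_STRINGS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "bochs", "virtual machine")


@dataclass
class HostSnapshot:
    """What the check would gather from the host: process list, NIC MACs, SMBIOS strings."""
    processes: list[str]
    mac_addresses: list[str]
    system_manufacturer: str
    system_product: str


def analysis_indicators(snap: HostSnapshot) -> list[str]:
    """Return a human-readable reason for every indicator that fires (empty list = looks like a real user)."""
    reasons: list[str] = []

    running = {p.lower() for p in snap.processes}
    for tool in sorted(running & ANALYSIS_PROCESSES):
        reasons.append(f"analysis tool running: {tool}")

    for mac in snap.mac_addresses:
        oui = mac.lower().replace("-", ":")[:8]          # normalise "08-00-27-.." and "08:00:27:.."
        if oui in HYPERVISOR_OUIS:
            reasons.append(f"NIC OUI {oui} belongs to {HYPERVISOR_OUIS[oui]}")

    vendor = f"{snap.system_manufacturer} {snap.system_product}".lower()
    for needle in VM_VENDOR_STRINGS:
        if needle in vendor:
            reasons.append(f"hardware vendor string mentions {needle!r}")
            break                                          # one hit is enough

    return reasons


def should_self_delete(snap: HostSnapshot) -> bool:
    """The Karmen-style decision: any indicator at all means 'being analysed', so destroy the decryptor."""
    return bool(analysis_indicators(snap))


# --- constructed host snapshots (not real telemetry) ---------------------------------
ANALYST_VM = HostSnapshot(
    processes=["explorer.exe", "x64dbg.exe", "procmon64.exe", "svchost.exe"],
    mac_addresses=["08:00:27:4A:1B:2C"],
    system_manufacturer="innotek GmbH",
    system_product="VirtualBox",
)

VICTIM_LAPTOP = HostSnapshot(
    processes=["explorer.exe", "outlook.exe", "chrome.exe"],
    mac_addresses=["3C:52:82:11:22:33"],
    system_manufacturer="Dell Inc.",
    system_product="Latitude 7420",
)

# Same analysis VM after the analyst renamed the tools, spoofed the NIC OUI and the SMBIOS strings.
HARDENED_VM = HostSnapshot(
    processes=["explorer.exe", "calc.exe", "notepad.exe", "svchost.exe"],
    mac_addresses=["3C:52:82:11:22:33"],
    system_manufacturer="Dell Inc.",
    system_product="Latitude 7420",
)

if __name__ == "__main__":
    for name, snap in [("analyst VM", ANALYST_VM), ("victim laptop", VICTIM_LAPTOP), ("hardened VM", HARDENED_VM)]:
        print(f"{name}: self-delete={should_self_delete(snap)} reasons={analysis_indicators(snap)}")
```

The hardened snapshot is the practical takeaway: every one of these indicators is a string comparison, so renaming the debugger binary, setting a physical-vendor OUI on the guest NIC and overriding the SMBIOS manufacturer and product strings is enough to keep a Karmen-style sample from discarding its decryptor while it runs under observation.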