Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

You Too Can Get Into the Ransomware Business – For Just $175!

April 25, 2017

Data Breach Today ® reported on April 19th that a Russian hacker has put together a low-end ransomware kit, called Karmen, that costs only $175. So if you're not a boy genius (or girl genius) and can't program but want to get into the lucrative ransomware business, it is very affordable to do so. Threat intelligence vendor Recorded Future was the source of the information about Karmen.

You may recall that the FBI has called ransomware a billion dollar a year business. Who wouldn't want a piece of that action?

Though the FBI and other law enforcement agencies counsel ransomware victims not to pay, if they haven't properly engineered their backups to recover the data, many say they have no choice but to pay. Payments (usually in bitcoin) used to be in the $300-$500 range but we are seeing much larger demands these days. Some entities are even stockpiling bitcoins so they can pay the cybercriminals quickly. Some entities make a business decision that the cost of paying the ransom is cheaper than being out of business for some period of time while data is recovered.

Ransomware as a service has been around for a while, but Karmen sure is cheap.

Some other ransomware as a service kits can be used for free, but kit users have to pay a share of profits to the developers. There must be something which tells the developers when the software is used and what the ransom was set at and when/if it was paid. Trust among criminals is pretty rare . . . though the article suggests that trust is how these systems operate. Hmmm, maybe, but I wouldn't count out programming that rats out people who don't pay up.

Karmen was first noted in March as a new gateway for would-be members of the very profitable ransomware industry. It strikes me that $175 is long way from getting a share of the profits – and how long until someone figures out how to detect/defeat Karmen?

Karmen differs from its predecessor, the open source Hidden Tear, which was developed for research purposes (you can see how well that went) and then abandoned. There is a free decrypter for Hidden Tear at the No More Ransom! website. There does not appear to be a decrypter for Karmen.

The developer of Karmen, who calls himself DevBitox, added a dashboard to manage ransomware campaigns, among other features. For example, DevBitox claims on an underground forum that the malware can automatically delete itself after a victim pays the ransom. Karmen also comes in two versions, a light and full version, the latter of which can also detect debuggers, virtual machines and sandboxes.

DevBitox has allegedly sold 20 copies of Karmen and is offering only five more before capping sales. At $175 each, that's a lousy return. I'm perplexed by the developer's motivation frankly, though I understand that selling malware that remains undetectable to security products requires almost daily modifications, through a process called obfuscation or "cleaning." If DevBitox acquires too many customers, perhaps defeating Karmen would become more of a goal – and if defeated, it would hurt the developer's reputation in the underground. I don't pretend to understand the strategies of these cybercriminals, some of whom seem content to make minimal returns on their labors.

The article talks about the need to serve and provide maintenance on the copies sold – I can't believe there will be a lot of that going on, but again, this is not the world in which I live. How much work would the developer do to protect his reputation in his netherworld?

At the moment, we have no reliable information about how Karmen spreads or how many victims it has ensnared. DevBitox's advertisement claims Karmen is FUD, meaning fully undetectable, which is the term applied to malware that can get past any security software or other anti-malware defenses. This is pretty much the standard claim. Whether it is true is impossible (currently) to verify.

One thing I do know for sure is that the number of victims we've consulted with who have contracted ransomware is rising. A formerly niggling disease has turned into a very expensive epidemic.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

You Too Can Get Into the Ransomware Business – For Just $175!

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer