Fending off Analysis, Ransomware will Cut Decryptor

Tuesday, April 18, 2017 @ 06:04 PM gHale

A variant of Hidden Tear ransomware is for sale on underground forums as a Ransomware-as-a-Service (RaaS), for as low as $175 and will delete its decryptor if a sandbox ends up detected, researchers said.

Called Karmen, the malware has been around since December 2016, when incidents cropped up in Germany and the United States. The threat, however, started its advertising campaign on underground forums in March.

New Ransomware Business Model
More Ransomware Decryption Tools Available
Ransomware Avoids Machine Learning
Ransomware Stars in Blank Slate Attack

After reviewing the malware, researchers at Recorded Future found it comes from the Hidden Tear open source ransomware. They also found out Karmen was using the AES-256 encryption protocol for the encryption of targeted files on the local machine.

Just like most ransomware, the threat displays a ransom note with instructions for the victim to pay a specific sum of money to obtain the decryption key. Unlike other similar threats, however, the malware automatically deletes the decryptor when detecting a sandbox environment or analysis software.

Those purchasing the ransomware have the option to change various settings courtesy of a control panel that doesn’t require advanced technical knowledge to operate. They can also track infected systems via a “Clients” page. A Dashboard offers information such as the number of infected machines, earned revenue, and available updates for the malware.

Karmen is a multi-threaded, multi-language piece of ransomware that supports .NET 4.0 and newer versions and features an adaptive admin panel, researchers said. The malware can encrypt all discs and files, automatically deletes the loader, and features sandbox, debugger, and virtualization detection. Karmen can delete itself after a victim pays the ransom, but also deletes the decryptor if it detects it is undergoing any kind of analysis.

The threat ends up sold in two versions. One includes obfuscation and autoloader, while the other also employs the anti-analysis detection capabilities.

Leave a Reply

You must be logged in to post a comment.