Karmen has been identified a Ransomware-as-a-Service (RaaS) platform that is being advertised and sold for $175 on a Russian-language hacking forum. This RaaS is based on the Hidden Tear ransomware building software. Once customers purchase a membership to use Karmen to run a campaign, they can access its control panel through a website hosted on the Dark Web and customize various features such as the ransom price and contact email address, as well as monitor and maintain a list of victims, payments, and Bitcoin wallets. Karmen encrypts files using AES-256 and boasts the ability to detect analysis software, VMs, and sandbox environments. It also deletes its own loader and executable file after payment is received and deletes its decryption tool if a sandbox is detected on the infected system. RaaS variants such as Karmen provide a low barrier to entry by eliminating the need for technical knowledge in order to launch a ransomware campaign.

UPDATE 4/20/2017: A rebranded version of Karmen, named Mordor, is being sold on a Russian-language hacking forum.

UPDATE 8/5/2017: A new version, dubbed 3301 Ransomware, appends .3301 to the names of encrypted files.

  • Recorded Future provides more information about Karmen RaaS here.
  • Victims can contact security researcher Michael Gillespie via his Twitter page for a decryption tool or try using his free Hidden Tear decryption tool located here.