A new kind of highly-customized ransomware recently discovered by security researchers allows individual criminals to deliver "ransomware-as-a-service".
What sets this ransomware apart from other kinds of file-locking software is that criminals who buy this specialized malware, dubbed Karmen, can remotely control the ransomware from their web browser, allowing the attacker to see at-a-glance a centralized web dashboard of their entire ransomware campaign.
That dashboard allows the attacker to manage their fleet of infected victims' computers, such as by tracking how much money they've made. If this figure falls short, the attacker can then bump the price of the ransom they seek.
In other words, it's a "starter pack" for low-level criminals to engage in ransomware campaigns, said Andrei Barysevich, director of advanced collection at Recorded Future, who co-authored the report.
"For $175, any script kiddie can carry out ransomware attacks," he said on the phone.
The researchers at Recorded Future, the threat intelligence provider who discovered the malware and have a commercial stake in the space, say that Karmen has been adapted from the abandoned open-source ransomware dubbed Hidden Tear. Besides the fact that it's open source and anyone can use it, the malware itself is unremarkable. It does what it promises: it locks up the victim's files and disks with tough AES-128 encryption, and demands bitcoin as a ransom.
But Karmen adds a modern twist to the abandoned ransomware.
The researchers say that the sole seller of the ransomware, a Russian hacker and developer named "DevBitox" who is motivated by financial gain, created the web-based back-end that makes it easier for attackers to make money.
Each buyer has to set up their own web-based infrastructure, which includes a PHP server running a MySQL database, allowing the attacker to remotely control each infection, like the price of the ransom and the password for each decryption.
DevBitox has also reportedly adapted the open-source malware to include a built-in defense mechanism that detects if the ransomware is run inside a virtual machine, or whether debuggers and analyzing software are found on the system. This then triggers an automatic deletion of the decryptor -- essentially nuking any chance of getting any locked files back.
The seller has probably made a few thousand dollars from what was essentially free ransomware, but he's able to make more, said Barysevich.
"The seller offers some limited support, including up to three file cleanings," he said. Barysevich explained that the buyers will receive the full software package, including the web-based dashboard and the malware used for delivering the ransomware, a tiny 12-kilobyte file that can be attached as an email.
But the hacker will also provide "support" for his product. Because those payload-packed files will periodically get detected by antivirus engines and rejected, each buyer gets three bangs for their buck -- the hacker will rebuild the malicious file to obfuscate it better, and send it along to evade the antivirus engines.
For wider attack campaigns, the individual attacker will need to buy more from the seller.
That little bit of money adds on to that "as-a-service," said Barysevich.
So far, only a handful of buyers -- just 20 at the time of writing -- have bought Karmen, according to the researchers, and while three of those have left positive reviews on the seller's profile, their identities aren't known.
Ransomware-as-a-service lowers the barrier for criminals to enter the space, and it's only getting more popular.
Earlier this year, the Satan malware allowed low-skilled criminals to carry out ransomware attacks by using someone else's code -- and in return, the developer would take on subscription payments. Ransomware developers can easily scrape 30 percent return on all revenues generated by cyberattacks.