Karmen Virus – Decrypt Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Karmen Virus – Decrypt Encrypted Files

This article aims to show you how to remove Karmen ransomware from your computer and restore encrypted files.

Two developers have been reported to be behind the Ransomware as a Service (RaaS) scheme, advertising Karmen ransomware – a Russian-speaking and a German hacker. These hackers have been reported to create a ransomware known as Karmen. The virus has been based on the Hidden Tear open source ransomware project and one of the devs was responsible to make the ransomware and while the other hacker created the other part of the development. The ransomware may already be in the wild, so if you have been infected by it, recommendations are to read the following material.

Threat Summary

Name

Karmen

TypeRansomware
Short DescriptionEncrypts important documents and other files on computers it infects. Asks for a ransom to be paid.
SymptomsThe victim may see a ransom note in the form of pop-up, called Karmen. In the pop-up are instructions on how to pay 175$ in BitCoin
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Karmen

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Karmen.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Karmen Ransomware – Infection Process

The distribution of the virus may be conducted via multiple different methods, the primary of which may be malicious e-mail attachments or distribution URLs that cause the infection.

These may be sent out in the form of legitimate-appearing messages that aim to convince inexperienced users that they are invoices or other important documents which should be opened. Upon opening, the user may become infected and the ransomware may drop multiple executable files on the computer, named:

  • joise.exe
  • N_karmen.exe
  • Build.exe

Karmen Virus – Infection Activity

Karmen ransomware is advertised to perform the following malicious actions on the computers compromised by it:

  • Encrypt files with the AES-256 encryption algorithm.
  • Able to encrypt discs and files.
  • Creates a separate BTC wallet for each of the victims.
  • Deletes it’s loader file.
  • Deletes the malware after the victim pays the ransom.
  • Keeps active connection with the command and control server.
  • Performs obfuscation techniques to avoid detection.
  • Keeps the file extensions of the encrypted files the same.
  • Performs a scan if it is ran on a Virtual Drive.

The command and control center and the dashboard of the ransomware is very user friendly:

The ransom note which the virus drops after infection is actually a pop-up named Karmen and has the following content:

File Encrypted!
All files are encrypted!
Please follow the mind. In order to get the key to decrypt send this amount to
our wallet Bitcoin.
Decrypt files automatically.
Interference with the program – can leave you without files.

Fortunately as it is based on the Hidden Tear ransomware project, the Karmen ransomware is decryptable. For the decryption instructions and how to remove it, keep reading this article.

Karmen Ransomware Variant – Decoding Instructions

The file-decryption process of HiddenTear ransomware is not as difficult, but you need to be prepared and do it from a safe computer that is powerful. Let’s begin!

Step 1: Download the HiddenTear BruteForcer by clicking on the button below and open the archive:

Download

HiddenTear Bruteforcer


1-hidden-tear-bruteforcer-download-sensorstechforum

Step 2: Extract the program onto your Desktop or wherever you feel comfortable to easily access it and open it as an administrator:

2-hidden-tear-bruteforcer-extract-sensorstechforum

Step 3: After opening it, you should see the main interface of the brute force. From there, choose “Browser Sample” to select a sample encrypted file of the type of ransomware you are trying to decrypt:

3-Hiddentear-sensorstechforum-bruteforcer-main-panel

Step 4: After this select the type of ransomware from the down-left expanding menu:

4-hidden-tear-choose-ransowmare-variant-sensorstechforum

Step 5: Click on the Start Bruteforce button. This may take some time. After the brute forcing is finished and the key is found, copy it and save it somewhere on your PC in a .txt file, you will need it later.

Step 6: Download the HiddenTear Decryptor from the download button below:

Download

HiddenTear Decrypter

Step 7: Extract it and open it, the same way with HiddenTear Bruteforcer. From it’s primary interface, paste the key copied from the BruteForcer, write the type of extension being used by the ransomware and click on the Decrypt button as shown below:

5-hiddentear-decrypter-password-decrypt-sensorstechforum

After these steps have been completed, you should immediately copy your files to an external device so that they are safe. After this has been done, we strongly recommend completely wiping your drives and reinstalling Windows on the affected machine.

HiddenTear Decryption – Conclusion

Viruses like the Karmen ransomware variant are becoming more and more common. Researchers, publish many projects online with the goal to stop ransomware and for educational purposes, but this represents an opportunity to coders that develop ransomware and either start infecting users with it or put it up for sale in the deep web. With the expanding of ransomware variants lately, we predict seeing even more infected systems in 2017 than the year 2016. This is why we advise you to follow our recommendations for securing your computer below:

Advice 1: Make sure to read our general protection tips and try to make them your habit and educated others to do so as well.
Advice 2: Install an advanced anti-malware program that has an often updated real-time shield definitions and ransomware protection.

Download

Malware Removal Tool


Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Advice 3: Seek out and download specific anti-ransomware software which is reliable.

Advice 4: Backup your files using one of the methods in this article.

Advice 5: : Make sure to use a secure web browser while surfing the world wide web.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.