Two developers have been reported to be behind the Ransomware as a Service (RaaS) scheme, advertising Karmen ransomware – a Russian-speaking and a German hacker. These hackers have been reported to create a ransomware known as Karmen. The virus has been based on the Hidden Tear open source ransomware project and one of the devs was responsible to make the ransomware and while the other hacker created the other part of the development. The ransomware may already be in the wild, so if you have been infected by it, recommendations are to read the following material.
|Short Description||Encrypts important documents and other files on computers it infects. Asks for a ransom to be paid.|
|Symptoms||The victim may see a ransom note in the form of pop-up, called Karmen. In the pop-up are instructions on how to pay 175$ in BitCoin|
|Detection Tool|| See If Your System Has Been Affected by Karmen |
Malware Removal Tool
|User Experience||Join our forum to Discuss Karmen.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Karmen Ransomware – Infection Process
The distribution of the virus may be conducted via multiple different methods, the primary of which may be malicious e-mail attachments or distribution URLs that cause the infection.
These may be sent out in the form of legitimate-appearing messages that aim to convince inexperienced users that they are invoices or other important documents which should be opened. Upon opening, the user may become infected and the ransomware may drop multiple executable files on the computer, named:
Karmen Virus – Infection Activity
Karmen ransomware is advertised to perform the following malicious actions on the computers compromised by it:
- Encrypt files with the AES-256 encryption algorithm.
- Able to encrypt discs and files.
- Creates a separate BTC wallet for each of the victims.
- Deletes it’s loader file.
- Deletes the malware after the victim pays the ransom.
- Keeps active connection with the command and control server.
- Performs obfuscation techniques to avoid detection.
- Keeps the file extensions of the encrypted files the same.
- Performs a scan if it is ran on a Virtual Drive.
The command and control center and the dashboard of the ransomware is very user friendly:
The ransom note which the virus drops after infection is actually a pop-up named Karmen and has the following content:
All files are encrypted!
Please follow the mind. In order to get the key to decrypt send this amount to
our wallet Bitcoin.
Decrypt files automatically.
Interference with the program – can leave you without files.
Fortunately as it is based on the Hidden Tear ransomware project, the Karmen ransomware is decryptable. For the decryption instructions and how to remove it, keep reading this article.
Karmen Ransomware Variant – Decoding Instructions
The file-decryption process of HiddenTear ransomware is not as difficult, but you need to be prepared and do it from a safe computer that is powerful. Let’s begin!
Step 1: Download the HiddenTear BruteForcer by clicking on the button below and open the archive:
Step 2: Extract the program onto your Desktop or wherever you feel comfortable to easily access it and open it as an administrator:
Step 3: After opening it, you should see the main interface of the brute force. From there, choose “Browser Sample” to select a sample encrypted file of the type of ransomware you are trying to decrypt:
Step 4: After this select the type of ransomware from the down-left expanding menu:
Step 5: Click on the Start Bruteforce button. This may take some time. After the brute forcing is finished and the key is found, copy it and save it somewhere on your PC in a .txt file, you will need it later.
Step 6: Download the HiddenTear Decryptor from the download button below:
Step 7: Extract it and open it, the same way with HiddenTear Bruteforcer. From it’s primary interface, paste the key copied from the BruteForcer, write the type of extension being used by the ransomware and click on the Decrypt button as shown below:
After these steps have been completed, you should immediately copy your files to an external device so that they are safe. After this has been done, we strongly recommend completely wiping your drives and reinstalling Windows on the affected machine.
HiddenTear Decryption – Conclusion
Viruses like the Karmen ransomware variant are becoming more and more common. Researchers, publish many projects online with the goal to stop ransomware and for educational purposes, but this represents an opportunity to coders that develop ransomware and either start infecting users with it or put it up for sale in the deep web. With the expanding of ransomware variants lately, we predict seeing even more infected systems in 2017 than the year 2016. This is why we advise you to follow our recommendations for securing your computer below:
Advice 1: Make sure to read our general protection tips and try to make them your habit and educated others to do so as well.
Advice 2: Install an advanced anti-malware program that has an often updated real-time shield definitions and ransomware protection.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Advice 3: Seek out and download specific anti-ransomware software which is reliable.
Advice 4: Backup your files using one of the methods in this article.
Advice 5: : Make sure to use a secure web browser while surfing the world wide web.