Profit with just one infection! Crook sells ransomware for $175

Cybercrooks have begun retailing a new easy-to-use ransomware strain that promises profit with only one successful infection. Karmen is being sold on Dark Web forums from Russian-speaking cyber-criminal DevBitox for $175. The new ransomware-as-a-service variant offers a graphical dashboard, allowing purchasers to keep a …

  1. m0rt

    "Keeping up-to-date backups would obviate the need to cave into such demands, and remains the best strategy for safeguarding against ransomware infection."

    Jim Sensenbrenner offers an alternate safeguarding method.

    1. Paul Crawford Silver badge

      Backups also help for other problems like: hardware failure, lost/stolen machine, user deleting something and wanting it back days later, having a moment of "gross administrative misconduct" at the root prompt, etc...

      1. Anonymous Coward

        Of course, if the malware gets sneaky and goes after the backups first, and they need to be online at some point in order to receive the backups...

        1. Paul Crawford Silver badge

          Yes, but a proper backup system comes in to your PC, so you don't have any access rights (normally) on the backup system. After all, if your admin rights are compromised on the PC in the first place to run the nastier sorts, then it can go after backups as well.

          Of course, without any backup there is nothing stopping your account from permanently trashing your own files, which is one of the key reasons ransomware works - you don't need a sneaky zero-day privilege escalation, simply the ability to trick the user into executing something by ANY means.

          Setting user-writeable areas to no-execute may be a useful step...

          1. Peter2 Silver badge

            Of course, if the malware gets sneaky and goes after the backups first, and they need to be online at some point in order to receive the backups...

            Ah, well done. You've just mentally constructed the argument against online-only backups and lack of separation.

            This is why many of us simply kept using those horribly unfashionable and uncool tape drives that the company had already paid for, and simply continued to feed them tapes every day. As a result, many of us have several weeks' worth of full backups with archived tapes dating back literally years stored offline and offsite, so we just sort of look bemusedly at people who have these problems.

            1. Charles 9

              But many types can't keep archives that long and eventually have to cycle. That's when it gets you.

            2. DaLo

              "...we just sort of look bemusedly at people who have these problems"

              Others realise that they need greater RPO/RTO than tapes can deliver, need more flexibility, capacity, less manual intervention for a lower cost and want to be able to mount backups as VMs anywhere near instantly and get better than a simple verify check to ensure that their backups are consistent and databases mountable.

              It is those people who look bemusedly at people who use tapes as a daily backup and not as an archiving tool and use a well configured, redundant and secure disk based backup system.

  2. Evil Auditor Silver badge

    Backups

    Recently at a client, I ask how they organised backups. "We have a perfect solution! Our data is backed up immediately: it's mirrored to our second data centre location. So we even have it stored off-site."

    Muhahahahah, I think, while sending them a certain attachment. And I provide advice to those very receptive client's ears on the risks and how to do backups properly.

    1. Paul Crawford Silver badge

      Re: Backups

      RAID (or replication) != Backup

      Exactly, it deals with service continuity in the event of hardware failures, etc. Not against deliberate trashing (though regular snapshots on replicated storage go a long way towards it).

  3. Mike Moyle

    "Karmen automatically deletes the decryptor if a sandbox environment or analysis software is detected on the victim's computer..."

    So, what sort of analysis software? Is it bespoke and proprietary to the security vendors or is it likely to be included in the average AV software?

    Because, if the latter, it sounds like keeping it running in the background provides an added insurance policy against infection (along with backups, of course).

    1. Charles 9

      They're talking physical honeypots: bait computers set up to catch malware in order to analyze it. Karmen's obviously designed to be honeypot-resistant, probably by performing something a honeypot MUST catch or there's a risk of the honeypot itself being subverted. If it's trapped, the malware knows there's a honeypot. VMs are another way to do honeypots which is why VM detectors are now standard fare (and unfortunately, extremely difficult to fool thanks to physical limitations that can be detected by things like external timing attacks).

      1. Paul Crawford Silver badge

        Which is another good reason to run Windows in a VM!

        That and not having to re-license it if the motherboard dies, etc.

        And the ability (in some cases) to snapshot the VM before doing anything potentially damaging.

        1. Charles 9

          But many of us can't run Windows in a VM because we run apps with high RAM demands (leaving little for the host) or heavy 3D work which doesn't virtualize well.

  4. Number6

    So what we need is a file system that doesn't delete files, it just creates a new version. Just like DEC used to do with VMS. That way you'd find all your files have been encrypted but the malware wouldn't be able to remove the pre-encryption files which could then be restored once the malware was purged.

    Anyone know if there's a mature Linux file system that does this?

    1. Paul Crawford Silver badge

      Depends on how 'mature'.

      Btrfs supports snapshots and is supposed to be production ready now. ZFS works well but you have the licensing issues (if you care) and again you get copy-on-write snapshots so they take little space for most (i.e. non-changing) files.

      So try one of those and set up a cron job for snapshots. FreeNAS offers that in the GUI as it uses ZFS, but you have to make sure you tell it to do the whole file system tree - so check it is actually snapshotting what you expected!
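The "check it is actually snapshotting what you expected" advice above, turned into a small checkable script as an added example (not from any commenter): it takes a ZFS-style dataset listing and snapshot listing, reports datasets with no snapshot for today, and lists snapshots beyond a per-dataset retention count. The `dataset@auto-YYYY-MM-DD` naming convention and the sample listings are constructed; the script never calls `zfs` itself, so its output is for a human or a wrapper cron job to act on.

```shell
#!/bin/sh
# Added example: verify cron-driven snapshot coverage and pick prune candidates.
# Assumes snapshots are named dataset@auto-YYYY-MM-DD (constructed convention).

# Print each dataset in $1 (newline-separated) that has no snapshot in $2 for date $3.
# A dataset missing here is one the cron job is NOT protecting against file trashing.
missing_today() {
  datasets=$1; snapshots=$2; today=$3
  printf '%s\n' "$datasets" | while IFS= read -r ds; do
    [ -n "$ds" ] || continue
    if ! printf '%s\n' "$snapshots" | grep -qxF "${ds}@auto-${today}"; then
      printf '%s\n' "$ds"
    fi
  done
}

# Print snapshots from $1 that fall outside the retention window: for every dataset,
# keep the newest $2 snapshots (names sort by date) and emit the older ones.
prune_candidates() {
  snapshots=$1; keep=$2
  printf '%s\n' "$snapshots" | sort | awk -F'@' -v keep="$keep" '
    NF == 2 { n[$1]++; s[$1, n[$1]] = $0 }
    END { for (d in n) for (i = 1; i <= n[d] - keep; i++) print s[d, i] }' | sort
}

# Constructed sample listings standing in for `zfs list -H -o name` output.
SAMPLE_DATASETS='tank/home
tank/srv
tank/scratch'
SAMPLE_SNAPSHOTS='tank/home@auto-2017-04-17
tank/home@auto-2017-04-18
tank/home@auto-2017-04-19
tank/srv@auto-2017-04-18'

# Stand-alone run: report gaps for the constructed "today" and what a 2-snapshot
# retention policy would drop. Nothing is destroyed; a wrapper would act on this.
echo "Datasets without a snapshot for 2017-04-19:"
missing_today "$SAMPLE_DATASETS" "$SAMPLE_SNAPSHOTS" 2017-04-19
echo "Snapshots older than the newest 2 per dataset:"
prune_candidates "$SAMPLE_SNAPSHOTS" 2
```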

  5. Anonymous Coward

    Oh FFS

    Would it kill anyone to put some actual details of the crypto/ransomware in the article?

    Platform? I'm guessing Windows

    Attack vector? Office document macros, drive-by vulnerability, trojan, malvertising? What?

    Such details are important to people whose job it is to keep systems working. An online search mainly gives you a long list of advertisers who are cross posting info to score higher on sites like Duck Duck Go (as opposed to paying Google for being first in the search list) but no actual data on attack vectors in use.

    All I found so far is "The malware is .NET dependent and requires PHP 5.6 and MySQL." - which seems to suggest that having MS code on a Linux platform is not one of the best ideas ever, but that isn't news either.

    I have no idea what possessed the original researcher Utku Sen to put the working basics for this online ("hidden tear"), but IMHO he deserves to get sued into the ground for the consequences.
