Karmen Ransomware

Posted: March 16, 2017
Threat Metric
Threat Level: 10/10
Infected PCs: 148

Karmen Ransomware Description

The Karmen Ransomware is believed to be a member of the Hidden Tear family of Trojans, a project originally made to demonstrate the attack capabilities of file-encrypting threats. Since the Karmen Ransomware includes functional file-encrypting attacks, fully recovering any content it locks may be difficult without backups that the original infection did not affect. Most PC users should protect themselves by using anti-malware tools that can delete the Karmen Ransomware before its installation can happen.

Trojans with Ransoms that Know No National Boundaries

Although it's not an absolute rule, threat authors often prefer to target their attacks narrowly against specific nationalities or particular organizations, such as a business. Some threat actors, by contrast, occasionally implement cross-national features in their products, as in the latest suspected byproduct of Hidden Tear. The newly confirmed Trojan, the Karmen Ransomware, increases its chances of collecting ransom money by delivering messages in different languages that the victim can select.

The Karmen Ransomware may enumerate both local and network-shared drives in its scans for files to encrypt, a feature that shows no symptoms while it runs. It uses an encryption algorithm such as AES-128 to lock files, excluding the ones required by Windows, and uploads the key for decoding them to a Command & Control server. The '.grt' extension that the Karmen Ransomware appends to each filename lets the victim identify the affected content without opening each file individually.

Lastly, the Karmen Ransomware generates a pop-up ransom message that malware researchers have deemed unique to this campaign, for now. The window offers the message in German or English, along with Bitcoin-based fields for the payment amount and the con artist's address. Because these people don't always honor these 'agreements' for purchasing a decryptor, malware experts advise against paying any ransom to the Karmen Ransomware, which a variety of potentially unreliable threat actors can administer.

A PC Security Problem for Hire to Any Interested Party

The Karmen Ransomware is part of the Ransomware-as-a-Service (RaaS) business model within the threat black market, which means that other threat actors can pay fees (either upfront or as a percentage of the ransom money) to operate this Trojan. This business model makes the Karmen Ransomware's infection vectors theoretically as variable as the types of con artists who pay to use it. Attacks of a similar nature often exploit weak passwords, poorly managed RDP settings, and e-mail spam to install file-encrypting Trojans like the Karmen Ransomware.

The files that Hidden Tear-based Trojans block can sometimes be decrypted, although a free decryption solution is never guaranteed. PC users without any backups available should contact an appropriate cyber security specialist for help with any possible data recovery. Malware experts also still encourage keeping backups in locations such as USB drives and cloud networks, which are much less at risk of being damaged.

Removing the Karmen Ransomware and Trojans like it can only be a sure defense against data loss when you do it by preventative means. Those who use computers in their daily lives without taking any steps to protect them remain sources of profit for con artists who don't need to know programming to aim threats like weapons.


Technical Details

Registry Modifications


The following Registry values are newly created:

Registry key
Software\Microsoft\Windows\CurrentVersion\Run\DecryptFiles
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DecryptFiles
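
The two host indicators this page names, the 'DecryptFiles' Run values and the '.grt' extension, can be checked together with a short PowerShell script. This is an added example, not part of the original write-up; the hives searched (HKCU and HKLM) and the default scan root are assumptions, since the page lists only the subkey paths.

```powershell
# Added example: look for the indicators listed on this page.
# Assumption: the page does not name the hive, so HKCU and HKLM are both checked.
$RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$ValueName = 'DecryptFiles'   # Run value name from the page
$LockedExt = '.grt'           # extension from the page

function Get-KarmenRunValue {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($sub in $RunSubKeys) {
            $key = "$hive\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            # Returns $null when the key holds no values at all.
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            if ($null -ne $props -and $props.PSObject.Properties.Name -contains $ValueName) {
                [pscustomobject]@{
                    Key  = $key
                    Name = $ValueName
                    Data = $props.$ValueName   # what the Run entry would start at logon
                }
            }
        }
    }
}

function Get-KarmenLockedFile {
    # Assumption: the user profile is a reasonable default root; pass other roots as needed.
    param([string[]]$Root = @($env:USERPROFILE))
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -Force -Filter "*$LockedExt" -ErrorAction SilentlyContinue |
            # -Filter can also match longer extensions via 8.3 names, so compare exactly.
            Where-Object { $_.Extension -eq $LockedExt } |
            Select-Object FullName, Length, LastWriteTime
    }
}

$runHits  = @(Get-KarmenRunValue)
$fileHits = @(Get-KarmenLockedFile)

$runHits  | Format-Table -AutoSize -Wrap
$fileHits | Sort-Object LastWriteTime | Select-Object -First 20 | Format-Table -AutoSize
'Run values found: {0}; files ending in {1}: {2}' -f $runHits.Count, $LockedExt, $fileHits.Count
```

Both functions only read; a hit on either check is a reason to isolate the host and preserve the Run value's data and file timestamps before any cleanup.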