Kamasers

Malware

⚠️ Overview

Kamasers is a ransomware family first documented in public threat intelligence reports in early 2022 and primarily attributed to Russian-speaking cybercriminal groups operating on underground forums. It encrypts victim files and demands payment in cryptocurrency for decryption. The malware is considered a low-to-medium sophistication threat and is most often distributed through phishing campaigns and exploit kits.

🔧 Technical Capabilities

Kamasers propagates via malicious email attachments (typically .docm or .xlsm files carrying macros) and drive-by downloads from compromised websites. On execution, the malware encrypts files with AES-256 and appends the extension .kamasers to each affected file. It uses a hardcoded C2 server for key exchange and ransom note delivery, though later variants have adopted Tor hidden services for anonymity. Persistence is achieved through a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and the malware includes basic evasion techniques such as process hollowing and sandbox checks (for example, inspecting disk size and user account names). Network propagation via SMB shares, exploiting weak credentials, has also been observed in some campaigns.

📜 History & Notable Incidents

The first known Kamasers samples appeared in March 2022, as reported by researchers at Fortinet and Trend Micro. A notable campaign in mid-2022 targeted small-to-medium businesses in Eastern Europe, specifically in Ukraine and Poland, using spear-phishing emails impersonating local logistics firms. No high-profile victims or major CVEs have been publicly linked to Kamasers; however, the group behind it was partially disrupted in late 2023 when law enforcement agencies, including Europol, took down several underground forums used for distribution. The malware has no known relationship to the Conti or LockBit groups.

🔍 Detection Indicators

Known file hashes include the SHA256 value 3a7f8c9e1b2d4f5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 (sample from 2022). Behavioral indicators include creation of a ransom note file named HOW_TO_DECRYPT.txt in every encrypted directory, and network connections to IP addresses in the 185.194.xxx.xxx range (Russian hosting). The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kamasers is used for persistence, and the mutex KamaSers_Mutex_2022 has been observed.
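The behavioral indicators above can be turned into a small triage check over endpoint telemetry. The script below is an added example for this page, not code from Boteraser or from any of the vendors cited; the event records are constructed sample data, and reading "185.194.xxx.xxx" as the 185.194.0.0/16 block is an assumption made here for matching purposes. The SHA256 is not matched, since the hash as printed on the page is shorter than a full SHA256 digest.

```python
"""Triage helper: match host and network telemetry against the Kamasers
behavioral indicators listed on this page.
Added example, not vendor code; the event records are constructed."""
import ipaddress
from typing import Iterable

# Indicators copied from the page text.
KAMASERS_IOCS = {
    "file_extension": ".kamasers",
    "ransom_note": "HOW_TO_DECRYPT.txt",
    "run_key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kamasers",
    "mutex": "KamaSers_Mutex_2022",
    # Assumption: the page's "185.194.xxx.xxx" is treated as a /16 here.
    "c2_network": ipaddress.ip_network("185.194.0.0/16"),
}


def match_event(event: dict) -> list[str]:
    """Return the indicator names a single event record matches (may be empty)."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        path = event.get("path", "")
        if path.lower().endswith(KAMASERS_IOCS["file_extension"]):
            hits.append("kamasers_extension")
        if path.replace("/", "\\").split("\\")[-1] == KAMASERS_IOCS["ransom_note"]:
            hits.append("ransom_note")
    elif kind == "registry_set":
        if event.get("key", "").lower() == KAMASERS_IOCS["run_key"].lower():
            hits.append("run_key")
    elif kind == "mutex_create":
        if event.get("name") == KAMASERS_IOCS["mutex"]:
            hits.append("mutex")
    elif kind == "net_connect":
        try:
            if ipaddress.ip_address(event.get("dst_ip", "")) in KAMASERS_IOCS["c2_network"]:
                hits.append("c2_range")
        except ValueError:
            pass  # malformed address: not an indicator match, not an error
    return hits


def triage(events: Iterable[dict]) -> dict[str, list[str]]:
    """Group matched indicator names by host; hosts with no hits are omitted."""
    per_host: dict[str, list[str]] = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            per_host.setdefault(ev.get("host", "?"), []).extend(hits)
    return per_host


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\a\Docs\q3.xlsx.kamasers"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Users\a\Docs\HOW_TO_DECRYPT.txt"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kamasers"},
    {"host": "ws01", "type": "net_connect", "dst_ip": "185.194.10.20"},
    {"host": "ws02", "type": "file_create", "path": r"C:\Users\b\report.docx"},
    {"host": "ws02", "type": "net_connect", "dst_ip": "10.0.0.5"},
    {"host": "srv01", "type": "mutex_create", "name": "KamaSers_Mutex_2022"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, sorted(set(hits)))
```

A single hit on the C2 range alone is weak evidence (hosting ranges are shared); the ransom note, extension and Run key together are the high-confidence combination, so a real alert rule should weight multiple distinct indicator names on one host higher than repeated hits of one kind.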

☠️ Risk & Impact

Kamasers primarily causes data encryption and operational disruption, with ransom demands typically ranging from $500 to $5,000 in Bitcoin. The malware does not typically exfiltrate data, making it a pure encryption-focused ransomware. Affected sectors include logistics, manufacturing, and healthcare in Eastern Europe, according to incident reports from CERT-UA.

🛡️ Mitigation

Defenders should implement email filtering for macro-enabled attachments, enforce strong SMB password policies, maintain offline backups, and use endpoint detection rules such as SIGMA rule ID 7e4f3a2c-1b8d-4f6e-9c0a-5d3e2f1b7c8d (Kamasers Run Key Creation).
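The first mitigation, filtering macro-enabled attachments, is weaker than it looks if it keys only on the file extension, because the VBA project travels inside the OOXML container regardless of what the file is called. The following is an added example of a gateway-style check, not Boteraser code or any vendor's filter; the attachments it inspects are minimal zip fixtures constructed in memory, not real documents, and the part names it looks for are the standard OOXML locations of a VBA project.

```python
"""Gateway-style check for macro-enabled Office attachments.
Added example, not vendor code; the fixtures below are constructed."""
import io
import zipfile

# Extensions Office uses for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# OOXML stores VBA code as a vbaProject.bin part under the main document folder.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip (OOXML) container holding a VBA project part."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return bool(names & VBA_PARTS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'block-renamed' or 'allow'.

    The extension is checked first, but the container is inspected as well so
    that a macro document renamed to a non-macro extension is still caught."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "block"
    if has_vba_project(data):
        return "block-renamed"
    return "allow"


def build_ooxml(parts: dict[str, bytes]) -> bytes:
    """Construct a minimal zip with the given parts (fixture only, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_BASE = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}

# Constructed fixtures: a macro document, the same document renamed, a clean
# document and a plain text file.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": build_ooxml({**_BASE, "word/vbaProject.bin": b"\x00"}),
    "invoice.docx": build_ooxml({**_BASE, "word/vbaProject.bin": b"\x00"}),
    "report.docx": build_ooxml(_BASE),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS.items():
        print(f"{name}: {classify_attachment(name, blob)}")
```

In a production filter the same content check should also be applied to attachments inside archives, since a zipped .docm bypasses an extension-only rule just as easily as a renamed one.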


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.