While performing our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a ransomware group known as KARMA, which encrypts files on the victim’s machine and appends the .KARMA extension to the encrypted files. Subsequently, the Threat Actors (TAs) demand that the victims pay a ransom for the private key needed to recover their data.
Based on analysis by Cyble Research Labs, we have observed that the executable payload is a console-based application.
Figure 1 shows the execution flow of the Karma ransomware. After execution, the malware reads its command-line input, iterates over all A-Z drives, and excludes certain folders and file types from encryption. The ransomware then drops the ransom note, replaces the original file content with encrypted content, and appends the .KARMA extension.

Technical Analysis
Our static analysis found that the malware is a console-based x86 architecture executable written in C/C++, as shown in Figure 2.

After encrypting the files, the ransomware payload drops the ransom note named KARMA-ENCRYPTED.txt in various places in the victim’s machine, as shown in Figure 3.

In the above ransom note, the TAs list the support email IDs “JamesHoopkins1988@onionmail[.]org”, “Leslydown1988@tutanota[.]com” and “ollivergreen1977@protonmail[.]com”. The victims are asked to contact the attackers and pay the ransom in Bitcoin (BTC) to obtain the private decryption key.
After execution, the malware encrypts the files, appends the .KARMA extension to them, and drops the ransom note, as shown in Figure 4.

Upon execution, a Mutex with the name KARMA is created to ensure that only one instance of this ransomware is running at a time, as shown in Figure 5.

The malware payload uses the crypt32.dll library, a module used to implement certificate and cryptographic messaging functions in the CryptoAPI, as shown below.

As shown in Figure 7, the malware payload first retrieves the command-line string and checks whether the argument count is less than or equal to 1. If so, it creates one thread per logical drive present on the victim machine.
If the argument count is greater than 1, the malware checks whether the passed argument is a directory.
If it is a directory, the payload encrypts the directory and its contents. If the argument names a specific file instead, the malware encrypts that file.

The malware payload iterates through all possible A-Z drives on the Windows machine, verifies whether each one is a logical drive, and creates a thread for each logical drive it finds. Refer to Figure 8.

The malware excludes the folders listed in Table 1 from the encryption routine, as shown in Figure 9.
Folders |
All Users |
Program Files |
Program Files x86 |
Windows |
Recycle bin |
Table 1 Excluded Folders List

The malware excludes the file types listed in Table 2 from the encryption routine, as shown in Figure 10.
File Type | Description |
.EXE | Executable |
.DLL | Dynamic Link Library |
.INI | Initialization |
.URL | Uniform Resource Locator |
.LNK | Link |
Table 2 Excluded Files List

The malware first searches for specific folders, for example config.Msi on the C drive. If it locates these folders, it proceeds with further actions, as shown in Figure 11.

After finding the required folders, the malware creates the ransom note, as shown in Figure 12.

As seen in Figure 13, the malware generates a seed after creating the ransom note.

The malware reads the file content and writes the encrypted data back in its place, as shown in Figure 14.

Figure 15 shows the encryption routine performed by the malware.

After encrypting a file, the malware replaces the original content with the encrypted content and appends the .KARMA extension, as shown in Figure 16.
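The behaviour described above (the .KARMA extension, the KARMA-ENCRYPTED.txt note, and the exclusion lists in Tables 1 and 2) is enough to build a simple post-incident triage check. The following Python is an added example and not Cyble's code: it walks a directory tree, lists encrypted files and ransom notes, and flags any .KARMA file that the tables say the sample should have skipped, which would point at a variant or tampering. It assumes the on-disk spellings "Program Files (x86)" and "$Recycle.Bin" for two table entries and builds a constructed sample tree in a temporary directory.

```python
import os
import tempfile

RANSOM_NOTE = "KARMA-ENCRYPTED.txt"   # note name reported above
ENCRYPTED_EXT = ".KARMA"              # extension the sample appends
# Table 1 folders (lower-case); the "(x86)" and "$recycle.bin" spellings are assumed
EXCLUDED_FOLDERS = {"all users", "program files", "program files (x86)", "windows", "$recycle.bin"}
EXCLUDED_EXTS = {".exe", ".dll", ".ini", ".url", ".lnk"}   # Table 2

def original_name(path):
    """Recover the pre-encryption name by stripping the appended .KARMA suffix."""
    return path[:-len(ENCRYPTED_EXT)] if path.upper().endswith(ENCRYPTED_EXT) else path

def should_have_been_skipped(rel_path):
    """True if Tables 1/2 say the sample would not have encrypted this path."""
    parts = {p.lower() for p in os.path.normpath(rel_path).split(os.sep)}
    if parts & EXCLUDED_FOLDERS:
        return True
    return os.path.splitext(original_name(rel_path))[1].lower() in EXCLUDED_EXTS

def triage(root):
    """Walk root; list encrypted files, ransom notes, and hits contradicting the tables."""
    encrypted, notes, anomalies = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif name.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
                if should_have_been_skipped(os.path.relpath(full, root)):
                    anomalies.append(full)   # variant behaviour or tampering: inspect
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "anomalies": sorted(anomalies)}

def build_sample_tree():
    """Constructed victim tree (sample data, not a real infection); returns its root."""
    root = tempfile.mkdtemp(prefix="karma_triage_")
    layout = {
        "Users/alice/Documents/report.docx.KARMA": b"ciphertext",
        "Users/alice/Documents/KARMA-ENCRYPTED.txt": b"note",
        "Users/alice/tool.exe": b"MZ",          # spared per Table 2
        "Windows/notepad.exe.KARMA": b"odd",    # contradicts Tables 1 and 2
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Run `triage(build_sample_tree())` to see the constructed tree classified; on a real host point `triage` at the mounted volume instead.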

The TOR website hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/, shown in Figure 17, was present in the ransom note. In the contact section of the website, the TAs list two further email IDs, jeffreyclinton1977@onionmail[.]org and jackiesmith176@protonmail[.]com, which the victims can use to communicate with them to recover their data.

Conclusion
Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by TAs, besides implementing the requisite security best practices and security controls.
Ransomware victims are at risk of losing valuable data as a result of such attacks, resulting in financial loss and lost productivity. In the event that the victim is unable or unwilling to pay the ransom, the TA may leak or sell this data online. This will not only compromise sensitive user data in the case of banks, online shopping portals, etc., but it will also lead to a loss of reputation for the affected firm.
Cyble Research Lab is continuously monitoring KARMA’s extortion campaign and will keep our readers up to date with new information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow these suggestions given below:
- Conduct regular backup practices and keep those backups offline or on a separate network.
- Regularly perform vulnerability assessments of organizational assets, with priority given to those exposed to the internet.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Avoid using software cracks or keygens from torrent or third-party servers.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Initial Access | T1190 | Exploit Public-Facing Application |
Defense Evasion | T1112 | Modify Registry |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1135 | Network Share Discovery |
Impact | T1486 | Data Encrypted for Impact |
Impact | T1490 | Inhibit System Recovery |
Indicators of Compromise (IoCs):
Indicators | Indicator type | Description |
a63937d94b4d0576c083398497f35abc2ed116138bd22fad4aec5714f83371b0 | SHA256 | HASH |
hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/ | URL | URL |