{
	"id": "a48c8a76-6d68-4cc8-824b-5173d66aeef2",
	"created_at": "2026-04-06T00:07:33.94508Z",
	"updated_at": "2026-04-10T03:31:40.550461Z",
	"deleted_at": null,
	"sha1_hash": "157826e49831420347ec79496bb4a889e6154d7c",
	"title": "Cyble - ​A Deep-dive Analysis Of KARMA Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1899511,
	"plain_text": "Cyble - A Deep-dive Analysis Of KARMA Ransomware\r\nPublished: 2021-08-24 · Archived: 2026-04-05 12:38:54 UTC\r\nCyble Research Labs' deep-dive analysis of the KARMA ransomware.\r\nWhile performing our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a ransomware group known as KARMA, which encrypts files on the victim’s machine and appends the extension .KARMA to the encrypted files. The Threat Actors (TAs) then demand that the victims pay a ransom for the private key needed to recover their data.\r\nBased on analysis by Cyble Research Labs, we have observed that the executable payload is a console-based application.\r\nFigure 1 shows the execution flow of the Karma ransomware. After execution, the malware takes inputs from the user, checks all A-Z drives, and excludes certain folders and files from encryption. The ransomware then drops the ransom note, replaces the original file content with encrypted content, and appends the extension .KARMA.\r\nhttps://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/\r\nPage 1 of 11\r\nFigure 1 Execution Flow of Karma Ransomware\r\nTechnical Analysis\r\nOur static analysis found that the malware is a console-based x86 executable written in C/C++, as shown in Figure 2.\r\nFigure 2 Malware Payload Static Information\r\nAfter encrypting the files, the ransomware payload drops a ransom note named KARMA-ENCRYPTED.txt in various locations on the victim’s machine, as shown in Figure 3.\r\nFigure 3 Ransom Note\r\nIn the above ransom note, the TAs have given the email support IDs “JamesHoopkins1988@onionmail[.]org”, “Leslydown1988@tutanota[.]com” and “ollivergreen1977@protonmail[.]com”. The victims are asked to reach out to the attackers and pay the ransom amount in Bitcoin (BTC) to get the private decryption key.\r\nAfter execution, the malware encrypts the files, appends the extension .KARMA to the encrypted files and drops the ransom note, as shown in Figure 4.\r\nFigure 4 Encrypted Files\r\nUpon execution, a Mutex named KARMA is created to ensure that only one instance of the ransomware is running at a time, as shown in Figure 5.\r\nFigure 5 Malware Creates Mutex\r\nThe malware payload uses the crypt32.dll library, a module that implements the certificate and cryptographic messaging functions of the CryptoAPI, as shown below.\r\nFigure 6 Malware Loads Library crypt32.dll\r\nAs shown in Figure 7, the malware payload first gets the command-line string and checks whether the number of arguments is less than or equal to 1. If so, it creates threads depending on the logical drives present on the victim machine.\r\nIf the number of arguments is greater than 1, the malware checks whether the passed argument is a directory.\r\nIf a directory is found, the payload encrypts the directory and its contents. If the argument refers to a specific file, the malware will encrypt that file as well.\r\nFigure 7 Malware Encryption Process\r\nThe malware payload iterates through all possible A-Z drives on the Windows machine and verifies whether each drive is a logical drive, after which it creates a thread for it. Refer to Figure 8.\r\nFigure 8 Malware Verifies the Windows Drives and Creates Thread\r\nThe malware excludes the folders listed in Table 1 from the encryption routine, as shown in Figure 9.\r\nFolders\r\nAll Users\r\nProgram Files\r\nProgram Files x86\r\nWindows\r\nRecycle bin\r\nTable 1 Excluded Folders List\r\nFigure 9 Malware Excludes Folders from Encryption\r\nThe malware excludes the file types listed in Table 2 from the encryption routine, as shown in Figure 10.\r\nFile Type  Description\r\n.EXE  Executable\r\n.DLL  Dynamic Link Library\r\n.INI  Initialization\r\n.URL  Uniform Resource Locator\r\n.LNK  Link\r\nTable 2 Excluded Files List\r\nFigure 10 Malware Excludes Files from Encryption\r\nThe malware first searches for specific folders, for example config.Msi on the C drive. If it successfully locates these folders, it performs further actions, as shown in Figure 11.\r\nFigure 11 Malware Searches for the Folder\r\nAfter finding the required folders, the malware creates the ransom note, as shown in Figure 12.\r\nFigure 12 Malware Writes Ransom Note\r\nAs seen in Figure 13, the malware generates a seed after creating the ransom note.\r\nFigure 13 Malware Generates Seed\r\nThe malware reads the file content and writes the encrypted data, as shown in Figure 14.\r\nFigure 14 Malware Reads the Content and Writes Encrypted Content\r\nFigure 15 shows the encryption routine performed by the malware.\r\nFigure 15 Encryption Routine\r\nAfter encrypting the files, the malware replaces the original content with the encrypted content and appends the extension .KARMA, as shown in Figure 16.\r\nFigure 16 Malware Replaces Original Content with Encrypted Content\r\nThe TOR website hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/ shown in Figure 17 was present in the ransom note. In the contact section of the website, the TAs have mentioned two email IDs, jeffreyclinton1977@onionmail.org and jackiesmith176@protonmail.com, which the victims can use to communicate with them to recover the data.\r\nFigure 17 Ransomware Tor Website\r\nConclusion\r\nRansomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by TAs, besides implementing the requisite security best practices and security controls.\r\nRansomware victims are at risk of losing valuable data as a result of such attacks, resulting in financial loss and lost productivity. In the event that the victim is unable or unwilling to pay the ransom, the TA may leak or sell this data online. This will not only compromise sensitive user data in the case of banks, online shopping portals, etc., but will also lead to a loss of reputation for the affected firm.\r\nCyble Research Labs is continuously monitoring KARMA’s extortion campaign and will keep our readers up to date with new information.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nRegularly perform vulnerability assessments of organizational assets, especially those exposed to the internet.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nAvoid using software cracks or keygens from torrent or third-party servers.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nInitial Access  T1190  Exploit Public-Facing Application\r\nDefense Evasion  T1112  Modify Registry\r\nDefense Evasion  T1027  Obfuscated Files or Information\r\nDefense Evasion  T1562.001  Impair Defenses: Disable or Modify Tools\r\nDiscovery  T1083  File and Directory Discovery\r\nDiscovery  T1135  Network Share Discovery\r\nImpact  T1486  Data Encrypted for Impact\r\nImpact  T1490  Inhibit System Recovery\r\nIndicators of Compromise (IoCs):\r\nIndicators  Indicator type  Description\r\na63937d94b4d0576c083398497f35abc2ed116138bd22fad4aec5714f83371b0  SHA256  HASH\r\nhxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/  URL  URL\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure on the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.\r\nSource: https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/"
	],
	"report_names": [
		"a-deep-dive-analysis-of-karma-ransomware"
	],
	"threat_actors": [
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434053,
	"ts_updated_at": 1775791900,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/157826e49831420347ec79496bb4a889e6154d7c.pdf",
		"text": "https://archive.orkl.eu/157826e49831420347ec79496bb4a889e6154d7c.txt",
		"img": "https://archive.orkl.eu/157826e49831420347ec79496bb4a889e6154d7c.jpg"
	}
}