Cyble - A Deep-dive Analysis Of KARMA Ransomware
Published: 2021-08-24 · Archived: 2026-04-05 12:38:54 UTC
Cyble Research Labs'deep-dive analysis on the KARMA ransomware.
While performing our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a
ransomware group known as KARMA, which encrypts files on the victim’s machine and appends the extension of
encrypted files to .KARMA. Subsequently, the Threat Actors (TAs) demand that the victims pay ransom for the private
key to recover their data. 
Based on analysis by Cyble Research Labs, we have observed that the executable payload is a console-based
application. 
Figure 1 shows the execution flow of the Karma ransomware. After execution, the malware takes
inputs from the user and checks all A-Z drives, excludes folders and files from encryption. After this, the
ransomware proceeds to drop the ransom note and replaces the original content with encrypted
content. It then appends the extension as .KARMA. 
World's Best AI-Native Threat Intelligence
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 1 of 11

Figure 1 Execution Flow of Karma Ransomware 
Technical Analysis 
Our static analysis found that the malware is a console-based x86 architecture executable written in C/C++, as shown
in Figure 2.
Figure 2 Malware Payload Static Information 
After encrypting the files, the ransomware payload drops the ransom note named KARMA-ENCRYPTED.txt in various
places in the victim’s machine, as shown in Figure 3. 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 2 of 11

Figure 3 Ransom Note 
In the above ransom note, the TAs have given email support
IDs ”   JamesHoopkins1988@onionmail[.]org“, Leslydown1988@tutanota[.]com“, “ 
ollivergreen1977@protonmail[.]com“. The victims are asked to reach out to the attackers and pay the ransom amount
in Bitcoin (BTC) to get the private decryption key. 
After execution, the malware encrypts the files and appends the extension of encrypted files as .KARMA and drops
ransom note as shown in Figure 4. 
Figure 4 Encrypted Files 
Upon execution, a Mutex with the name KARMA is created to ensure that only one instance of this ransomware is
running at a time, as shown in Figure 5. 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 3 of 11

Figure 5 Malware Creates Mutex 
The malware payload uses the crypt32.dll library, a module used to implement certificate and cryptographic messaging
functions in the CryptoAPI, as shown below. 
Figure 6 Malware Loads Library crypt32.dll 
As shown in Figure 7, the malware payload first gets the command-line string and checks if the argument is less or
equal to 1. It then creates threads depending on the logical drive present in the victim machine.  
If the argument is greater than 1, the malware checks whether the passed argument is a directory.  
If a directory is found, the payload encrypts the directory and its content. Furthermore, if the argument is for any
specific file, the malware will start encrypting that file as well. 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 4 of 11

Figure 7 Malware Encryption Process
The malware payload iterates through all possible A-Z drives on the Windows machine and verifies if the drives are
logical, after which it creates a thread. Refer to Figure 8. 
Figure 8 Malware Verifies the Windows Drives and Creates Thread 
The malware excludes the list of folders shown in Table 1 from the encryption routine as shown in Figure 9. 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 5 of 11

Folders 
All Users 
Program Files 
Program Files x86 
Windows 
Recycle bin 
Figure 9 Malware Exclude Folders from Encryption 
The malware excludes the list of types of files shown in Table 2 from the encryption routine, as shown in Figure 10. 
File Type  Description 
.EXE  Executable 
.DLL  Dynamic Link Library 
.INI  Initialization 
.URL  Uniform Resource Locator 
.LNK  Link 
Table 2 Excluded Files List 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 6 of 11

Figure 10 Malware Excludes Files from Encryption 
The malware initially searches for folders, for example, config.Msi in C drive. If it can successfully locate these
folders, it performs further actions, as shown in Figure 11. 
Figure 11 Malware Searches for the Folder 
After finding the required folders, the malware creates the ransom note, as shown in Figure 12. 
Figure 12 Malware Writes Ransom Note
As seen in Figure 13, the malware generates a seed after creating the ransom note. 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 7 of 11

Figure 13 Malware Generates Seed 
The malware reads the content and writes encrypted data, as shown in Figure 14. 
Figure 14 Malware Reads the Content and Writes Encrypted Content 
Figure 15 shows the encryption routine performed by the malware. 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 8 of 11

Figure 15 Encryption Routine 
After encrypting the files, the malware replaces the original content with encrypted content with appended
extension as .KARMA, as shown in Figure 16. 
Figure 16 Malware Replaces Original Content with Encrypted Content
The TOR website hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/ shown in Figure
17 was present in the ransom note, in the contact section of the website, TAs have mentioned two email
IDs jeffreyclinton1977@onionmail.org and jackiesmith176@protonmail.com, which the victims can use to
communicate with them to recover the data 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 9 of 11

Figure 17 Ransomware Tor Website
Conclusion 
Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the
techniques used by TAs, besides implementing the requisite security best practices and security controls.  
Ransomware victims are at risk of losing valuable data as a result of such attacks, resulting in financial loss and lost
productivity. In the event that the victim is unable or unwilling to pay the ransom, the TA may leak or sell this data
online. This will not only compromise sensitive user data in the case of banks, online shopping portals etc, but it will
also lead to a loss of reputation for the affected firm. 
Cyble Research Lab is continuously monitoring KARMA’s extortion campaign and will keep our readers up to date
with new information. 
Our Recommendations 
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We
recommend that our readers follow these suggestions given below:  
Conduct regular backup practices and keep those backups offline or on a separate network. 
Regularly perform the vulnerability assessment of the organizational assets majorly which are exposed on
internet.    
Refrain from opening untrusted links and email attachments without verifying their authenticity.  
Avoid using software cracks or keygens from torrent or third-party servers. 
Use strong passwords and enforce multi-factor authentication wherever possible.   
Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever
possible and pragmatic.    
Use a reputed anti-virus and Internet security software package on your connected devices, including PC,
laptop, and mobile.       
MITRE ATT&CK® Techniques 
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 10 of 11

Tactic  Technique ID  Technique Name 
Initial access     T1190     Exploit Public-Facing Application 
Defense Evasion    
T1112
T1027
T1562.001    
Modify Registry    
Obfuscated Files or Information  
Impair Defences: Disable or Modify Tools  
Discovery    
T1083
T1135   
File and Directory Discovery   
Network Share Discovery   
Impact    
T1486
T1490    
Data Encrypted for Impact    
Inhibit System Recovery    
Indicators of Compromise (IoCs):   
Indicators 
Indicator
type 
Description 
a63937d94b4d0576c083398497f35abc2ed116138bd22fad4aec5714f83371b0  SHA256  HASH 
hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/  URL  URL 
About Us 
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and
exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk
footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one
of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in
Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com. 
Source: https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
Page 11 of 11