# A Deep-dive Analysis of KARMA Ransomware

**[blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/](https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/)**

August 24, 2021

While performing routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a ransomware group known as KARMA. The ransomware encrypts files on the victim's machine and appends the extension .KARMA to each encrypted file. The Threat Actors (TAs) then demand that victims pay a ransom for the private key needed to recover their data.

Cyble Research Labs' analysis shows that the executable payload is a console-based application. Figure 1 shows the execution flow of the Karma ransomware: after launch, the malware takes its input from the command line, checks all A-Z drive letters and skips an excluded set of folders and file types. It then drops the ransom note, replaces each targeted file's original content with encrypted content and appends the .KARMA extension.

_Figure 1 Execution Flow of Karma Ransomware_

## Technical Analysis

Static analysis shows that the malware is a console-based x86 executable written in C/C++, as shown in Figure 2.

_Figure 2 Malware Payload Static Information_

After encrypting the files, the ransomware payload drops a ransom note named KARMA_ENCRYPTED.txt in various locations on the victim's machine, as shown in Figure 3.

_Figure 3 Ransom Note_

The ransom note lists three support email addresses: JamesHoopkins1988@onionmail[.]org, Leslydown1988@tutanota[.]com and ollivergreen1977@protonmail[.]com. Victims are told to contact the attackers and pay the ransom in Bitcoin (BTC) to obtain the private decryption key.
After execution, the malware encrypts the files, appends the .KARMA extension to each encrypted file and drops the ransom note, as shown in Figure 4.

_Figure 4 Encrypted Files_

Upon execution, a mutex named KARMA is created to ensure that only one instance of the ransomware runs at a time, as shown in Figure 5.

_Figure 5 Malware Creates Mutex_

The payload loads crypt32.dll, the CryptoAPI module that implements certificate and cryptographic messaging functions, as shown in Figure 6.

_Figure 6 Malware Loads Library crypt32.dll_

As shown in Figure 7, the payload first retrieves its command-line string and checks whether the argument count is less than or equal to 1, i.e. whether it was started without arguments. In that case it creates one encryption thread per logical drive present on the victim machine. If an argument was passed, the malware checks whether it names a directory; if so, the payload encrypts that directory and its contents. If the argument names a specific file, the malware encrypts that file instead.

_Figure 7 Malware Encryption Process_

In the no-argument case, the payload iterates through all possible drive letters A-Z on the Windows machine, checks whether each one corresponds to a logical drive and, if so, creates a thread for it. Refer to Figure 8.

_Figure 8 Malware Verifies the Windows Drives and Creates Thread_

The malware excludes the folders listed in Table 1 from the encryption routine, as shown in Figure 9.

| Folders |
|---|
| All Users |
| Program Files |
| Program Files x86 |
| Windows |
| Recycle bin |

_Table 1 Excluded Folders List_

_Figure 9 Malware Excludes Folders from Encryption_

The malware also excludes the file types listed in Table 2 from the encryption routine, as shown in Figure 10.

| File Type | Description |
|---|---|
| .EXE | Executable |
| .DLL | Dynamic Link Library |
| .INI | Initialization |
| .URL | Uniform Resource Locator |
| .LNK | Link |

_Table 2 Excluded Files List_

_Figure 10 Malware Excludes Files from Encryption_

The malware then searches for specific folders, for example config.Msi on the C drive.
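To make the selection logic above concrete, the following Python model walks a file tree with the exclusion lists from Tables 1 and 2 and mirrors the three command-line modes described for Figure 7. This is an added example written for this write-up, not Cyble's tooling or code recovered from the sample. The A-Z drive loop and the logical-drive check are replaced by a list of root paths the caller supplies, so the model runs on any OS; the matching rules (case-insensitive match of a folder name on any path component below the root, and the on-disk names "Program Files (x86)" and "$Recycle.Bin" for the table's loosely written entries) are assumptions; and names such as select_targets() and the sample tree are constructed here.

```python
"""Model of KARMA's file-selection logic as described in the write-up.

Added example, not Cyble's tooling or code from the sample. Exclusion lists
come from Tables 1 and 2; the A-Z drive loop is replaced by caller-supplied
roots; matching rules and the sample tree are this example's assumptions.
"""
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Iterable

# Table 1, lower-cased. The article writes "Program Files x86" and
# "Recycle bin"; the on-disk names are "Program Files (x86)" and "$Recycle.Bin".
EXCLUDED_FOLDERS = {"all users", "program files", "program files (x86)",
                    "windows", "$recycle.bin"}

# Table 2, lower-cased.
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".ini", ".url", ".lnk"}


def is_excluded(path: Path, root: Path) -> bool:
    """Skip a file if any folder between root and the file is on the Table 1
    list (case-insensitive match, an assumption) or its extension is on the
    Table 2 list."""
    folders = path.relative_to(root).parts[:-1]
    if any(folder.lower() in EXCLUDED_FOLDERS for folder in folders):
        return True
    return path.suffix.lower() in EXCLUDED_EXTENSIONS


def walk(root: Path) -> list[Path]:
    """All regular files under root that survive the exclusion checks."""
    return [p for p in sorted(root.rglob("*"))
            if p.is_file() and not is_excluded(p, root)]


def select_targets(arg: str | None, drives: Iterable[Path]) -> list[Path]:
    """Mirror the three command-line modes shown in Figure 7."""
    if arg is None:
        # argc <= 1: the sample loops A-Z, keeps the logical drives and starts
        # one thread per drive. Here the caller passes the roots directly.
        targets: list[Path] = []
        for drive in drives:
            targets.extend(walk(drive))
        return targets
    target = Path(arg)
    if target.is_dir():
        return walk(target)  # directory argument: that tree only
    if target.is_file():
        # File argument: encrypted directly. The article does not say whether
        # the exclusion lists are consulted here, so none are applied.
        return [target]
    return []


def build_sample_tree(root: Path) -> None:
    """Constructed layout mimicking a Windows volume; not from a real case."""
    for rel in [
        "Users/alice/Documents/report.docx",
        "Users/alice/Desktop/tool.exe",
        "Users/All Users/shared.txt",
        "Users/bob/notes.txt",
        "Windows/System32/drivers/etc/hosts",
        "Program Files/App/data.db",
        "Program Files (x86)/Old/data.db",
        "$Recycle.Bin/S-1-5-21-1000/deleted.txt",
        "config.Msi/abc.rbs",
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")


def demo() -> dict[str, list[str]]:
    """Build the tree in a temp dir and report what each mode would touch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)

        def rel(paths: Iterable[Path]) -> list[str]:
            return sorted(p.relative_to(root).as_posix() for p in paths)

        return {
            "no_arg": rel(select_targets(None, [root])),
            "dir_arg": rel(select_targets(str(root / "Users"), [root])),
            "file_arg": rel(select_targets(
                str(root / "Users/alice/Desktop/tool.exe"), [root])),
        }


if __name__ == "__main__":
    for mode, files in demo().items():
        print(mode, files)
```

Running demo() builds the constructed tree in a temporary directory and returns, per mode, the files that would be handed to the encryption routine; pointing select_targets() at a real share gives a quick estimate of the blast radius a run with no arguments would have.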
If it locates these folders, it performs further actions, as shown in Figure 11.

_Figure 11 Malware Searches for the Folder_

After finding the required folders, the malware writes the ransom note, as shown in Figure 12.

_Figure 12 Malware Writes Ransom Note_

As seen in Figure 13, the malware generates a seed after creating the ransom note.

_Figure 13 Malware Generates Seed_

The malware then reads each file's content and writes out encrypted data, as shown in Figure 14.

_Figure 14 Malware Reads the Content and Writes Encrypted Content_

Figure 15 shows the encryption routine performed by the malware.

_Figure 15 Encryption Routine_

After encrypting a file, the malware replaces the original content with the encrypted content and appends the .KARMA extension, as shown in Figure 16.

_Figure 16 Malware Replaces Original Content with Encrypted Content_

The ransom note also points to the Tor website hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/, shown in Figure 17. In the contact section of that site, the TAs list two further email addresses, jeffreyclinton1977@onionmail[.]org and jackiesmith176@protonmail[.]com, which victims can use to communicate with them to recover their data.

_Figure 17 Ransomware Tor Website_

## Conclusion

Ransomware groups continue to pose a severe threat to firms and individuals. Organizations need to stay ahead of the techniques used by TAs, in addition to implementing the requisite security best practices and controls. Ransomware victims risk losing valuable data, with the resulting financial loss and lost productivity. If the victim is unable or unwilling to pay the ransom, the TA may leak or sell the data online. This not only compromises sensitive user data, for example at banks or online shopping portals, but also damages the reputation of the affected firm.
Cyble Research Labs is continuously monitoring KARMA's extortion campaign and will keep our readers up to date with new information.

## Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

- Conduct regular backups and keep those backups offline or on a separate network.
- Regularly perform vulnerability assessments of organizational assets, especially those exposed to the internet.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Avoid using software cracks or keygens from torrent or third-party servers.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on automatic software updates on your computer, mobile and other connected devices wherever possible and practical.
- Use a reputable anti-virus and internet security software package on your connected devices, including PCs, laptops and mobiles.
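Complementing the recommendations above, the following Python detection logic looks for the two on-disk artefacts the technical analysis describes: a burst of files created with the .KARMA extension by a single process, and KARMA_ENCRYPTED.txt notes dropped in more than one directory. This is an added example, not Cyble's code. The input records are constructed here in the shape of Sysmon Event ID 11 (FileCreate) fields (UtcTime, ProcessId, Image, TargetFilename); the 60-second window, the threshold of five creates, and the process names and paths are this example's own choices.

```python
"""Detect KARMA's on-disk artefacts in file-creation telemetry.

Added example, not Cyble's code. Input is Sysmon-style Event ID 11
(FileCreate) records as JSON lines; the records below are constructed, and
the window and threshold are this example's own tuning choices.
"""
from __future__ import annotations

import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".karma"              # extension appended by the ransomware
RANSOM_NOTE = "karma_encrypted.txt"   # note dropped "in various places"
BURST_THRESHOLD = 5                   # .KARMA creates by one process...
BURST_WINDOW = timedelta(seconds=60)  # ...within this window (assumed tuning)

# Constructed sample telemetry: one process writes six .KARMA files and two
# notes in different folders; two benign processes are present for contrast.
SAMPLE_EVENTS = r"""
{"UtcTime": "2021-08-20 10:15:02.110", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\update.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\KARMA_ENCRYPTED.txt"}
{"UtcTime": "2021-08-20 10:15:02.300", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\update.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx.KARMA"}
{"UtcTime": "2021-08-20 10:15:02.950", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\update.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\budget.xlsx.KARMA"}
{"UtcTime": "2021-08-20 10:15:03.400", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\update.exe", "TargetFilename": "C:\\Users\\alice\\Pictures\\holiday.jpg.KARMA"}
{"UtcTime": "2021-08-20 10:15:04.100", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\update.exe", "TargetFilename": "C:\\Users\\alice\\Pictures\\family.png.KARMA"}
{"UtcTime": "2021-08-20 10:15:06.700", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\update.exe", "TargetFilename": "D:\\Shares\\finance\\q2.pdf.KARMA"}
{"UtcTime": "2021-08-20 10:15:08.500", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\update.exe", "TargetFilename": "D:\\Shares\\finance\\ledger.db.KARMA"}
{"UtcTime": "2021-08-20 10:15:09.000", "ProcessId": 4120, "Image": "C:\\Users\\alice\\Downloads\\update.exe", "TargetFilename": "D:\\Shares\\finance\\KARMA_ENCRYPTED.txt"}
{"UtcTime": "2021-08-20 10:16:40.000", "ProcessId": 2244, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Desktop\\notes.txt"}
{"UtcTime": "2021-08-20 10:17:00.000", "ProcessId": 3300, "Image": "C:\\Program Files\\Backup\\bk.exe", "TargetFilename": "C:\\Backups\\archive.KARMA"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines FileCreate records and attach a datetime under "ts"."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(rec)
    return events


def _peak_in_window(times: list[datetime], window: timedelta) -> int:
    """Largest number of timestamps falling inside any span of length window."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect(events: list[dict]) -> list[dict]:
    """Return alerts for .KARMA creation bursts and ransom-note drops."""
    karma_times = defaultdict(list)  # (pid, image) -> timestamps of .KARMA creates
    note_dirs = defaultdict(set)     # (pid, image) -> folders that received a note
    for ev in events:
        key = (ev["ProcessId"], ev["Image"])
        folder, name = ntpath.split(ev["TargetFilename"])
        if name.lower().endswith(ENCRYPTED_EXT):
            karma_times[key].append(ev["ts"])
        elif name.lower() == RANSOM_NOTE:
            note_dirs[key].add(folder)

    alerts = []
    for (pid, image), times in karma_times.items():
        peak = _peak_in_window(times, BURST_WINDOW)
        if peak >= BURST_THRESHOLD:  # a lone .KARMA create stays below the bar
            alerts.append({"rule": "karma_extension_burst", "pid": pid, "image": image,
                           "count": peak, "notes": sorted(note_dirs.get((pid, image), ()))})
    for (pid, image), folders in note_dirs.items():
        alerts.append({"rule": "karma_ransom_note", "pid": pid, "image": image,
                       "count": len(folders), "notes": sorted(folders)})
    return sorted(alerts, key=lambda a: (a["rule"], a["pid"]))


def run_demo() -> list[dict]:
    """Run the detection over the constructed sample events."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample, update.exe trips both rules (six .KARMA creates in a few seconds, notes in two folders) while the single archive.KARMA written by the backup tool stays under the threshold; the burst alert carries the note folders so an analyst can confirm the two artefacts came from the same process.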
## MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | [T1190](https://attack.mitre.org/techniques/T1190/) | Exploit Public-Facing Application |
| Defense Evasion | [T1112](https://attack.mitre.org/techniques/T1112) | Modify Registry |
| Defense Evasion | [T1027](https://attack.mitre.org/techniques/T1027) | Obfuscated Files or Information |
| Defense Evasion | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Impair Defenses: Disable or Modify Tools |
| Discovery | [T1083](https://attack.mitre.org/techniques/T1083) | File and Directory Discovery |
| Discovery | [T1135](https://attack.mitre.org/techniques/T1135) | Network Share Discovery |
| Impact | [T1486](https://attack.mitre.org/techniques/T1486/) | Data Encrypted for Impact |
| Impact | [T1490](https://attack.mitre.org/techniques/T1490/) | Inhibit System Recovery |

## Indicators of Compromise (IoCs)

| Indicator | Indicator type | Description |
|---|---|---|
| a63937d94b4d0576c083398497f35abc2ed116138bd22fad4aec5714f83371b0 | SHA256 | Hash of the KARMA ransomware payload |
| hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/ | URL | Tor website referenced in the ransom note |

## About Us

[Cyble](https://cyble.com/) is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrime and exposure on the dark web. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, with offices in Australia, Singapore and India, Cyble has a global presence. To learn more about Cyble, visit [https://cyble.com](https://cyble.com/).