{
	"id": "2ce105a8-949d-4241-ac43-424c5ce2b069",
	"created_at": "2026-04-06T00:08:27.661254Z",
	"updated_at": "2026-04-10T03:31:40.432305Z",
	"deleted_at": null,
	"sha1_hash": "9a1e637bb30bdd9f08e7ca3f4d82d037d5ed3247",
	"title": "Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2697519,
	"plain_text": "Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree\r\nBy Antonis Terefos\r\nPublished: 2021-10-18 · Archived: 2026-04-05 14:08:47 UTC\r\nKarma is a relatively new ransomware threat actor, having first been observed in June of 2021. The group has\r\ntargeted numerous organizations across different industries. Reports of a group with the same name from 2016 are\r\nnot related to the actors currently using the name. An initial technical analysis of a single sample related to Karma\r\nwas published by researchers from Cyble in August.\r\nIn this post, we take a deeper dive, focusing on the evolution of Karma through multiple versions of the malware\r\nappearing through June 2021. In addition, we explore the links between Karma and other well-known malware\r\nfamilies such as NEMTY and JSWorm and offer an expanded list of technical indicators for threat hunters and\r\ndefenders.\r\nInitial Sample Analysis\r\nKarma’s development has been fairly rapid and regular with updated variants and improvements, oftentimes\r\nbuilding multiple versions on the same day. The first few Karma samples our team observed were:\r\nSample 1: d9ede4f71e26f4ccd1cb96ae9e7a4f625f8b97c9\r\nSample 2: a9367f36c1d2d0eb179fd27814a7ab2deba70197\r\nSample 3: 9c733872f22c79b35c0e12fa93509d0326c3ec7f\r\nSample 1 was compiled on 18 June 2021, and Samples 2 and 3 the following day, the 19th, a few minutes\r\napart. Basic configuration between these samples is similar, though there are some slight differences such as PDB\r\npaths.\r\nAfter Sample 1, we see more of the core features appear, including the writing of the ransom note. Upon\r\nexecution, these payloads would enumerate all local drives (A to Z), and encrypt files where possible.\r\nFurther hunting revealed a number of other related samples all compiled within a few days of each other. 
The\r\nfollowing table illustrates compilation timestamps and payload size across versions of Karma compiled in a single\r\nweek. Note how the payload size decreases as the authors iterate.\r\nhttps://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/\r\nPage 1 of 8\n\nRansom Note is not Created in Sample 1.\r\nAlso, the list of excluded extensions is somewhat larger in Sample 1 than in both Samples 2 and 3, and the list of\r\nextensions is further reduced from Sample 5 onwards to only exclude “.exe”, “.ini”, “.dll”, “.url” and “.lnk”.\r\nThe list of excluded extensions is reduced as the malware authors iterate\r\nEncryption Details\r\nFrom Sample 2 onwards, the malware calls CreateIoCompletionPort, which is used for communication between\r\nthe main thread and one or more sub-threads handling the encryption process. This specific call is key to managing the\r\nefficiency of the encryption process (parallelization in this case).\r\nIndividual files are encrypted by way of a random ChaCha20 key. Once files are encrypted, the malware will\r\nencrypt the random ChaCha20 key with the public ECC key and embed it in the encrypted file.\r\nChaCha Encryption\r\nAcross Samples 2 to 5, the author removed the CreateIoCompletionPort call, instead opting to create a new\r\nthread to manage enumeration and encryption per drive. We also note the “KARMA” mutex created to prevent the\r\nmalware from running more than once. Ransom note names have also been updated to “KARMA-ENCRYPTED.txt”.\r\nDiving in deeper, some samples show that the ChaCha20 algorithm has been swapped out for Salsa20. The\r\nasymmetric algorithm (for ECC) has been swapped from Secp256k1 to Sect233r1. 
Some updates around\r\nexecution began to appear during this time as well, such as support for command line parameters.\r\nA few changes were noted in Samples 6 and 7. The main difference is the newly included background image. The\r\nfile “background.jpg” is written to %TEMP% and set as the Desktop image/wallpaper for the logged-in user.\r\nDesktop image change and message\r\nMalware Similarity Analysis\r\nFrom our analysis, we see similarities between JSWorm and the associated permutations of that ransomware\r\nfamily such as NEMTY, Nefilim, and GangBang. Specifically, the Karma code analyzed bears close similarity to\r\nthe GangBang or Milihpen variants that appeared around January 2021.\r\nSome high-level similarities are visible in the configurations.\r\nWe can see deeper relationships when we conduct a bindiff on Karma and GangBang samples. The following\r\nimage shows how similar the main() functions are:\r\nThe main() function \u0026 argument processing in Gangbang (left) and Karma\r\nVictim Communication\r\nThe main body of the ransom note text hasn’t changed since the first sample and still contains mistakes. 
The\r\nransom notes are base64-encoded in the binary and dropped on the victim machine with the filename “KARMA-AGREE.txt” or, in later samples, “KARMA-ENCRYPTED.txt”.\r\nYour network has been breached by Karma ransomware group.\r\nWe have extracted valuable or sensitive data from your network and encrypted the data on your systems\r\nDecryption is only possible with a private key that only we posses.\r\nOur group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that w\r\nScamming is just bad for business in this line of work.\r\nContact us to negotiate the terms of reversing the damage we have done and deleting the data we have\r\nWe advise you not to use any data recovery tools without leaving copies of the initial encrypted file\r\nYou are risking irreversibly damaging the file by doing this.\r\nIf we are not contacted or if we do not reach an agreement we will leak your data to journalists and\r\nhttp:\r\nIf a ransom is payed we will provide the decryption key and proof that we deleted you data.\r\nWhen you contact us we will provide you proof that we can decrypt your files and that we have downloa\r\nHow to contact us:\r\n{email1@onionmail.org}\r\n{email2@tutanota.com}\r\n{email3@protonmail.com}\r\nEach sample observed offers three contact emails, one for each of the mail providers onionmail, tutanota, and\r\nprotonmail. In each sample, the contact emails are unique, suggesting they are specific communication channels\r\nper victim. The notes contain no other unique ID or victim identifier as sometimes seen in notes used by other\r\nransomware groups.\r\nIn common with other operators, however, the Karma ransom demand threatens to leak victim data if the victim\r\ndoes not pay. The address of a common leaks site where the data will be published is also given in the note. 
This\r\nwebsite page appears to have been authored in May 2021 using WordPress.\r\nThe Karma Ransomware Group’s Onion Page\r\nConclusion\r\nKarma is a young and hungry ransomware operation. They are aggressive in their targeting, and show no\r\nreluctance in following through with their threats. The apparent similarities to the JSWorm family are also highly\r\nnotable as it could be an indicator of the group being more than they appear. The rapid iteration over recent\r\nmonths suggests the actor is investing in development and aims to be around for the foreseeable future.\r\nSentinelLabs continues to follow and analyze the development of Karma ransomware.\r\nIndicators of Compromise\r\nSHA1s\r\nKarma Ransomware\r\nSample 1: d9ede4f71e26f4ccd1cb96ae9e7a4f625f8b97c9\r\nSample 2: a9367f36c1d2d0eb179fd27814a7ab2deba70197\r\nSample 3: 9c733872f22c79b35c0e12fa93509d0326c3ec7f\r\nSample 4: c4cd4da94a2a1130c0b9b1bf05552e06312fbd14\r\nSample 5: bb088c5bcd5001554d28442bbdb144b90b163cc5\r\nSample 6: 5ff1cd5b07e6c78ed7311b9c43ffaa589208c60b\r\nSample 7: 08f1ef785d59b4822811efbc06a94df16b72fea3\r\nSample 8: b396affd40f38c5be6ec2fc18550bbfc913fc7ea\r\nGangbang Sample\r\nac091ce1281a16f9d7766a7853108c612f058c09\r\nKarma Desktop image\r\n%TEMP%/background.jpg\r\n7b8c45769981344668ce09d48ace78fae50d71bc\r\nVictim Blog (TOR)\r\nhttp[:]//3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd[.]onion/\r\nRansom Note Email 
Addresses\r\nMITRE ATT\u0026CK\r\nT1485 Data Destruction\r\nT1486 Data Encrypted for Impact\r\nT1012 Query Registry\r\nT1082 System Information Discovery\r\nT1120 Peripheral Device Discovery\r\nT1204 User Execution\r\nT1204.002 User Execution: Malicious File\r\nSource: https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/"
	],
	"report_names": [
		"karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree"
	],
	"threat_actors": [
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775791900,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a1e637bb30bdd9f08e7ca3f4d82d037d5ed3247.pdf",
		"text": "https://archive.orkl.eu/9a1e637bb30bdd9f08e7ca3f4d82d037d5ed3247.txt",
		"img": "https://archive.orkl.eu/9a1e637bb30bdd9f08e7ca3f4d82d037d5ed3247.jpg"
	}
}