Threat Thursday: Karma Ransomware

Summary

Karma is fast-acting ransomware designed to quickly encrypt data on compromised machines. In the wild since mid-2021, Karma initially used the stream cipher known as ChaCha20. Recent samples have swapped this out for Salsa20, suggesting the malware is still under development.

The Karma ransom group has created a leak site named “Karma Leaks,” which is hosted via an Onion page. This site has blog-like posts that allude to infiltration of an organization’s network before deploying their ransomware, a technique which allows them to get a better sense of the value of their victim’s data before setting a ransom amount. The group also uses this site as a double-extortion ploy. Affected organizations that refuse to pay the ransom demands or that do not pay within a specific time, have their data published.

In October 2021, Karma ransomware went through an iterative change, showing rapid advancement including smaller sample-size and shifts in their encryption routine. Files encrypted by the newest version of the ransomware have the file-extension [.KARMA_V2] appended, rather than the initial [.KARMA] file-extension used in a previous version.

Operating System

Risk & Impact

Technical Analysis

Infection Vector

The infection vector used by the Karma ransomware gang is unknown, but based on initial findings of reconnaissance performed on the victims by the threat group, it appears to vary. Once the group has established a foothold, they likely attempt to move laterally and exfiltrate any data of value. Once reconnaissance and information-stealing has concluded, they execute the Karma ransomware to encrypt victim systems that they have compromised.

File Analysis

The ransomware file itself is small, with samples ranging between 15 KB and 130 KB. Despite their small size, none of the samples found in the wild were packed by digital software packers. The observed samples were all Windows® 32-bit Portable Executables (PE) with a compilation timestamp of 2021. All samples found in the wild were compiled in Microsoft® Visual C++.

Though most samples of Karma are unsigned, lacking digital certificates, at least one known sample was signed with a currently un-revoked digital signature.

Figure 1: Static information of Karma_V2 sample

As noted, Karma appears to be still under development. BlackBerry has observed a clear lateral progression between initial samples of Karma, leading up to KARMA_V2. Over a short period of time, the samples of Karma that have been analyzed became progressively smaller, shifted their encryption routine, and increased in complexity.

The initial samples of Karma contained a console pop-up box during encryption, meaning an attentive user could attempt to terminate the process before all their data was encrypted. However, given the speed of the malware’s encryption routine, it would have been difficult to act quickly enough to keep all data intact.

Figure 2: Initial console dialog box of Karma

More recently, samples contain the static string: Karma_V2. These samples share a lot of resemblance to the proceeding version, but the initial console box that was once displayed on the victim device is no longer visible. Its speed and method of encryption appear the same.

Karma Mutex

Karma_V2, like the original, initially creates a mutex called “KARMA.” This functions as a buffer to prevent another instance of the ransomware from being executed if one is already running. This is likely done to prevent re-infection, as well as double-encryption that might occur if the ransomware inadvertently executes twice.

If ransomware were to be executed twice on a system, doubly-encrypted data is likely to become un-recoverable and corrupt. This would defeat the purpose of such malware demanding a payment for decrypting and recovering the user’s data.

Figure 3: Formation of the "KARMA" mutex

Karma calls on the use of crypt32.dll. This Dynamic-Link Library (.DLL) is a native module used to implement cryptographic messaging and certification functions with the Windows CryptoAPI. The DLL is used during encryption.

Figure 4: crypt32.dll being loaded

After loading the DLL, the malware will then iterate through all available drives connected to the victim’s device. If a logical drive is identified and verified, the malware will attempt to encrypt its contents.

Encryption

Not all samples of Karma have the same goals. Though they all operate the same, they can target different files and folders.

Karma samples vary in which file-extensions and folders they exclude from encrypting. This information is statically hard-coded into the malware, located in the .rdata section of each sample.

Figure 6: These exclusions are then used by the malware when executing

These exclusions are likely included to avoid inadvertently encrypting core and critical Windows components.

Figure 7: File extension exclusion list

KARMA (ChaCha20)

KARMA (Salsa20)

KARMA_V2

Once files are passed through the malware encryption routine, and the file-extension has been appended, the malware will add the 8 bytes of data shown below to signify successful encryption.

Figure 8: File encrypted by Karma_V2

Background Change

In all samples of Karma ransomware analyzed to date, once encryption is completed, the malware creates a file called “background.jpg.” This file is generated and stored in the %Temp% directory.

Figure 9: Creating 'background.jpg'

Once the malware has carried out its encryption, it will change the victim’s desktop image as shown below.

Figure 10: System affected by Karma

Ransom Note

Figure 11: Example of Karma ransom note

There are few deviations in the Karma ransom note. However, the formatting is generally the same across all versions.

Typically, the contents of these notes are Base-64 encoded and contained within the file’s static strings. The contents are decoded into memory before being placed into the text file KARMA-ENCRYPTED.txt or KARMA-AGREE.txt. These ransom notes are created and dropped in all folders where the malware has encrypted files.

The note contains an Onion link to the threat actor’s leak site. It also contains unique email addresses related to that specific sample of Karma.

These addresses often follow a pattern of containing at least one of each of the following email services:

• OnionMail
• Tutanota
• ProtonMail

Leak Site

While other prevalent ransomware threats have been observed selling their malicious code to other threat actors as Ransomware-as-a-Service offerings, Karma appears to be used solely by its own creators.

Since Karma began posting to its Onion webpage in May 2021, the ransomware threat actors have been busy populating their basic WordPress site with the names and data of victims who have refused to pay their ransom.

Figure 12: Current content of “Karma Leaks” website (redacted)

As of November 2021, the site hosts the data of four victims who have not engaged or contacted the group and therefore have had their data publicly leaked. Each post shown in Figure 12 contains multiple links to download confidential information stolen by the threat actors. The site suggests that these “double-extortion” posts would be removed if a fee is paid, which means that the true number of victims who have fallen to Karma may extend beyond this initial tally.

It appears that the Karma ransomware gang tends to target large multinational organizations; in particular, those with more than 1,000 employees and around $1 billion in revenue.

Figure 13: Karma leak site’s “About” page text

Karma’s website has a few blog-like posts about potential victims they intend to leak data from soon, and further ways to contact the gang. The “About" page shares a few additional pieces of information, as seen in Figure 13.

Neither the ransom note nor the website publicly discloses a specific ransom amount. Typically, ransomware would immediately demand a victim-specific fee or a flat-rate fee for the decryption of files.

As the Karma ransomware gang likely infiltrates organizations directly, as opposed to an RaaS model, fees could vary based on not just on the damage caused by the ransomware, but on the victim’s ability to pay and criticality of the affected data.

Conclusion

Karma ransomware is a quickly evolving and ruthless operation. Though Karma shares a lot of similarities with other known ransomware families, its rapid development and advancement in techniques makes both the malware and the threat actor behind it extremely dangerous. The use of “Karma Leaks” as a double-extortion ploy shows the threat group’s willingness to expose victims who do not pay.

With both the activity on “Karma Leaks” and the development of KARMA_V2, it appears this threat actor is spinning up its operations, and that it is actively looking for large organizations to target next.

YARA Rule

The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:

Indicators of Compromise (IoCs)

BlackBerry Assistance

If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here:  https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment

Want to learn more about cyber threat hunting? Check out the BlackBerry Research & Intelligence Team’s new book, Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence, now available for pre-order here.