Skip Navigation
BlackBerry Blog

BlackBerry Prevents: Karma Ransomware

Karma is fast-acting ransomware designed to quickly encrypt data on compromised machines. In the wild since mid-2021, Karma initially used the stream cipher known as ChaCha20. Recent samples have swapped this out for Salsa20, suggesting the malware is still under development.

The Karma ransom group has created a leak site named “Karma Leaks,” which is hosted via an Onion page. This site has blog-like posts that allude to infiltration of an organization’s network before deploying their ransomware, a technique which allows them to get a better sense of the value of their victim’s data before setting a ransom amount. The group also uses this site as a double-extortion ploy. Affected organizations that refuse to pay the ransom demands or that do not pay within a specific time, have their private data published.

In October 2021, Karma ransomware went through an iterative change, showing rapid advancement including smaller sample-size and shifts in their encryption routine. Files encrypted by the newest version of the ransomware have the file-extension [.KARMA_V2] appended, rather than the initial [.KARMA] file-extension used in a previous version.

To see how BlackBerry prevents Karma attacks from occurring, check out the following video.

DEMO VIDEO: BlackBerry vs. Karma Ransomware 

Learn more about Karma in our deep dive blog, Threat Thursday: Karma Ransomware.

BlackBerry Cyber Suite and BlackBerry Guard stop these attacks.  

BlackBerry customers can feel confident that our Cylance® AI-driven BlackBerry® Cyber Suite, as well as our managed detection and response (MDR) solution, BlackBerry® Guard, and our Zero Trust network access solution, BlackBerry® Gateway, are all well-equipped to mitigate the risks posed by threats such as Karma ransomware:  

  • BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement.  
  • BlackBerry® Optics extends the threat prevention by using artificial intelligence to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.   
  • BlackBerry® Gateway provides Zero Trust network access to reduce risk by protecting traffic through the perimeter and performing encrypted packet analysis. BlackBerry Gateway creates a network that is identity-aware per user, with continuous authorization to thwart zero-day attacks. 
  • The BlackBerry® Mobile Threat Defense (MTD) solution prevents and detects advanced malicious threats at the device and application levels. It combines the mobile endpoint management capabilities of BlackBerry® Unified Endpoint Manager (UEM) with advanced AI-driven threat protection, to get in front of malicious cyberattacks in a Zero Trust environment.  
  • BlackBerry® Persona creates trust based on behavioral analytics, app usage, and network and process invocation patterns. It uses adaptive risk scoring to provide continuous authentication.  
  • BlackBerry Guard customers are proactively protected from Karma ransomware attacks. Our 24/7 MDR solution customers receive:   
    • Alerts monitored in real-time   
    • Corrective policies applied while discovering gaps in policy implementation   
    • Prioritized threat hunting   
    • The latest threat intelligence for fast-moving threats   

Prevention First  

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain.  

By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps to reduce infrastructure complexity and streamline security management, ensuring your business, people and endpoints are secure.  

BlackBerry Assistance  

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.  

For emergency assistance, please email us at, or use our handraiser form.   

Video Transcription

“In this video, we are analyzing Karma, a fast-acting ransomware designed to quickly encrypt data on compromised machines, relying on speed over complexity.

It is characterized by its small size - most of the samples BlackBerry analyzed are 130kb or less - as well as for its speed in the encryption process.

For this demo, we have a recent sample considered to be Version 2 of this ransomware family. We have configured this machine in audit-only mode so we can execute this file.

Upon execution, Karma immediately encrypts the local hard drive and tries to identify any other accessible units. It presents the typical ransom note – BlackBerry researchers believe that the infection vector is connected to a previous compromise by a threat group that deploys these files once they have obtained a foothold on the target infrastructure and have conducted the exfiltration.

Let’s assess the BlackBerry Temporal Predictive Advantage against this new Karma ransomware strain. In this case, we have an additional sample that has been circulating in the wild. We will execute it on a computer with a Cylance AI model from 2015, no Internet connectivity, and no recent updates.

As you can see in this video, BlackBerry prevents this new ransomware from executing in milliseconds. But just to make sure, let’s hit it with a dozen more Karma v1 samples. Again, you’ll see that all attacks were prevented, pre-execution.

Prevention is possible, with BlackBerry.”

The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.