Sentinel Labs experts have analyzed the new Karma ransomware and speculate it represents an evolution of the Nemty ransomware operation.
Karma ransomware is a new threat that was first spotted in June of 2021, it is important to distinguish it from a different threat with the same name that is active since 2016.
The researchers analyzed eight samples used in attacks that took place in June 2021 and analyzed them finding important code similarities with some ransomware variants of Gangbang and Milihpen that were active in the wild at least since January 2021. The analysis of the compilation dates of the samples suggests that the Karma ransomware is still under active development.
The similarities between Karma and the above variants included the exclusion of extensions and folders and the presence of debug messages.
“From our analysis, we see similarities between JSWorm and the associated permutations of that ransomware family such as NEMTY, Nefilim, and GangBang. Specifically, the Karma code analyzed bears close similarity to the GangBang or Milihpen variants that appeared around January 2021.” reads the analysis published by SentinelLabs.
The experts conducted a “bindiff” on Karma and Gangbang samples and noticed that the ‘main()’ function is quite similar.
The analysis of the encryption process implemented in the sample analyzed revealed that the earlier ones were using the Chacha20 encryption algorithm, while the most recent samples were using the Salsa20 algorithm.
“Diving in deeper, some samples show that the ChaCha20 algorithm has been swapped out for Salsa20. The asymmetric algorithm (for ECC) has been swapped from Secp256k1 to Sect233r1. Some updates around execution began to appear during this time as well, such as support for command line parameters.” continues the report.
Like other ransomware operations, the Karma gang has set up a leak site where publish the stolen data of those victims that don’t pay the ransom.
“Karma is a young and hungry ransomware operation. They are aggressive in their targeting, and show no reluctance in following through with their threats. The apparent similarities to the JSWorm family are also highly notable as it could be an indicator of the group being more than they appear.” “The rapid iteration over recent months suggests the actor is investing in development and aims to be around for the foreseeable future.” concludes the report that also includes Indicators of Compromise (IoCs) for the threat.
(SecurityAffairs – hacking, Karma ransomware)