Karma ransomware rapid evolution

What is it? 

Karma ransomware is a relatively new family, first seen at the end of June 2021. Researchers at SentinelOne found that its developer, an individual going by the name ‘Eugene’, is updating Karma rapidly and continuously borrowing techniques from current ransomware families. There is a strong possibility that affected companies have paid the requested ransoms, judging by the lack of posting activity from the Karma Site_admin account on dark web forums.

Who is at risk? 

Karma has been observed hitting organisations across several sectors, with no particular industry singled out. Researchers report that at least eight companies were affected between 18 and 25 June 2021. No corporate data has been leaked so far; from this, we assume the victims have paid the ransom or are negotiating payment to prevent a leak.

Each of the eight versions observed appears to improve on the last, keeping pace with current ransomware techniques. This rate of change suggests that the developer, ‘Eugene’, is highly skilled and chooses victims carefully, targeting the most vulnerable.

How does Karma work? 

Karma denies an organisation access to its data by encrypting its files. Each file goes through the following process:

  1. Generate a random ChaCha20 key
  2. Encrypt the file with ChaCha20
  3. Encrypt the ChaCha20 key with a hardcoded ECC public key
  4. Append the encrypted key to the encrypted file
  5. Append the marker “KARMA”

Because each per-file key is wrapped with the attacker’s public key, only the holder of the matching private key can recover it. The victim cannot decrypt the files without that private key, even with full knowledge of the algorithm and the encrypted key blob sitting at the end of every file.

Once its files have been encrypted, the organisation is given instructions on how to pay the ransom to prevent its information from being sold or published on the dark web.

How can I protect myself? 

Here is a list of actionable steps you can take to protect your company from ransomware:

  • Build staff awareness of phishing, including best practice for downloading and installing applications, choosing strong passwords and not reusing them on personal websites;
  • Keep offline backups;
  • Segment the network and give each segment its own firewall and gateway;
  • Monitor for large outbound file transfers, which can indicate data being staged for exfiltration before the encryption stage;
  • Follow email security best practice: block high-risk attachment types (EXE, VBS, XLS with macros) by content rather than by file extension, and detonate anything suspicious in a local sandbox before delivery;
  • Organisations hit by any ransomware attack should immediately contact Blackpanda’s expert ransomware response and negotiation specialists.
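
The attachment-filtering bullet above is easy to get wrong if the filter looks only at file extensions, so here is a small content-based classifier, added as an example and not part of the original page. It recognises PE executables by the `MZ` header, macro-enabled OOXML documents by the presence of a `vbaProject.bin` entry in the zip container, legacy OLE documents by a cheap search for the `_VBA_PROJECT` stream name, and VBScript by a couple of telltale strings. The sample attachments are constructed inline and contain no real malware; the `should_block` policy and its set of blocked kinds are this example’s own choices.

```python
"""Content-based attachment triage: classify by what the bytes are, not by the file name."""
import io
import zipfile

PE_MAGIC = b"MZ"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # legacy .xls/.doc compound-file header
ZIP_MAGIC = b"PK\x03\x04"                            # .xlsx/.xlsm/.docx are zip containers
VBA_DIR_ENTRY = "_VBA_PROJECT".encode("utf-16-le")   # stream name an OLE VBA project carries
BLOCKED_KINDS = {"pe-executable", "office-macro", "vbscript"}

def classify(name, data):
    # Returns a coarse content type; the name is only consulted for plain-text scripts
    head = data[:8]
    if head.startswith(PE_MAGIC):
        return "pe-executable"
    if head.startswith(OLE_MAGIC):
        # Cheap heuristic, not a full OLE parser: look for the VBA directory entry name
        return "office-macro" if VBA_DIR_ENTRY in data else "office-legacy"
    if head.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-macro"          # catches .xlsm/.docm and macro files renamed .xlsx
        if any(n.startswith(("xl/", "word/", "ppt/")) for n in names):
            return "office-ooxml"
        return "zip"
    text = data[:512].lower()
    if name.lower().endswith((".vbs", ".vbe")) or b"createobject(" in text or b"wscript." in text:
        return "vbscript"
    return "other"

def should_block(name, data):
    # Block the listed kinds, and any executable whose extension lies about its content
    kind = classify(name, data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    lying = kind == "pe-executable" and ext not in ("exe", "dll", "scr")
    return kind in BLOCKED_KINDS or lying, kind

def _ooxml(with_macro):
    # Constructed minimal workbook container; real files carry much more than this
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"constructed vba stand-in")
    return buf.getvalue()

# Constructed samples (not real malware): just enough bytes to exercise each branch
SAMPLES = {
    "invoice.xlsm": _ooxml(True),
    "report.xlsx": _ooxml(False),
    "macro.xls": OLE_MAGIC + bytes(504) + VBA_DIR_ENTRY + bytes(64),
    "setup.exe": b"MZ\x90\x00" + bytes(60),
    "photo.jpg": b"MZ\x90\x00" + bytes(60),          # PE renamed to look like an image
    "run.vbs": b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "calc"\r\n',
    "notes.txt": b"quarterly figures attached",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:14} {should_block(fname, blob)}")
```

The renamed `photo.jpg` sample is the case an extension-only filter misses: its bytes are a PE image, so it is blocked regardless of the name. The OLE check is deliberately a heuristic; in production, hand anything that parses as an Office document to a proper macro analyser or sandbox rather than trusting a byte search.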

Additionally, all organisations should follow these practices:

1. Stronger passwords:

Many of the most damaging ransomware attacks began with simple passwords obtained by brute force or bought from dark web breach dumps. Ensure all employees use long passwords that mix symbols, numbers and upper- and lower-case letters and that are not derived from personal information such as names, addresses or birthdays.

2. Activate multi-factor authentication:

Require MFA at every access point into your systems, particularly remote access such as VPN, RDP and webmail. It adds a layer of security: a password obtained by brute force or from a breach dump is no longer enough on its own to reach your data.

3. Adhere to the principle of least privilege:

The principle of least privilege holds that any user, program or process should have only the minimum privileges needed to perform its function. Applied to an IT environment, it limits the damage an attacker can do after compromising a low-level user account, device or application, because that foothold does not by itself grant access to critical systems or sensitive data.

4. Sweep out old user accounts and passwords:

Audit the current user list and remove stale accounts and credentials that still have access to your critical infrastructure, including those of former employees and contractors.

5. Update all software and security patches:

Vendors release updates and security patches continuously as new vulnerabilities and attack techniques appear. Apply them as soon as they are available, prioritising internet-facing systems.

6. Back up your systems and data offline:

Take frequent backups, keep at least one copy offline or otherwise isolated from the network so that ransomware cannot reach it, and test restores regularly so that important files and systems can actually be recovered after an attack.

7. Implement an Endpoint Detection and Response (EDR) solution:

An EDR system helps detect threats that are already inside your environment so that you can respond as quickly as possible. EDR solutions such as SentinelOne can better protect your environment from ransomware and other threats.

8. Have a risk transfer solution and cyber IR plan in place:

Sophisticated ransomware can get past the anti-virus and firewall protections offered by outdated defences. A proper incident response (IR) plan, recurring compromise assessments and comprehensive cyber insurance coverage help your organisation cope with the constantly evolving threat landscape.

The best cyber incident response and risk management solution for small and medium businesses: IR-1 

Waiting for an attack to happen before contacting a cyber incident response team costs precious time and a high hourly fee, which is why pre-purchasing a retained service is the best way to optimise response time and minimise costs.

Blackpanda’s IR-1 subscription is aimed at small and medium enterprises in Asia Pacific that have limited resources and expertise for managing cyber breaches. It is a 12-month subscription that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription on expiry.

Get in touch with us to learn more about IR-1.
