Cyber Security Advisory

Karma Ransomware Rapid Evolution

Researchers from SentinelOne have discovered a rapidly evolving ransomware called "Karma". Learn more about this novel cyber threat in this security advisory.

What is it? 

Initially discovered at the end of June 2021, Karma ransomware is a relatively new malware. Researchers from SentinelOne found that the individual developer, known by the name ‘Eugene’, is rapidly updating Karma and continuously adapting it to cutting-edge ransomware techniques. There is a strong possibility that affected companies have paid the requested ransoms, based on the lack of comment activity from Karma Site_admin on dark web forums.

Who is at risk? 

Karma ransomware has been observed targeting various organizations across several sectors with no specific industry targets. Researchers say at least eight different companies have been affected by Karma between 2021-06-18 and 2021-06-25. So far, there have been no corporate data leaks. From this, we assume that the victims have paid the ransom or are in the process of negotiating payments to prevent data leaks.

Each of the eight concurrent versions of the ransomware seems to be improving and rapidly evolving to stay up to date with the latest ransomware techniques. This pace of evolution suggests that the developer, ‘Eugene’, is highly skilled and chooses victims carefully to target the most vulnerable.

How does Karma work? 

Karma ransomware prevents access to an organization’s data by encrypting files and systems. This is done through the following encryption process:


  1. Generate a random ChaCha20 key
  2. Encrypt the file with ChaCha20
  3. Encrypt the ChaCha20 key with a hardcoded ECC public key
  4. Add the encrypted key to the encrypted file
  5. Append “KARMA”
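
For triage after an incident, the trailing marker from step 5 gives responders something concrete to sweep a file share for. The sketch below is an added example, not code from SentinelOne or from this advisory; it assumes the marker is stored as the ASCII bytes KARMA at the very end of the file, and the sample size and entropy threshold are illustrative values.

```python
import math
import os
from collections import Counter

MARKER = b"KARMA"   # assumption: step 5's marker is ASCII and is the last bytes of the file
SAMPLE = 4096       # bytes inspected immediately before the marker
MIN_BODY = 1024     # below this, entropy is too noisy to judge


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(path: str, min_entropy: float = 7.0) -> str:
    """Return 'clean', 'marker-only' or 'likely-encrypted' for one file."""
    size = os.path.getsize(path)
    if size < len(MARKER):
        return "clean"
    with open(path, "rb") as fh:
        fh.seek(max(0, size - len(MARKER) - SAMPLE))
        tail = fh.read()
    if not tail.endswith(MARKER):
        return "clean"
    body = tail[:-len(MARKER)]
    # A plain document that merely ends in "KARMA" has low-entropy content before it.
    if len(body) >= MIN_BODY and shannon_entropy(body) >= min_entropy:
        return "likely-encrypted"
    return "marker-only"


def scan(root: str) -> dict:
    """Walk root and return {path: verdict} for every file that carries the marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip FIFOs, sockets and dangling links
            try:
                verdict = classify(path)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if verdict != "clean":
                hits[path] = verdict
    return hits
```

Files reported as `marker-only` deserve a manual look before they are counted as affected, since only the trailer matched.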


Once files and data have been encrypted by Karma, targeted organizations are given instructions on how to pay the ransom to prevent their information from being sold or released to the dark web.

How can I protect myself? 

A list of actionable items has been recommended by our partners at SentinelOne. These include:

  • Building staff awareness regarding phishing attacks, including best practices on downloading and installing apps, choosing strong passwords and not exposing them to other personal websites;
  • Creating offline backups;
  • Separating network subsystems, and ensuring each of them has its own firewalls and gateways;
  • Monitoring for large file uploads;
  • Adopting email security best practices, filtering out malicious file types (EXE, VBS, XLS with Macros), and executing them in a local sandbox;
  • Organizations that have been impacted by any ransomware attack should immediately contact Blackpanda’s expert ransomware response and negotiation specialists.

1. Stronger passwords:

Many of the most significant ransomware attacks that have occurred were due to simple passwords obtained through brute force attacks or dark web data breach sales. Ensure all employees use long-tail passwords that include symbols, numbers, and upper/lower case letters that are not affiliated with personally identifiable information like names, addresses, birthdays, etc.

2. Activate multi-factor authentication:

Ensure every access point within your systems requires MFA. This provides an added layer of security and decreases the chance that a brute force attack will be able to access your data.

3. Adhere to the principle of least privilege:

The Principle of Least Privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. The principle of least privilege works by allowing only enough access to perform the required job. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application.

4. Sweep out old user accounts and passwords:

Audit all current users and delete older usernames and passwords that have access to your critical infrastructure.

5. Update all software and security patches:

Software and security partners are constantly updating their software to keep up with the daily evolution of hacking technology. It is important for your organization to apply updates and patches whenever available.

6. Back up your systems and data offline:

Employ strong, frequent backups to have important files and systems recoverable in the event of an attack.

7. Implement an Endpoint Detection and Response (EDR) solution:

An EDR system can help detect threats that are within your system so that you can respond to them in the quickest way possible. EDR solutions like SentinelOne can better protect your environment from ransomware attacks and other threats.

8. Have a risk transfer solution and cyber IR plan in place:

Sophisticated ransomware will be able to get past anti-virus protections and firewalls offered by outdated cyber defence systems. Having a proper IR (incident response) plan in place, recurring compromise assessments, and comprehensive cyber insurance coverage can help your organization best combat the constantly evolving threats in the cyber landscape. 
