Karma targets Windows OS, masquerades as Windows optimization software named Windows-TuneUp, and is distributed through a pay-per-install software monetization company. Once installed, Karma displays a screen showing fake performance statistics to make victims believe they can optimize their system’s memory, remove junk files, and edit their registries. While the screen is open, Karma checks to see if it is running within a virtual machine. If no virtual machine is detected, it obtains the encryption key from its C2 server and then begins encrypting victims’ files on local drives and on connected network shares, appending .karma to the names of the encrypted files. Once finished, it drops a ransom note on the desktop named # DECRYPT MY FILES #.html and # DECRYPT MY FILES #.txt. Lastly, it creates a scheduled task named pchelper to maintain persistence. Fortunately, the C2 server associated with this ransomware has been discovered and removed, but it’s likely that other ransomware developers will begin using this method of distribution for future campaigns.
- Bleeping Computer provides more information about Karma here.
- The NJCCIC is not aware of any free decryption tools available for Karma.