Euro Security Watch with Mathew J. Schwartz


Karma Seeks Free Publicity to Fulfill Ransomware Destiny

Newcomer Wants Journalists to Publicize Victims, to Pressure Them Into Paying Ransom
Ransom note left after Karma ransomware crypto-locks a Windows system (Source: Cyble)

A new and still little-known ransomware group has been pursuing a novel strategy to pressure victims into paying: getting journalists to name the businesses it has hit, in the hope that public exposure will push them toward a payment.


To wit, in a Wednesday email with a misspelled subject line - "They are hidding problems" - sent using the ProtonMail end-to-end encrypted email service, one Mel Smith told me that a "global medical device company," named in the email, had been hit by the Karma ransomware operation.


"This ransomware group that hacked seems new. Not much is known about them on the internet," Smith said.

Helpfully, the message included a link to Karma's Tor-based data leaks site, adding more details about the attack on the medical device company. "Few TB of internal data were stolen: documents, NDAs, personal data, financial info, all internal communication and many other. I see this could affect a lot of people and partners worldwide, but they preferred to do nothing, carefully masking the data breach," Smith said.

"Sorry for the proton email, but I want to keep privacy as I have a close relationship to the company. Please, confirm that you receive that email."

Confirming receipt, I asked the sender if he was in fact a member of the Karma operation.

"It doesn't matter, Mathew," he responded. "The only thing you should understand we can provide you exclusive information about ransomware targets which are going to be published. For example listings, some particular documents on demand, emails or (maybe) even chat logs about the payments."

The sender added: "We have a one single rule for you. Nothing from our communication should be posted. It should stay between us."

In Pursuit of Free Publicity

Clearly, Karma is looking for free publicity.

"This is a common tactic among new ransomware groups. They are trying to bring attention to themselves and, therefore, their victims as an attempt to force the companies to pay," says Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future. "There are so many extortion sites out there now that some of the smaller ones get lost in the shuffle so they don't get the same attention that a Clop or LockBit does."

Karma's data leak site, reachable only via the anonymizing Tor browser

"Multiple ransomware operations do press outreach in an attempt to further pressure victims," Brett Callow, a threat analyst at security firm Emsisoft, tells me. "Some also contact customers or business partners either by phone or by email."

Debut in July

Karma debuted recently. While there was ransomware of that name back in 2016, the new Karma began to show up in VirusTotal and other malware-spotting services in July, and only launched a leak site earlier this month, which so far lists few victims, Liska says.

Execution flow of Karma ransomware (Source: Cyble)

Threat intelligence firm Cyble in August published a report on Karma, noting that the group was using both onionmail.org and protonmail.com accounts as contact points for victims. Cyble says Karma's crypto-locking malware, written in C/C++, is designed to infect Windows systems.

Seeking Pressure Points

Doing media outreach to publicize victims is just one way ransomware operations have been attempting to better pressure victims into paying a ransom, and Karma isn't the first to pursue this strategy.

"We call each target as well as their partners and journalists; the pressure increases significantly," Unknown, a core member of the REvil - aka Sodinokibi - operation, told Recorded Future early this year. "And after that, if you start publishing files, well, it is absolutely gorgeous. But to finish off with DDoS is to kill the company."

Since late 2019, many ransomware operations have engaged in double extortion: threatening to name and shame victims and to leak their stolen data. Some practice so-called triple extortion, hitting nonpaying victims with distributed denial-of-service attacks as well. Quadruple extortion, meanwhile, refers to attackers contacting a victim's customers or business partners to tell them that their data has been exposed and that the victim is refusing to pay the ransom demanded to safeguard it.

Ever the innovators, some ransomware operations even use call centers to inform victims they've been hit, urging them to pay the ransom to restore operations.

Brand Building

Not just Unknown but other representatives from ransomware groups have regularly granted supposedly tell-all interviews to media outlets or appeared to spill their guts to threat intelligence firms.

Such efforts also appear to be designed to help ransomware-as-a-service operations build their brand, not least to recruit more affiliates: the individuals who use the operation's ransomware to infect victims, in return for a share of any ransom paid. With dozens of operations attacking victims, competition for affiliates remains fierce.

After Avaddon, Babuk, DarkSide and REvil appeared to go dark this past summer, other operations - including Conti, Groove and LockBit 2.0 - made a bid for their affiliates.

"We are in the first place in terms of the encryption speed and the speed of dumping the company data," a representative of the latter group, known as "LockBitSupp," said in a Russian-language interview with the Russian OSINT YouTube channel last month.

"The distribution and encryption processes are automated," and after LockBit's payload executes and hits the domain controller, "after the shortest period of time, the entire corporate network is encrypted," LockBitSupp boasted.

Many ransomware groups compete to recruit the most skilled affiliates for launching attacks, as well as initial access brokers for gaining access to victims, while targeting the biggest possible victims in pursuit of the largest ransoms. When it comes to competing with more established players for a bigger piece of the pie, clearly Karma will have its work cut out for it.



About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



