New Karma Ransomware Gang likely a Nemty Rebrand

Security researchers have found evidence that the Karma ransomware is the latest step in the evolution of a family that began as JSWorm, became Nemty, then Nefilim, Fusion, Milihpen, and most recently Gangbang.

The name Karma was used by ransomware actors back in 2016, but there is no connection between that group and the one that appeared this year. JSWorm first surfaced in 2019 and went through a series of rebrands over the next two years, always retaining enough code similarities for researchers to make the connection.


Correlations Broad and Deep

The report is based on the examination of eight samples taken from an equal number of ransomware attacks in June 2021, all with notable code similarities to the Gangbang and Milihpen variants that surfaced around January 2021.

The similarities extend to the excluded folders, the excluded file types, and the debug messages used by the seemingly unrelated strains.


Another noteworthy similarity appears when running a “bindiff” on Karma and Gangbang samples, which shows an almost unchanged ‘main()’ function.


In terms of the encryption scheme, there has been an evolution across the samples: the earlier ones use the ChaCha20 algorithm, while the most recent samples switched to Salsa20.

Another change introduced along the way was to spawn a separate thread for file enumeration and encryption, possibly to achieve a more reliable outcome.

The malware authors have also added support for command-line parameters in the latest versions.

All in all, the ongoing work on the malware and the tight compilation dates of the analyzed samples indicate that Karma is under active development.

In terms of victim communication and extortion method, Karma follows the typical approach of dropping ransom notes, stealing data from compromised systems, and following up with double extortion.

Historically, Nemty mostly targeted Chinese firms in the engineering and manufacturing sector, leveraging exposed RDP services and published VPN exploits to break into vulnerable networks.

Karma Could Be a Limited Rebrand

In a private discussion with the researcher who signed the analysis, Antonis Terefos, we received the following assessment of Karma’s current state:

The Nemty onion leak page ‘Corporate Leaks’ is currently running on (Onion) version 2, which will be deprecated soon, and the last leak there was observed on the 20th of July. Karma’s leak page was created on the 22nd of May and the first leak happened on the 1st of September.

With the current data at hand, the Karma ransomware and its onion pages appear to be another rebrand of Nemty and Corporate Leaks. Code-wise, the main differences appear in the encryption algorithm, which is an area of experimentation for many ransomware authors.

Indeed, ‘Corporate Leaks’ went dormant around the same time that Karma Leaks emerged as the group’s latest data leak portal.

Notably, the current portal has also gone through a short period of inactivity lately, with the most recent victim listed there being from 20 days ago. All that said, Karma could be just a short-term station in the re-establishment of a long-running ransomware operation by a group that pretends to be less than it is.
