
Cybercrime, Karma ransomware group exploits the JSWorm legacy

Sentinel Labs: Karma ransomware group exploits the JSWorm legacy. The malware seems to be an evolution of Nemty, Nefilim, Fusion, Milihpen and Gangbang. If victims don’t pay, the stolen information ends up on a data leak site

Karma is a new ransomware group that probably exploits the JSWorm legacy: Nemty, Nefilim, Fusion, Milihpen and, most recently, Gangbang. It was discovered by Sentinel Labs cybersecurity experts. The ransom notes are base64-encoded in the binary and dropped on the victim machine with the filename “KARMA-AGREE.txt” or, in later samples, “KARMA-ENCRYPTED.txt”. Each sample observed offers three contact emails, one for each of the mail providers onionmail, tutanota, and protonmail. The contact emails are unique to each sample, suggesting that they serve as per-victim communication channels. The notes contain no other unique ID or victim identifier of the kind sometimes seen in notes used by other cybercrime groups. In common with other operators, however, the Karma ransom demand threatens to leak victim data if the victim does not pay. The note also gives the address of a common leak site where the data will be published.
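For triage, the note layout described above (a base64-encoded note carrying one contact address at each of the three providers) can be checked statically. The following is an added example, not code from Sentinel Labs or from this article; it assumes the note is stored as one contiguous standard-base64 ASCII run and that each provider name appears in the address domain, and the sample bytes and addresses are constructed.

```python
import base64
import re

PROVIDERS = ("onionmail", "tutanota", "protonmail")  # named in the article
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")   # long runs only
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decoded_text_blobs(data: bytes):
    """Yield text decoded from long base64 runs embedded in raw file bytes."""
    for match in B64_RUN.finditer(data):
        run = match.group()
        run = run[: len(run) - len(run) % 4]  # keep a valid base64 length
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and non-UTF-8 payloads
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            yield text


def karma_note_contacts(data: bytes):
    """Return the contact emails of an embedded note that lists an address
    at each of the three providers; an empty list means no match."""
    for text in decoded_text_blobs(data):
        emails = sorted(set(EMAIL.findall(text)))
        domains = [e.split("@", 1)[1].lower() for e in emails]
        if all(any(p in d for d in domains) for p in PROVIDERS):
            return emails
    return []


# Constructed sample: fake note text, addresses on reserved .example domains.
_NOTE = (
    "Your files are encrypted.\n"
    "Contact: ch7@onionmail.example, ch7@tutanota.example, "
    "ch7@protonmail.example\n"
)
SAMPLE = b"MZ\x90\x00" + base64.b64encode(_NOTE.encode()) + b"\x00\x00"
BENIGN = b"MZ\x90\x00" + base64.b64encode(
    b"plain configuration text with no contact addresses") + b"\x00"

if __name__ == "__main__":
    print(karma_note_contacts(SAMPLE))
```

Because the addresses differ per sample, the returned list is useful for grouping samples by victim channel rather than as a blocklist.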
