Due to a breach believed to be in the form of Karma ransomware,
we would like to confirm the situation and provide a warning as follows.

Karma ransomware

The ransomware in question is called Karma and appears to be changing all files with file name.extension.KARMA.

How it works

file version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in window properties]

Ransomware operation characteristics

• Based on the C++ console, a mutex is created internally with the name “KARMA” to prevent duplication, and a console-based window appears when operating. Attack targets include removable drives (USB and external hard drives), fixed drives (HDD and SSD), and drives added from the network. When completed, a specific image is created in a temporary folder and the desktop is replaced.

  
  [Figure 3 KARMA anti-duplicate mutex creation internal static code]

  
  [Figure 4 Static code executing ransomware and console screen during actual operation]

  
  [Figure 5 Desktop image created in temporary folder]

Infection results

The information file is created as <KARMA-ENCRYPTED.txt> in each folder, and the encrypted files are changed to <file name.extension.KARMA>.

[Figure 6 Infection results]

White Defender compatible

It supports real-time automatic restoration of files that will be encrypted before the malicious actions and blocking of White Defender ransomware.

[Figure 7 Block message]

Go to the Karma blocking video