SentinelLabs threat researchers found evidence that the Karma ransomware is merely another mutation of the strain that began as JSWorm and evolved into Nemty, then Nefilim, Fusion, Milihpen, and Gangbang.
Ransomware operators used the moniker Karma in 2016, but there is no connection between that gang and the one that surfaced this year.
JSWorm debuted in 2019 and went through several rebrandings over the next two years, but the code remained similar enough for researchers to connect the dots.
The findings are based on an examination of eight samples collected from an equal number of ransomware operations in June 2021. All of them show significant code overlap with the Gangbang and Milihpen variants that first surfaced in January 2021.
The similarity extends to the excluded directories, file formats, and debug messages used by these apparently unrelated strains.
Another striking resemblance appears when Karma and Gangbang samples are compared with BinDiff, which reveals a nearly identical main() function.
The encryption scheme has evolved across the samples: the older ones use ChaCha20, while the most recent ones have moved to Salsa20.
Another adjustment made along the way is the use of a separate thread for file enumeration and encryption, which likely makes the process more reliable. The most recent versions of the malware also add support for command-line arguments.
Overall, the malware's progression and the closely spaced compilation dates of the examined samples indicate that Karma is still under active development.
For victim communication and extortion, Karma follows the standard playbook: it drops ransom notes, steals data from infected machines, and follows up with double extortion.
In the past, Nemty primarily targeted Chinese engineering and manufacturing businesses, gaining access to weak networks through exposed RDP services and publicly known VPN vulnerabilities.