Karma Seeks Free Publicity to Fulfill Ransomware Destiny
Newcomer Wants Journalists to Publicize Victims, to Pressure Them Into Paying Ransom
A new and still little-known ransomware group has been pursuing a novel strategy to pressure victims into paying: Get journalists to try and name the businesses they've hit, to help pressure them into paying.
To wit, in a Wednesday email with a misspelled subject line - "They are hidding problems" - sent using the ProtonMail end-to-end encrypted email service, one Mel Smith told me that a "global medical device company," named in the email, had been hit by the Karma ransomware operation.
"This ransomware group that hacked seems new. Not much is known about them on the internet," Smith said.
Helpfully, the message included a link to Karma's Tor-based data leaks site, adding more details about the attack on the medical device company. "Few TB of internal data were stolen: documents, NDAs, personal data, financial info, all internal communication and many other. I see this could affect a lot of people and partners worldwide, but they preferred to do nothing, carefully masking the data breach," Smith said.
"Sorry for the proton email, but I want to keep privacy as I have a close relationship to the company. Please, confirm that you receive that email."
Confirming receipt, I asked the sender if he was in fact a member of the Karma operation.
"It doesn't matter, Mathew," he responded. "The only thing you should understand we can provide you exclusive information about ransomware targets which are going to be published. For example listings, some particular documents on demand, emails or (maybe) even chat logs about the payments."
The sender added: "We have a one single rule for you. Nothing from our communication should be posted. It should stay between us."
In Pursuit of Free Publicity
Clearly, Karma is looking for free publicity.
"This is a common tactic among new ransomware groups. They are trying to bring attention to themselves and, therefore, their victims as an attempt to force the companies to pay," says Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future. "There are so many extortion sites out there now that some of the smaller ones get lost in the shuffle so they don't get the same attention that a Clop or LockBit does."
"Multiple ransomware operations do press outreach in an attempt to further pressure victims," Brett Callow, a threat analyst at security firm Emsisoft, tells me. "Some also contact customers or business partners either by phone or by email."
Debut in July
Karma debuted recently. While there was ransomware of that name back in 2016, the new Karma began to show up in VirusTotal and other malware-spotting services in July, and only launched a leak site earlier this month, which so far lists few victims, Liska says.
Threat intelligence firm Cyble in August published a report on Karma, noting that the group was using both onionmail.org and protonmail.com accounts as contact points for victims. Cyble says Karma's crypto-locking malware, written in C/C++, is designed to infect Windows systems.
Seeking Pressure Points
Doing media outreach to publicize victims is just one way ransomware operations have been attempting to better pressure victims into paying a ransom, and Karma isn't the first to pursue this strategy.
"We call each target as well as their partners and journalists; the pressure increases significantly," Unknown, a core member of the REvil - aka Sodinokibi - operation, told Recorded Future early this year. "And after that, if you start publishing files, well, it is absolutely gorgeous. But to finish off with DDoS is to kill the company."
Since late 2019, many ransomware operations have engaged in double extortion, which refers to threatening to name and shame victims and leak their data. Some practice so-called triple extortion, which refers to hitting nonpaying victims with distributed denial-of-service attacks. Quadruple extortion, meanwhile, refers to attackers contacting a victim's customers or business partners to tell them that their data has been exposed and that the victim is refusing to pay the ransom demanded to safeguard their details.
Ever the innovators, some ransomware operations even use call centers to inform victims they've been hit, urging them to pay the ransom to restore operations.
Brand Building
Not just Unknown but other representatives from ransomware groups have regularly granted supposedly tell-all interviews to media outlets or appeared to spill their guts to threat intelligence firms.
Such efforts also appear to be designed to help ransomware-as-a-service operations build their brand, not least to recruit more affiliates. These are individuals who use their ransomware to infect victims, in return for a share of the ransom paid. With dozens of operations attacking victims, competition for affiliates remains fierce.
After Avaddon, Babuk, DarkSide and REvil appeared to go dark this past summer, other operations - including Conti, Groove and LockBit 2.0 - made a bid for their affiliates.
"We are in the first place in terms of the encryption speed and the speed of dumping the company data," "LockBitSupp," a representative of the latter group, said in a Russian-language interview with the Russian OSINT YouTube channel last month.
"The distribution and encryption processes are automated," and after LockBit's payload executes and hits the domain controller, "after the shortest period of time, the entire corporate network is encrypted," LockBitSupp boasted.
Many ransomware groups compete to recruit the most skilled affiliates for launching attacks, as well as initial access brokers for gaining access to victims, while targeting the biggest possible victims in pursuit of the largest ransoms. When it comes to competing with more established players for a bigger piece of the pie, clearly Karma will have its work cut out for it.