

Karma Ransomware Removal – Restore Your Files (January 2017 Update)

[Image: VirusTotal detections of the fake Windows TuneUp sample, with signature names]

A malware researcher has recently discovered the Karma ransomware cryptovirus. The virus poses as a tune-up utility for Windows and is distributed as freeware. Once run, it encrypts your files and displays a ransom note with payment instructions; every encrypted file gets the .karma extension appended to its name. To see how to remove Karma ransomware and how to try to restore your files, read this .karma removal article through to the end.

Update January 2017. Unfortunately, Karma ransomware continues to plague users' computers, and it is likely to stay active. No decrypter has been released yet. Once the criminals have evaluated how well the current campaigns are doing, they may update the malware and release a new version; we have seen this happen many times. To stay protected, back up your files regularly and keep your system guarded.

Threat Summary

Name: Karma
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts your files and then displays a ransom note with payment instructions.
Symptoms: Encrypted files receive the .karma extension.
Distribution Method: Fake Windows TuneUp freeware and bundled installers; spam e-mails and e-mail attachments
Detection Tool: See if your system has been affected by Karma (download a malware removal tool)
User Experience: Join our forum to discuss Karma.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files; it may not recover all of the encrypted files, only some of them, depending on the situation and on whether you have reformatted your drive.

Karma Ransomware – Spread

The Karma ransomware can reach your computer in several ways. The most common distribution tactic is freeware and bundled packages: the ransomware uses a tune-up utility called Windows TuneUp as its cover. The website distributing the TuneUp utility looked like that of a legitimate software company promoting its product, as the picture below shows:

[Image: the windows-tuneup.com website offering the fake Windows TuneUp utility]

This website is now down and cannot be reached. Karma ransomware used to be downloaded from there; the payload file may now circulate on social media and file-sharing networks, and bundled setups of other freeware programs can carry the malicious files as well. Do not open files from suspicious sources such as unsolicited e-mails or links. Scan them with a security tool first, and check their size and digital signature before running them. You should also read the ransomware prevention tips in the forum topic.

Karma Ransomware – More About It

The Karma ransomware cryptovirus was recently found by a malware researcher who goes by the handle @TheWack0lian. Your files are encrypted and each of them receives the .karma extension. When the Karma ransomware executes its payload, it creates the following entries in the Windows Registry:

→HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer "auth"

→HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Saffron"= "%Desktop%\\# DECRYPT MY FILES #.html"

→HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Safron"= "%Desktop%\\# DECRYPT MY FILES #.txt"

These entries give the ransomware persistence across reboots. Note that the two Run values shown point at the ransom note files rather than at the malware executable, so their visible effect is that Windows reopens the note at every logon; the "auth" value under the Explorer key is a marker the malware leaves behind. After the registry changes your data is encrypted, and once encryption is complete the ransom note appears on your desktop. The demands are written to two files, # DECRYPT MY FILES #.txt and # DECRYPT MY FILES #.html, and the same note is loaded on screen as the ransom message.
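A quick way to confirm these artefacts on a suspect machine is to export the two registry keys (`reg export` on the host, or a hive parsed offline) and look for the values the article lists. The following is an added example, not code from the original article: it parses the REG_SZ subset of .reg syntax and flags the Karma indicators, and it also generalises slightly by flagging any Run value that launches a document instead of a program, since that is unusual regardless of the value name. The .reg text is constructed to resemble an infected host; the paths, the benign `SecurityHealth` entry and the `auth` data value `1` are assumptions.

```python
"""Triage check for Karma's registry indicators in a 'reg export' dump.

Added example, not from the original article. SAMPLE_REG is constructed to
look like an infected host; the value names Saffron/Safron and 'auth' and the
ransom-note file names come from the article, everything else is assumed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of what an export of the two keys might look like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"auth"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Saffron"="C:\\Users\\victim\\Desktop\\# DECRYPT MY FILES #.html"
"Safron"="C:\\Users\\victim\\Desktop\\# DECRYPT MY FILES #.txt"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

# Indicators taken from the article.
KARMA_RUN_NAMES = {"saffron", "safron"}
KARMA_NOTE_NAME = "# DECRYPT MY FILES #"
KARMA_EXPLORER_VALUE = "auth"

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data"; data may contain backslash escapes (\\ and \").
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and REG_SZ "name"="data" lines into {key: {name: data}}.

    Only the string-value subset of .reg syntax is handled; binary/DWORD
    lines are ignored. Backslash escapes in the data are undone.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            keys[current][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def find_karma_indicators(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for every matching entry."""
    hits: List[Tuple[str, str, str, str]] = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() in KARMA_RUN_NAMES:
            hits.append((RUN_KEY, name, data, "Run value name used by Karma"))
        elif KARMA_NOTE_NAME in data:
            hits.append((RUN_KEY, name, data, "Run value opens the Karma ransom note"))
        elif data.lower().endswith((".txt", ".html")):
            # Generalisation: a Run entry that launches a document rather than
            # an executable is suspicious whatever it is called.
            hits.append((RUN_KEY, name, data, "Run value points at a document, not a program"))
    explorer = reg.get(EXPLORER_KEY, {})
    if KARMA_EXPLORER_VALUE in explorer:
        hits.append((EXPLORER_KEY, KARMA_EXPLORER_VALUE, explorer[KARMA_EXPLORER_VALUE],
                     "Explorer 'auth' marker written by Karma"))
    return hits


if __name__ == "__main__":
    for key, name, data, reason in find_karma_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: {key}\\{name} = {data}")
```

On a live machine, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the Explorer key likewise); the export is written as UTF-16, so open it with that encoding before passing the text in. Removing the Run values stops the note from reopening but does not decrypt anything, and the malware binary itself still has to be located and removed.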

You can see the ransom note in the image below:

[Image: Karma ransom note]

The ransom note reads the following:

KARMA

################################################################

Is the content of the files that you looked for not readable?
It is normal because the data in your files have been encrypted.

Great!!!

You have turned to be a part of a big community #karma Ransomware.
Continue reading because this is the only way out.

################################################################

!!! If you are reading this message it means the software
!!! “karma Ransomware” has been removed from your computer.

################################################################

What is encryption?
—————-

Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.

To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.

But not only it.

It is required also to have the special decryption software (in your case “karma Decryptor” software) for safe and complete decryption of all your files and data.

################################################################

Everything is clear for me but what should I do?
——————————————–

The first step is reading these instructions to the end.
Your files have been encrypted with the “karma Ransomware” software; the instructions (“# DECRYPT MY FILES #.html”) in the folders with your encrypted files are not viruses, they will help you.

After reading this text the most part of people start searching the Internet the words the “karma Ransomware” where they find a lot of ideas, recommendations and instructions.

It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.

When you make a puzzle but some items are lost, broken or not in its place – the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.

You should realize that any intervention of the third-party software to restore files encrypted with the “karma Ransomware” software may be fatal for your files.

There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.

For your information the software to decrypt your files (as well as the private key provided together) are paid products.

The ransom note closely resembles the one used by CerberTear ransomware.

Currently, the known Command and Control (C&C) servers associated with the ransomware are not responding. That means that if you are hit by this ransomware, paying the cybercriminals is futile, and you should not even consider it: it would only fund them, and with the servers down there is no channel through which a key could be delivered. Read on to find out whether you can restore your files.

The Karma ransomware encrypts files and appends the .karma extension to all of them. The encryption algorithm reported to be in use is AES. The list of file extensions that the virus seeks to encrypt is given below:

→.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3gp2, .3gpp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accda, .accdb, .accdc, .accde, .accdr, .accdt, .accdu, .accdw, .ace, .ach, .acr, .act, .adb, .ade, .adn, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .amr, .aoi, .apj, .apk, .arj, .arw, .asax, .ascx, .asf, .ashx, .asm, .asmx, .asp, .aspx, .asset, .asx, .atb, .au, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .bz, .bz2, .c, .caf, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .cshtml, .csl, .csproj, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .dochtml, .docm, .docx, .docxml, .dot, .dothtml, .dotm, .dotx, .drf, .drw, .dsw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .fdf, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fs, .fsi, .fsproj, .fsscript, .fsx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .gz, .h, .hbk, .hdd, .hpp, .htaccess, .html, .htpasswd, .ibank, .ibd, .ibz, .idx, .iff, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .ipsw, .iqy, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lha, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .lzh, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .master, .max, .mbx, .md, .mda, .mdb, .mdc, .mdf, .mdp, .mdt, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp2, .mp2v, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpeg, .mpg, .mpg, .mpga, .mpv, .mpv2, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, 
.odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .onepkg, .onetoc, .onetoc2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pdfxml, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm, .pm!, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .pothtml, .potm, .potm, .potx, .ppam, .pps, .ppsm, .ppsm, .ppsx, .ppt, .ppthtml, .pptm, .pptm, .pptx, .pptxml, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .pwz, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r00, .r01, .r3d, .raf, .ram, .rar, .rat, .raw, .rax, .rdb, .re4, .resx, .rm, .rmm, .rmvb, .rp, .rpt, .rt, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .settings, .sh, .sldm, .sldx, .slk, .slm, .sln, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tax, .tbb, .tbk, .tbn, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .utorrent, .vb, .vbe, .vbhtml, .vbox, .vbproj, .vbs, .vcf, .vcproj, .vcs, .vcxproj, .vdi, .vdx, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .vsix, .vss, .vst, .vsx, .vtx, .wab, .wad, .wallet, .war, .wav, .wb2, .wbk, .web, .wiz, .wm, .wma, .wmf, .wmv, .wmx, .wpd, .wps, .wsf, .wvx, .x11, .x3f, .xdp, .xis, .xla, .xla, .xlam, .xlk, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsb, .xlshtml, .xlsm, .xlsm, .xlsx, .xlt, .xltm, .xltm, .xltx, .xlw, .xlw, .xml, .xps, .xslt, .xxx, .ycbcra, .yuv, .zip

Source: BleepingComputer

The Karma cryptovirus is very likely to erase the Shadow Volume Copies on Windows by running the command below, which silently removes the restore points that built-in file recovery relies on:

→vssadmin.exe delete shadows /all /Quiet
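Because the command is run with the victim's own tools, it shows up clearly in process-creation telemetry, and a detection on it fires before or during encryption rather than after. The following is an added example, not code from the original article: it scans constructed process-creation log lines (written in a simplified Sysmon Event ID 1 style with `ParentImage`, `Image` and `CommandLine` fields) for shadow-copy deletion. It goes beyond the article in one respect: besides the `vssadmin delete shadows` form shown above it also matches the `wmic shadowcopy delete` variant that other ransomware families use. The field layout, the parent process name `WindowsTuneUp.exe` and the paths are assumptions for the sample data.

```python
"""Detect Volume Shadow Copy deletion in process-creation logs.

Added example, not part of the original article. SAMPLE_EVENTS are constructed
log lines in a simplified Sysmon Event ID 1 layout; adapt parse_event() to the
schema your SIEM actually emits.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events: a benign vssadmin use, the Karma-style deletion
# from the article, the wmic variant, and an unrelated process.
SAMPLE_EVENTS = [
    'EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe '
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows"',
    'EventID=1 ParentImage=C:\\Users\\victim\\Downloads\\WindowsTuneUp.exe '
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /Quiet"',
    'EventID=1 ParentImage=C:\\Users\\victim\\Downloads\\WindowsTuneUp.exe '
    'Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'EventID=1 ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into a field dict, stripping quotes from quoted values."""
    fields: Dict[str, str] = {}
    for key, val in _FIELD_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def is_shadow_copy_deletion(cmdline: str) -> Optional[str]:
    """Return a short technique label if cmdline deletes shadow copies, else None.

    Matching is on normalised tokens (lower-cased, leading / or - removed) so
    that /all, -all, /Quiet and /quiet are all treated alike.
    """
    tokens = [t.lower().lstrip("/-") for t in cmdline.split()]
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1]          # drop any directory prefix
    if exe in ("vssadmin", "vssadmin.exe") and "delete" in tokens and "shadows" in tokens:
        silent = " (silent)" if "quiet" in tokens else ""
        return "vssadmin delete shadows" + silent
    if exe in ("wmic", "wmic.exe") and "shadowcopy" in tokens and "delete" in tokens:
        return "wmic shadowcopy delete"
    return None


def find_shadow_deletions(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event whose command line deletes shadow copies."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        label = is_shadow_copy_deletion(ev.get("CommandLine", ""))
        if label:
            alerts.append({
                "technique": label,
                "parent": ev.get("ParentImage", "?"),
                "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"{alert['technique']}: parent={alert['parent']} cmd={alert['cmdline']!r}")
```

The parent process is the useful pivot: backup software and administrators do occasionally delete shadow copies, but a freshly downloaded installer spawning `vssadmin.exe delete shadows /all /quiet` is what a ransomware infection looks like, and the same event carries the path of the binary that needs to be pulled for analysis.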

Read on to find out what kinds of methods you can try to restore at least some of your files.

Remove Karma Ransomware and Restore .karma Files

If your computer has been infected with the Karma ransomware, removing it calls for some experience with malware. Get rid of the ransomware as fast as possible, before it has the chance to spread further and infect more computers, by following the step-by-step instructions below. For the ways in which you can try to recover your data, see the step titled 2. Restore files encrypted by Karma.

Manually delete Karma from your computer

Note! Important notice about the Karma threat: manual removal of Karma requires changes to system files and the registry, so it can damage your PC if done wrong. Even if your computer skills are not at a professional level, don't worry; you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Karma files and objects
2. Find malicious files created by Karma on your PC

Automatically remove Karma by downloading an advanced anti-malware program

1. Remove Karma with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Karma
Optional: Use alternative anti-malware tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
