Karma
Inactive ransomware operator
7 victims indexed · first seen 5 years ago · last activity 5 years ago
At a glance
- Status: inactive
- First seen: 5 years ago
- Last activity: 5 years ago
- Onion sites: 1 known endpoint
About
References
9 links. External sources curated by the MISP threat-intel community.
- ransomlook.io/group/karma
- blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
- blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware
- news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728
- news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/
- sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/
- symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- youtube.com/watch?v=hgz5gZB3DxE
Timeline
1 month
MITRE ATT&CK
63 techniques · 15 tactics
Techniques
- T1003.001 LSASS Memory
- T1005 Data from Local System
- T1021.001 Remote Desktop Protocol
- T1027.015 Compression
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1041 Exfiltration Over C2 Channel
- T1047 Windows Management Instrumentation
- T1059.001 PowerShell
- T1059.006 Python
- T1071.001 Web Protocols
- T1072 Software Deployment Tools
- T1074 Data Staged
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1078.004 Cloud Accounts
- T1082 System Information Discovery
- T1087.002 Domain Account
- T1098 Account Manipulation
- T1102 Web Service
- T1105 Ingress Tool Transfer
- T1110 Brute Force
- T1110.001 Password Guessing
- T1110.004 Credential Stuffing
- T1113 Screen Capture
- T1114.002 Remote Email Collection
- T1119 Automated Collection
- T1123 Audio Capture
- T1125 Video Capture
- T1133 External Remote Services
- T1190 Exploit Public-Facing Application
- T1199 Trusted Relationship
- T1204.002 Malicious File
- T1213.002 Sharepoint
- T1219.002 Remote Desktop Software
- T1484.001 Group Policy Modification
- T1485 Data Destruction
- T1486 Data Encrypted for Impact
- T1490 Inhibit System Recovery
- T1547.001 Registry Run Keys / Startup Folder
- T1552.002 Credentials in Registry
- T1560.001 Archive via Utility
- T1561.001 Disk Content Wipe
- T1561.002 Disk Structure Wipe
- T1564.003 Hidden Window
- T1566 Phishing
- T1572 Protocol Tunneling
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1583.004 Server
- T1583.006 Web Services
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1587.001 Malware
- T1588.001 Malware
- T1588.002 Tool
- T1589 Gather Victim Identity Information
- T1595.002 Vulnerability Scanning
- T1651 Cloud Administration Command
- T1657 Financial Theft
- T1679 Selective Exclusion
- T1684.001 Impersonation
- T1686.003 Windows Host Firewall
Recent victims
Onion infrastructure
1 known
- http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion
Source
Updated 5 years ago. Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.
