Privacy Ninja




New Karma Ransomware Group Likely A Nemty Rebrand


Threat analysts at Sentinel Labs have found evidence of the Karma ransomware being just another evolutionary step in the strain that started as JSWorm, became Nemty, then Nefilim, Fusion, Milihpen, and most recently, Gangbang.

The name Karma was used by ransomware actors back in 2016, but there is no relation between that group and the one that emerged this year.

JSWorm first appeared in 2019, and went through a series of rebrands over the next two years, while always retaining code similarities that were enough for researchers to make the connection. 


The evolution of JSWorm, Source: Kaspersky

Similarities go wide and deep

The report is based on the analysis of eight samples taken from an equal number of ransomware attacks in June 2021, all having notable code similarities to Gangbang and Milihpen variants that appeared around January 2021.

The similarities extend to the excluded folders and file types and to the debug messages used by the seemingly unrelated strains.

Various functional similarities between the two strains.
Source: Sentinel Labs

Another noteworthy similarity shows up when running a “bindiff” on Karma and Gangbang samples: the ‘main()’ function is almost unchanged.


Similarities in ‘main()’ function
Source: Sentinel Labs

The encryption scheme has evolved across the samples, with the earlier ones using the ChaCha20 encryption algorithm and the most recent samples switching to Salsa20.

Another change that was introduced along the way was to create a new thread for the enumeration and the encryption, possibly to achieve a more reliable outcome.

The authors of the malware have also added support for command line parameters in the latest versions.

All in all, the work on the malware and the tight compilation dates of the analyzed samples reflect the fact that Karma is currently under active development.

In terms of the victim communication and the extortion method, Karma follows the typical approach of dropping ransom notes, stealing data from compromised systems, and following up for a double-extortion process. 

Historically, Nemty targeted mostly Chinese firms in the engineering and manufacturing sector, leveraging exposed RDPs and published VPN exploits to infiltrate vulnerable networks.

Karma could be a temporary rebrand

In a private discussion that BleepingComputer had with the researcher who signs the analysis, Antonis Terefos, we got the following assessment on Karma’s current state:

The Nemty onion leak page ‘Corporate Leaks’ currently is running on (Onion) version 2 which will be deprecated soon, and the last leak there was observed on 20th of July. Karma’s leak page was created on 22nd of May and first leak occurred on the 1st of September. 

With the current data at hand, the Karma ransomware and its onion pages appear to be another rebrand of Nemty and Corporate Leaks. Code-wise the main differences appear on the encryption algorithm, which is an area of experimentation for many ransomware authors.

Indeed, ‘Corporate Leaks’ has gone dormant around the same time that Karma Leaks appeared as the group’s new data leak portal.

Notably, the new portal has also entered a short period of inactivity lately, with the most recent victim listed there being from 20 days ago.

All that said, Karma could be just a short-term station in the continuation of a long-term ransomware operation from a group that pretends to be less than they really are.


