karma

Karma is a ransomware group first observed in November 2021, operating a double-extortion model that combines data theft with encryption. The group primarily targets enterprises across various sectors, including healthcare, manufacturing, and technology, with confirmed victims in North America, Europe, and Asia. Karma is believed to be a rebrand or evolution of the FiveHands ransomware, itself derived from the earlier HelloKitty codebase, based on overlaps in encryption methods and ransom portal design. The ransomware appends the .KARMA extension to encrypted files and leaves ransom notes named KARMA-README.txt, directing victims to a Tor-based negotiation site. Initial access is typically obtained through compromised VPN credentials, exploitation of vulnerabilities in public-facing systems, and use of access brokers. Unlike some groups, Karma operators claim to avoid encrypting systems in healthcare emergency services, instead focusing on exfiltration and extortion.