Updated: Karma Ransomware Virus (Removal Steps and Protection Updates)

The Karma ransomware is a dangerous malware made by a developer known as SAFFRON-WOLF that has recently appeared. Learn more more it and how to remove active infections from your computer by following our guide.


Name
Karma

File Extensions
.karma

Ransom
0.5 Bitcoins

Solution #1
You can skip all steps and remove Karma with the help of an anti-malware tool.

Solution #2
Karma ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.

Distribution
Spam Email Campaigns, Exploit kits, malicious ads & etc.

Karma Ransomware Description

The Karma ransomware is a new threat developed by the criminal developer under the alias SAFFRON-WOLF which is of unknown origin. Upon infection it encrypts target user files and crafts a ransom note. In it the criminal operator extorts the ransom sum of 0.5 Bitcoins to restore access to the compromised files.
The full list of affected file types includes the following:

.1cd, .3dm, .3fr, .3g2, .3gp, .3gp2, .3gpp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accda, .accdv, .accdc, .accde, .accdr, .accdt, .accdu, .accdw, .ace, .ach, .acr, .adb, .ade, .adn, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .amr, .aoi, .apj, .apk, .arj, .arw, .asax, .ascx, .asf, .ashx, .asm, .asmx, .asp, .aspx, .asset, .asx, .atb, .au, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .bz, .bz2, .c, .caf, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfm, .cgm, .

ib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .cshtml, .csl, .csproj, .css, .csv, .d3bbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw,
.dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dngm .doc, .dochtml, .docm, .doccx, .docxml, .dot,
.dothtml, .dotm, .dotx, .drf, .drw, .dsw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb,
.fdf, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fs, .fsi, fsproj, .fsscript, .fsx, .fxg, .gbr, .gho,
.gif, .gray, .grey, .groups, .gry, .gz, .h, .hbk, .hdd, .hpp, .htaccess, .html, .htpasswd, .ibank. ibd, .ibz, .idx,
.iff, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .ipsw, .iqy, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .jpeg, .js, .json, .k2p,
.kc2, .kdbx, .kdc, .key, .kpdx, .hwm, .laccdb, .lbf, .lck, .ldf, .lha, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua,
.lzh, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .master, .max, .mbx, .md, .mda, .mdb,
.mdc, .mdf, .mdp, .mdt, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp2,
.mp2v, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpeg, .mpg, .mpg,. mpg, .mpg, .mpv, .mpv2, .mrw, .msf, .msg, .myd,
.nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf,
.oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .onepkg, .onetoc, .onetoc2,
.orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, pbd, .pcd, .pct, .pdb, .pdd,
.pdf, .pdfxml, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm\1, .pm, .pmi, .pmj, .pml, .pmm, .pmo,
.pmr, .pnc, .pnd, .png, .pnx, .pot, .pothtml, .potm, .potm, .potx, .ppam, .pps, .ppsm, .ppsm, .ppsx, .ppt,
.ppthtml, .pptm, .pptm, .pptx, .pptxml, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm,
.pwz, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r00, .r01, .r3d, .raf, .ram, .rar,
.rat, .raw, .rax, .rdb, .re4, .resx, .rm, .rm, .rmvb, .rp, .rpt, .rt, .rpt, ..rt, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe,
.sas7dbat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .settomgs, .sh, .sldm, .sldx, .slk, .slm, .sin, .sql, .sqlite,
.sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .ses, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std,
.sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tax, .tbb, .tbk, .tbn, .tex, .tga,
.vcs, .vcxproj, ,vdi, .vdx, .vhd, .vhdx, .vmdbk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .vsix, .vss, .vst, .vsx, .vtx,
.wab, .wad, .wallet, .war, .wav, .wb2, .wbk, .web, .wiz, .wm, .wma, .wmf, .wmv, .wmx, .wpd, .wps, .wsf, .wvx,
.x11, .x3f, .xdp, .xis, xla, .xla, .xlam, .xlk, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsb, .xlshtml, .xlsm, .xlsm, .xlsx,
.xlt, .xltm, .xltx, .xlw, .xml, .xps, .xslt, .xxx, .ycbcra, .yuv, .zip

In addition the Karma ransomware virus modifies some of the values stored in the Windows registry:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer “auth”
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “Saffron” = “%Desktop%\\# DECRYPT MY FILES #.html”
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “Safron” = %Desktop%\\# DECRYPT MY FILES # .txt

The two ransom notes that are created – # DECRYPT MY FILES in TXT and HTML format contain the following ransom message:

KARMA

Is the content of the files that you looked for not readable?
It is normal because the data in your files have been encrypted.
Great!!!
You have turned to be a part of a big community #karma Ransomware.
Continue reading because this is the only way out.

!!! If you are reading this message it means the software
!!! “karma Ransomware” has been removed from your computer.

What is encryption?
Encryption is a reversible modification of a information for security
reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely
reversible (in other words to have a possibility to decrypt your files)
you should have an individual private key.
But not only it.
It is required also to have the special decryption software
(in your case “karma Decryptor” software) for safe and complete
decryption of all your files and data.

Everything is clear for me but what should I do?
The first step is reading these instructions to the end.
Your files have been encrypted with the “karma Ransomware”software; the
instructions (“#DECRYPT MY FILES #.html) on the desktop
with your encrypted files is not a virus, it will help you.
After reading this text the most part of people start searching in the
Internet the words “karma Ransomware” where they find a lot of
ideas recommendations an instructions.

The Karma Ransomware also has been found to skip all folders that cointain the following strings:

\$recycle.bin\
\$windows.~bt\
\boot\
\drivers\
\program files\
\program files (x86)\
\programdata\
\users\all users\
\windows\
\appdata\local\
\appdata\locallow\
\appdata\roaming\
\public\music\sample music\
\public\pictures\sample pictures\
\public\videos\sample videos\
\tor browser\

Karma Ransomware Distribution

Update: The security expert slipstream/RoL has discovered that the Karma Ransomware poses as a operating system optimization program called Windows-TuneUp. The samples were actually distributed via a pay-per install software source which generates income for the criminal operators. Such schemes use freeware software that are disguisesd as premium commercial software that requires a payment to be downloaded, installed or used.

The Karma ransomware is distributed mainly across English-speaking countries targeting both individual users and businesses. The usual infection methods are employed – spam email campaigns, Trojans and browser hijackers that serve the dangerous binary files.

karma-ransomware-note-bss-image

Karma Ransomware Removal

For a faster solution, you can run a scan with an advanced malware removal tool and delete Karma completely with a few mouse clicks.

STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.

    1) Hit WIN Key + R

Windows-key-plus-R-button-launch-Run-Box-in-Windows-illustrated

    2) A Run window will appear. In it, write “msconfig” and then press Enter
    3) A Configuration box shall appear. In it Choose the tab named “Boot
    4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
    5) Apply -> OK

Or check our video guide – “How to start PC in Safe Mode with Networking

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on “Organize” button
      – Select “Folder and search options
      – Select the “View” tab
      – Go under “Hidden files and folders” and mark “Show hidden files and folders” option

    3) Windows 8/ 10

      – Open “View” tab
      – Mark “Hidden items” option

    show-hidden-files-win8-10

    4) Click “Apply” and then “OK” button

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Get over to “Processes
    3) When you find suspicious process right click on it and select “Open File Location
    4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process
    5) Next you should go folder where the malicious file is located and delete it

STEP IV: Remove Completely Karma Ransomware Using SpyHunter Anti-Malware Tool

Manual removal of Karma requires being familiar with system files and registries. Removal of any important data can lead to permanent system damage. Prevent this troublesome effect – delete Karma ransomware with SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

STEP V: Repair Windows Registry

    1) Again type simultaneously the Windows Button + R key combination
    2) In the box, write “regedit”(without the inverted commas) and hit Enter
    3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
    4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Further help for Windows Registry repair

STEP VI: Recover Encrypted Files

    1) Use present backups
    2) Restore your personal files using File History

      – Hit WIN Key
      – Type “restore your files” in the search box
      – Select “Restore your files with File History
      – Choose a folder or type the name of the file in the search bar

    restore-your-personal-files-using-File-History-bestecuritysearch

      – Hit the “Restore” button

    3) Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps

restore-files-using-system-restore-point

STEP VII: Preventive Security Measures

    1) Enable and properly configure your Firewall.
    2) Install and maintain reliable anti-malware software.
    3) Secure your web browser.
    4) Check regularly for available software updates and apply them.
    5) Disable macros in Office documents.
    6) Use strong passwords.
    7) Don’t open attachments or click on links unless you’re certain they’re safe.
    8) Backup regularly your data.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *