Researchers have found evidence that Karma ransomware is the latest evolution or rebrand in a long chain of malware variants. Although the research focused mainly on comparing Karma with the Gangbang/Milihpen variants, it suggested that the chain started as JSWorm, which then became Nemty, Nefilim, Fusion, Milihpen, and Gangbang.

What has happened?

Recently, Sentinel Labs released a report based on eight samples of Karma ransomware, taken from various ransomware attacks in June. All the samples were related in some way to the Gangbang/Milihpen variants that were observed in January.
  • All these samples share similarities in the folders and file types they exclude and in their debug messages.
  • Another similarity was spotted when Karma and Gangbang samples were compared using BinDiff: the two use a very similar main() function.

The ever-evolving Karma

Besides these similarities with Gangbang and Milihpen, researchers identified incremental updates across the various versions of Karma, which show how it is gradually evolving.
  • While the earlier versions used the ChaCha20 encryption algorithm, the latest ones shifted to Salsa20.
  • Another update was the creation of a new thread for enumeration and encryption for reliable results.
  • Furthermore, the ransomware's developers added support for command-line parameters in the recent versions.

Is Karma the new Nemty?

During a private discussion with BleepingComputer, researchers revealed some additional information that helped them establish a link between Nemty and Karma.
  • The Nemty onion leak page (called Corporate Leaks) is based on Onion version 2, which will be deprecated soon.
  • At the same time, Karma’s leak page (called Karma Leaks) was created on 22 May and the first leak was spotted on 1 September.
  • This gradual fade-out of Nemty and the rise of Karma led researchers to suspect that Karma and its leak site are actually a rebrand of Nemty and its corresponding leak site.


It looks like ransomware groups are following the new trend of rebranding themselves to start fresh. The reason could be to increase their clout among their partners or to avoid scrutiny from law enforcement. This suggests that the associated threat actors are actively investing in the upkeep of these malware variants and may continue to do so in the near future as well.

Cyware Publisher