Karma, a recently discovered ransomware, is leveraging journalists to name the institutions targeted by the ransomware. It is an attempt to force victim organizations into paying the ransom to save their reputation.

What has happened?

Recently, an email from a user named Mel Smith was sent to a journalist from DataBreachToday, describing an attack on a global medical devices firm.
  • The email claimed to have information regarding a medical device-making firm targeted by Karma ransomware.
  • The message inside the email body had a link to Karma's Tor-based data leak site. This site had additional information regarding the attack.
  • The attackers claimed to have stolen a few terabytes of internal data such as documents, NDAs, and personal data. Further, the email claims that the firm is hiding the data breach.

Goals for expansion and publicity

According to researchers, such tactics are not unique as various groups have been observed trying similar tactics to pressurize their victims.
  • Looking for exposure to media for publicizing victims has already been tried by REvil group in March this year. 
  • Karma was discovered recently and started to show up in VirusTotal and other malware-spotting services in July. Additionally, it launched a leak site just a month ago with a list of few victims. So probably now this group is also trying to expand its business to the next levels.


Experts opine that Karma, with its new tactic, can be a potential threat to major organizations. For better protection, organizations are recommended to increase staff awareness about phishing attacks, create offline backups, and monitor large file uploads.

Cyware Publisher