The security expert slipstream/RoL has stumbled across a ransomware sample called Karma, which targets users while disguised as a Windows optimization program named Windows-TuneUp. Moreover, this sample is bundled software that would potentially be spread by the pay-per-install software monetization company when a user downloads and installs free software on their computer.
Researchers are constantly warning of how dangerous bundled software has become, and what is worse is that it keeps evolving by the minute. When a user installs a free program that is monetized by this software monetization company, the chances are they will receive an offer for a Windows optimization program called Windows-TuneUp. The bad news is that the majority of people do not realize what kind of danger these programs pose, and they believe that the tool will help optimize their machine as advertised. However, things don't go that way.
When a user runs the program, it displays a screen showing various computer statistics and other tools which should improve the overall computer performance... supposedly. Moreover, if the users decide to check out the program's official website, they will be greeted by a page which seems to be a legitimate one. However, while the victims are taken in by Windows-TuneUp's deceptions, what the malicious tool does in the background is encrypt all of their data on the PC and the connected drives. Only when the encryption is done and the ransom note is dropped do the users realize they have been fooled and infected with ransomware.
Once executed, the Karma ransomware checks if the program is running on a virtual machine and, if so, it terminates the program and states that it is not compatible with the computer. If a virtual machine is not detected, it connects to the C&C server and gets the encryption key needed for the encryption process. Then, it scans all drives, network-connected ones included, searching for files to encrypt. It uses the AES encryption algorithm and appends the ".karma" extension to the end of all locked files.
For instance, a file named "test.jpg", after being locked, becomes "test.jpg.karma". When the encryption process is complete, Karma drops ransom notes on the Desktop, named "# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt". Finally, the ransomware creates a Scheduled Task called pchelper, which automatically runs Windows-TuneUp.exe after it has been closed.
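The host-level traces described above (the ".karma" extension, the two ransom notes on the Desktop, the pchelper scheduled task and the Windows-TuneUp.exe process) can be checked for with a short triage script. The following PowerShell is an added example written for this article, not code from the researcher or from the malware; the scan root, the output format and the process-name check are assumptions of this example, while the indicator values come from the article.

```powershell
# Added triage example: look for the Karma / Windows-TuneUp traces named in the article.
# Assumptions (this example's own): scan the user profile by default; report, don't remediate.
param(
    [string[]]$ScanRoots = @("$env:USERPROFILE"),  # assumption: where to look for .karma files
    [string]$TaskName    = 'pchelper'              # scheduled task name from the article
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: the article says Karma creates a Scheduled Task "pchelper"
#    that relaunches Windows-TuneUp.exe after it has been closed.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task '$TaskName' present (state: $($task.State)); action(s): $actions")
}

# 2. The dropper process itself, if it is still running (assumed process name = exe name).
$proc = Get-Process -Name 'Windows-TuneUp' -ErrorAction SilentlyContinue
if ($proc) { $findings.Add("Windows-TuneUp.exe running (PID $(($proc | Select-Object -First 1).Id))") }

# 3. Encryption artefacts: files renamed with a trailing ".karma" extension.
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $encrypted = @(Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.karma' -ErrorAction SilentlyContinue)
    if ($encrypted.Count -gt 0) {
        $findings.Add("$($encrypted.Count) .karma file(s) under $root (e.g. $($encrypted[0].FullName))")
    }
}

# 4. Ransom notes dropped on the Desktop.
$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($note in '# DECRYPT MY FILES #.html', '# DECRYPT MY FILES #.txt') {
    $path = Join-Path $desktop $note
    if (Test-Path -LiteralPath $path) { $findings.Add("Ransom note found: $path") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Karma / Windows-TuneUp indicators found.'
} else {
    Write-Output 'Possible Karma ransomware activity:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Get-ScheduledTask requires the ScheduledTasks module (Windows 8 / Server 2012 or later); on older hosts, query the task with schtasks.exe instead.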
Luckily, the ransomware's Command & Control server has already been taken down, so no more victims will be infected even if the ransomware is still being spread. The main point here is that, usually, free software downloads are dangerous and the offers they present are fake. Experts recommend installing only programs which don't conceal PUPs or adware in them.