Karma (MedusaLocker): The Ransomware That Strikes After It Owns the Network

Threat Name: Karma (MedusaLocker variant)
Discovery Date: January 15, 2026
Threat Category: Enterprise Ransomware with Data Exfiltration
Extortion Model: Dual-pressure (encryption + data leak)
Primary Targets: Mid-to-large enterprises
Encryption Method: Hybrid AES + RSA


Executive Summary

Karma ransomware is a sophisticated enterprise-focused ransomware operation observed in January 2026. Unlike opportunistic ransomware campaigns, Karma incidents demonstrate deliberate, patient intrusion tactics designed to maximize business disruption and extortion leverage.

The attackers do not immediately deploy ransomware. Instead, they gain access using stolen credentials, quietly explore the environment, steal sensitive data, disable backups, and only then launch encryption. By the time victims become aware, the breach has already escalated into both a ransomware event and a confirmed data breach.

Karma uses a dual-pressure extortion strategy. Victims are pressured not only by system unavailability due to encryption but also by credible threats to publicly release stolen data. This significantly increases legal, regulatory, and reputational risk.


What Happened

The incident began with attackers accessing the organization using legitimate credentials. Because the login appeared valid, no immediate alerts were triggered. Over the following days, the attackers moved freely within the environment, learning where critical systems and sensitive data were stored.

They focused on identifying file servers, backups, and administrative accounts. During this period, data was quietly copied out of the network. This activity blended in with normal traffic and went unnoticed.

Once the attackers confirmed that they had both sensitive data and the ability to disrupt recovery, they deployed the ransomware. Systems across the environment became inaccessible almost simultaneously. Ransom notes appeared on servers and workstations, informing the organization that files had been encrypted and data stolen.

At this point, the organization was facing:

  • Operational downtime
  • A confirmed data breach
  • A ransom demand with a deadline
  • Threats of public data exposure

How It Happened

Phase 1 – Initial Access

Karma operators typically gain access through identity compromise, not software exploits.

Common entry paths include:

  • Phishing emails that harvest VPN, email, or cloud credentials
  • Remote access portals without MFA
  • Reused passwords across services
  • Compromised third-party vendor accounts
  • Stolen OAuth tokens or API credentials in cloud environments

No malware is required at this stage. Attackers authenticate using real accounts.


Phase 2 – Establishing Foothold & Persistence

Once inside:

  • Attackers create scheduled tasks or services that appear legitimate
  • Persistence is placed in user-writable directories to evade detection
  • Native tools are used instead of custom malware

This phase is intentionally quiet.


Phase 3 – Internal Reconnaissance

Attackers enumerate:

  • Active Directory structure
  • Privileged groups
  • File servers and shares
  • Backup systems and snapshot locations
  • Cloud storage and identity roles

This information is used to plan lateral movement and backup disruption.


Phase 4 – Privilege Escalation & Lateral Movement

Techniques observed:

  • Credential harvesting from memory
  • Abuse of service accounts
  • Token impersonation
  • Admin share access
  • Remote execution via built-in management tools

The goal is domain-level or tenant-level control.


Phase 5 – Data Exfiltration

Before encryption, sensitive data is stolen.

Common data targeted:

  • HR and payroll data
  • Financial records
  • Legal documents
  • Customer databases
  • Internal email archives
  • Source code and intellectual property

Data is compressed, encrypted, and exfiltrated in chunks to avoid detection.


Phase 6 – Backup Disruption

Attackers attempt to remove recovery options:

  • Shadow copies deleted
  • Backup agents stopped
  • Snapshot retention reduced
  • Cloud backups disabled or encrypted

This ensures maximum leverage.


Phase 7 – Encryption & Extortion

The ransomware payload is deployed widely and quickly. Ransom notes are dropped across the environment, and victims are instructed to contact the attackers through provided channels.

The extortion phase begins immediately.


Payloads and Tools Used

Karma is not a single executable. It is a toolset.

Components include:

  • Initial access scripts
  • Reconnaissance scripts
  • Credential harvesting utilities
  • Data compression and transfer tools
  • Encryption payload
  • Persistence mechanisms
  • Ransom note generator

Most tools are either built-in OS utilities or lightly modified binaries to avoid signature detection.


Encryption Mechanics

Karma uses a hybrid encryption model:

  1. Each file is encrypted with a unique AES key
  2. AES keys are encrypted with the attacker’s RSA public key
  3. Encrypted AES keys are stored with the files
  4. Only the attacker’s private RSA key can decrypt them

This design:

  • Makes decryption without the key computationally infeasible
  • Prevents recovery via file comparison or key reuse
  • Ensures each victim and file is uniquely encrypted

Dual-Pressure Extortion Model

Karma operators apply pressure through:

  • System encryption and downtime
  • Threats to leak stolen data
  • Proof-of-leak samples
  • Countdown timers
  • Threats of increasing ransom amounts

Data leaks are often staged to escalate pressure.


Impacted Systems and Industries

Commonly impacted industries:

  • Healthcare
  • Finance and insurance
  • Manufacturing
  • Legal services
  • Technology and SaaS
  • Education and research

Systems impacted:

  • File servers
  • Domain controllers
  • Backup servers
  • Cloud storage
  • Email systems
  • ERP and accounting platforms

Indicators of Compromise (IOC Package)

File-Based IOCs

READ_KARMA.txt
KARMA_RECOVERY.html
HOW_TO_RESTORE_FILES.txt

Encrypted extensions:

.karma
.medusa
.karma_locked
.enc

Drop paths:

C:\ProgramData\karma\
C:\Users\<user>\AppData\Roaming\karma\

Process IOCs

karma.exe
svc.exe
winhost.exe
update.exe

Suspicious parent-child relationships:

powershell.exe → karma.exe
cmd.exe → karma.exe

Registry IOCs

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KarmaSvc
HKLM\SYSTEM\CurrentControlSet\Services\KarmaSvc

Scheduled Tasks

KarmaUpdate
WindowsTelemetrySvc

Backup Sabotage Commands

vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet

Identity & Log Indicators

  • Admin logins outside business hours
  • Service accounts used interactively
  • MFA disabled shortly before incident

Windows Security event IDs worth correlating:

  • 4624 – successful logon (review logon type, source host, and time of day)
  • 4672 – special privileges assigned to a new logon (admin-equivalent rights in use)
  • 4728 – member added to a security-enabled global group
  • 4732 – member added to a security-enabled local group

SIEM Hunt Queries

Mass file modification

SELECT host, process_name, COUNT(file_path)
FROM file_events
WHERE action IN ('write','rename')
AND timestamp > NOW() - INTERVAL '5 MINUTES'
GROUP BY host, process_name
HAVING COUNT(file_path) > 300

Backup deletion

SELECT host, "user", command_line   -- quoted: unquoted user is a reserved word in PostgreSQL
FROM process_events
WHERE command_line LIKE '%vssadmin%'
OR command_line LIKE '%wbadmin%'

Data exfiltration

SELECT r.source_host, SUM(r.bytes_sent) AS bytes_24h, b.daily_avg
FROM network_logs r
JOIN (SELECT source_host, SUM(bytes_sent) / 7.0 AS daily_avg   -- per-host baseline: average daily
      FROM network_logs                                        -- outbound volume over the prior 7 days
      WHERE direction='outbound'
      AND timestamp BETWEEN NOW() - INTERVAL '8 DAYS' AND NOW() - INTERVAL '1 DAY'
      GROUP BY source_host) b ON b.source_host = r.source_host
WHERE r.direction='outbound' AND r.timestamp > NOW() - INTERVAL '1 DAY'
GROUP BY r.source_host, b.daily_avg
HAVING SUM(r.bytes_sent) > b.daily_avg * 3

EDR Behavioral Detections

  • Process encrypts hundreds of files rapidly
  • Unsigned binaries performing mass file writes
  • Backup services stopped unexpectedly
  • LSASS memory access by non-security tools
  • Persistence created outside standard paths
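As an added example (not part of the original report), the following Python applies the IOC package, the mass-file-modification hunt, and the backup-sabotage check above to constructed sample telemetry; the event field names, host names, and timestamps are assumptions.

```python
# Indicators copied from the IOC package above; the event field names are assumptions.
RANSOM_NOTES = {"READ_KARMA.txt", "KARMA_RECOVERY.html", "HOW_TO_RESTORE_FILES.txt"}
ENC_EXTENSIONS = (".karma", ".medusa", ".karma_locked", ".enc")
SUSPECT_PARENT_CHILD = {("powershell.exe", "karma.exe"), ("cmd.exe", "karma.exe")}
BACKUP_SABOTAGE = ("vssadmin delete shadows", "wbadmin delete catalog")
MASS_WRITE_THRESHOLD, WINDOW_SECONDS = 300, 300  # same numbers as the SIEM hunt above

def check_process(ev):  # listed parent-child pairs and backup sabotage command lines
    hits = []
    if (ev["parent"].lower(), ev["process"].lower()) in SUSPECT_PARENT_CHILD:
        hits.append("parent-child: %s -> %s" % (ev["parent"], ev["process"]))
    if any(sig in ev.get("cmdline", "").lower() for sig in BACKUP_SABOTAGE):
        hits.append("backup sabotage: " + ev["cmdline"])
    return hits

def check_file(ev):  # ransom note drops and files written with a Karma extension
    name = ev["path"].rsplit("\\", 1)[-1]
    if name in RANSOM_NOTES:
        return ["ransom note: " + name]
    return ["encrypted extension: " + name] if name.lower().endswith(ENC_EXTENSIONS) else []

def mass_modification(file_events, now):  # (host, process) pairs over the 5-minute threshold
    counts = {}
    for ev in file_events:
        if ev["action"] in ("write", "rename") and now - ev["ts"] <= WINDOW_SECONDS:
            key = (ev["host"], ev["process"])
            counts[key] = counts.get(key, 0) + 1
    return [k for k, n in counts.items() if n > MASS_WRITE_THRESHOLD]

# Constructed sample telemetry (not real incident data): one file server renames 350
# documents in about three minutes, drops a note, and deletes shadow copies.
PROCESS_EVENTS = [
    {"host": "fs01", "parent": "powershell.exe", "process": "karma.exe", "cmdline": "karma.exe"},
    {"host": "fs01", "parent": "cmd.exe", "process": "vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws07", "parent": "explorer.exe", "process": "outlook.exe", "cmdline": "outlook.exe"}]
FILE_EVENTS = [{"host": "fs01", "process": "karma.exe", "action": "rename", "ts": 1000 + i // 2,
                "path": "D:\\share\\doc%d.docx.karma" % i} for i in range(350)]
FILE_EVENTS.append({"host": "fs01", "process": "karma.exe", "action": "write", "ts": 1200,
                    "path": "C:\\ProgramData\\karma\\READ_KARMA.txt"})

def triage():  # returns (alert strings, (host, process) pairs doing mass modification)
    alerts = [h for ev in PROCESS_EVENTS for h in check_process(ev)]
    alerts += [h for ev in FILE_EVENTS for h in check_file(ev)]
    return alerts, mass_modification(FILE_EVENTS, now=1200)
```

The benign Outlook event produces no alert, while the file server trips the parent-child, backup-sabotage, extension, ransom-note, and mass-modification checks.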

Root Cause Analysis

Common failures include:

  • MFA not enforced everywhere
  • Over-privileged accounts
  • Flat network architecture
  • Backups accessible from compromised accounts
  • Lack of outbound traffic monitoring
  • Insufficient identity anomaly detection

Incident Response Actions Taken / Recommended

Immediate

  • Isolate affected systems
  • Disable compromised accounts
  • Preserve forensic data
  • Disconnect backups

Short-Term

  • Rotate all credentials
  • Restore from offline backups
  • Rebuild compromised systems
  • Validate environment integrity

Long-Term

  • Enforce MFA universally
  • Implement immutable backups
  • Improve identity monitoring
  • Harden network segmentation
  • Conduct ransomware tabletop exercises

Final Takeaway

Karma ransomware represents a mature ransomware operation focused on identity abuse, data theft, and business impact, not just encryption. The real damage occurs before the ransomware is ever deployed.

Organizations that rely solely on antivirus or perimeter defenses are unlikely to detect this threat in time. Identity security, behavioral detection, and backup isolation are critical defenses.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.