Bad karma! Ransomware piggybacks on free software downloads

Beware the fake Windows-TuneUp program, and other suspicious downloads.

A ransomware sample is piggybacking on free software downloaded from the internet to encrypt the files of unsuspecting users.

A researcher by the name of slipstream/RoL discovered the ransomware, which goes by the name "Karma."

Other ransomware samples have masqueraded as Pokémon Go apps or IT security software in the past. They do so to disguise themselves and trick users into thinking they're benign programs.

Karma is no different, which is why it's donned the mask of a Windows optimization program known as Windows-TuneUp.

Windows tuneup

All that remains is for the ransomware to catch users off-guard. It does this by bundling its fake Windows-TuneUp program with other downloadable software available on the web.

A pay-per-install software monetization company does all the heavy lifting. As Lawrence Abrams of Bleeping Computer explains:

"If a user downloads and installs a free program that is monetized by this software monetization company, they would possibly be greeted with an offer for a Windows optimization program called Windows-TuneUp. While many people know these types of programs are not ones you want on your computer, there are unfortunately many who do not realize this. These people would then accept the offer thinking they are getting a program that will help optimize their slow computer."

Upon successful installation, Karma covertly checks to see if it's running on a virtual machine. If it is, it terminates. If it isn't, it connects to its command and control (C&C) server, retrieves some encryption keys, scans all drives (including network drives), and begins encrypting hundreds of different file types.

When all is said and done, the ransomware appends .karma to each affected filename before displaying its ransom note.

Karma message

Game over.
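As an added example (not code from the article or from the researcher it cites), here is a small defender-side sweep in Python that walks a local drive or a mounted network share for files carrying the `.karma` suffix the article describes, recovers the probable original names, and groups the hits by directory so affected folders can be listed for restoration from backup. The sample file tree it builds is constructed here for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Suffix the article reports Karma appending to every encrypted file.
KARMA_SUFFIX = ".karma"


def original_name(filename):
    """Return the probable pre-encryption name, or None if the file is not a Karma artifact."""
    if filename.lower().endswith(KARMA_SUFFIX):
        return filename[: -len(KARMA_SUFFIX)]
    return None


def sweep_for_karma(root):
    """Walk `root` (a local drive or a mounted network share, which the article
    says Karma also scans) and group .karma artifacts by directory.

    Returns {directory: [(artifact_path, probable_original_name), ...]}.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            original = original_name(name)
            if original is not None:
                hits.setdefault(dirpath, []).append((os.path.join(dirpath, name), original))
    return hits


def build_sample_tree(base):
    """Constructed sample: a Documents folder with two encrypted files and one untouched file."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.karma").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.karma").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched")


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, and return
    (number of affected directories, sorted probable original names)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = sweep_for_karma(tmp)
        originals = sorted(o for files in hits.values() for _, o in files)
        return len(hits), originals


if __name__ == "__main__":
    print(run_demo())  # (1, ['budget.xlsx', 'report.docx'])
```

The suffix sweep is an after-the-fact indicator only; it tells you which files and shares were touched, not whether the keys are recoverable.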

Fortunately, the command and control server is offline as of this writing. If Karma infects a victim and reaches out to its C&C, it therefore won't receive a response in the form of encryption keys, meaning it can't encrypt a victim's data.

That's great... but only insofar as Karma is concerned. No doubt other ransomware samples are already using this same distribution technique. If none are right now, you can bet others will be soon.

So what are users to do? They need to take a hard look at what they're downloading onto their computers. What types of programs are they downloading? Are they made by trusted developers? From which sites are they downloading that software? It's important that users answer all of these questions to determine if they're potentially putting themselves at risk.

As a general rule of thumb, users should think twice before downloading free or cheap(er) software from sketchy websites or untrusted developers. If they do so anyway, they should at the very least never EVER accept an offer to install additional software that comes bundled with those programs.

You never know what might be lurking in them...
