Bad karma! Ransomware piggybacks on free software downloads

Beware the fake Windows-TuneUp program, and other suspicious downloads.

David bisson
David Bisson
@
@DMBisson

Bad karma! Ransomware piggybacks on free software downloads

A ransomware sample is piggybacking off of free software downloaded from the internet to encrypt the files of unsuspecting users.

A researcher by the name of slipstream/RoL discovered the ransomware, which goes by the name “Karma.”

Other ransomware samples have masqueraded as Pokémon Go apps or IT security software solutions in the past. They’ve done so to disguise themselves so that they trick users into thinking they’re benign programs.

Sign up to our free newsletter.
Security news, advice, and tips.

Karma is no different, which is why it’s donned the mask of a Windows optimization program known as Windows-TuneUp.

Windows tuneup

All that remains is for the ransomware to catch users off-guard. It does this by bundling its fake Windows-TuneUp program with other downloadable software available on the web.

A pay-per-install software monetization company does all the heavy lifting. As Lawrence Abrams of Bleeping Computer explains:

“If a user downloads and installs a free program that is monetized by this software monetization company, they would possibly be greeted with an offer for a Windows optimization program called Windows-TuneUp. While many people know these types of programs are not ones you want on your computer, there are unfortunately many who do not realize this. These people would then accept the offer thinking they are getting a program that will help optimize their slow computer.”

Upon successful installation, Karma covertly checks to see if it’s running on a virtual machine. If it is, it terminates. If it isn’t, it connects to its command and control (C&C) server, retrieves some encryption keys, scans all drives (including network drives), and begins encrypting hundreds of different file types.

When all is said and done, the ransomware appends .karma to each affected filename before displaying its ransom note.

Karma message

Game over.

Fortunately, the command and control server is offline as of this writing. If Karma infects a victim and reaches out to its C&C, it therefore won’t receive a response in the form of encryption keys, meaning it can’t encrypt a victim’s data.

That’s great… but only insofar as Karma is concerned. No doubt there are other ransomware samples that are currently implementing this same technique. If there aren’t right now, you can bet other ransomware will be soon in the future.

So what are users to do? They need to take a hard look at what they’re downloading onto their computers. What types of programs are they downloading? Are they made by trusted developers? From which sites are they downloading that software? It’s important that users answer all of these questions to determine if they’re potentially putting themselves at risk.

As a general rule of thumb, users should think twice before downloading free or cheap(er) software from sketchy websites made by untrusted developers. If they disagree, they should in the very least never EVER accept an offer to download software that comes bundled with those programs.

You never know what might be lurking in them….


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.