
KARLS Ransomware

Posted: February 15, 2019

The KARLS Ransomware is a new version of the Dharma Ransomware, an update to the Crysis Ransomware's Ransomware-as-a-Service business. File-locker Trojans from this family encrypt your data securely so that it can't be opened, and can attack content such as documents, pictures and archives. Back up your work to reduce its vulnerability to encryption that happens automatically, and use appropriate anti-malware software for removing the KARLS Ransomware, whose presence could correlate with other security issues.

Karlos Says Hello to Your Files

The next crisis against digital media from the Crysis Ransomware family is arising under the name of the KARLS Ransomware. The KARLS Ransomware belongs to a sequence of rapid releases from this Ransomware-as-a-Service group of threats, which includes the 'ungodianact1986@aol.com' Ransomware, the 'korvin0amber@cock.li' Ransomware, the 'backdata@qq.com' Ransomware, and older members like 2017's Cobra Ransomware. Importantly, unlike the oldest branches, the KARLS Ransomware is sufficiently new that its method of locking files is irreversible without trusting the criminal's ransom-based services.

The KARLS Ransomware's defining feature is the same AES and RSA encryption that the rest of the Crysis Ransomware's members use for blocking media files, which includes any that they can access over local network connections. While AES, by itself, could have some potential for being decrypted by a third party, the KARLS Ransomware's use of a second, RSA key that it uploads to the threat actor (along with some miscellaneous system information) keeps the 'unlocking' possibility in the criminal's hands. Although text documents and pictures are the most traditional forms of media to suffer encryption damage, malware experts also see members of this Trojan's family targeting other formats, from archives and spreadsheets to various databases.

The KARLS Ransomware is a Windows-based threat, and its admin may be circulating it through means not anticipated by this article. However, a majority of file-locking Trojans from the same family use brute-force attacks, spam e-mails, or remote-access vulnerabilities (such as open ports or RDP features) for gaining access and running their attacks. Business enterprises are more likely than random users to suffer attacks, but the systems of arbitrary individuals aren't immune.

Giving Karlos a Cold Reception

Besides disabling features that put their PCs at risk, such as Remote Desktop assistance or Word's macros, users can protect themselves in other ways. Backing up files to a safe location that's external to the PC is an invaluable defense against the KARLS Ransomware's encryption. On average, Windows backups will no longer be available after the infection, but desperate users could double-check their Restore Points, in case a newly-introduced bug interrupts the KARLS Ransomware's deletion of them.

E-mail attachments may pretend that they're delivering invoices, printer notifications, or messages from employees to hide Trojan droppers with the KARLS Ransomware. Brute-force attacks, as well, make up a large part of file-locker Trojans' infection strategies, even though they're preventable by users choosing their passwords and account names carefully. Anti-malware software can delete the KARLS Ransomware and detect it without issues, although this advantage is of little help in scenarios involving the threat actor gaining access to the system beforehand.
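As an added example (not from the original article or any vendor's tooling), the code below shows one way to spot the brute-force pattern described above in exported Windows Security events: repeated failed remote logons (event 4625) from one source, followed by any successful logon (4624) from that same source. The comma-separated export layout, the sample lines, and the threshold and window values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP), 3 = Network (typical for RDP with NLA).
SAMPLE_EVENTS = """\
2019-02-14T02:10:01,4625,10,203.0.113.7,administrator
2019-02-14T02:10:09,4625,10,203.0.113.7,admin
2019-02-14T02:10:17,4625,10,203.0.113.7,backup
2019-02-14T02:10:26,4625,3,203.0.113.7,backup
2019-02-14T02:10:34,4625,3,203.0.113.7,backup
2019-02-14T02:10:41,4625,10,203.0.113.7,backup
2019-02-14T02:11:02,4624,10,203.0.113.7,backup
2019-02-14T08:30:12,4625,10,198.51.100.20,jsmith
2019-02-14T08:30:40,4625,10,198.51.100.20,jsmith
2019-02-14T08:31:05,4624,10,198.51.100.20,jsmith
2019-02-14T08:45:00,4625,2,-,jsmith
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # ignore local/console logons


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed remote logons inside the window,
    and record accounts that logged on successfully from a flagged IP afterwards."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, ip, account = line.split(",")
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == "4625":
            failures = recent[ip]
            failures.append(when)
            while when - failures[0] > window:  # drop failures older than the window
                failures.popleft()
            if len(failures) >= threshold:
                entry = flagged.setdefault(ip, {"peak_failures": 0, "logons_after": []})
                entry["peak_failures"] = max(entry["peak_failures"], len(failures))
        elif event_id == "4624" and ip in flagged:
            # A success after a failure burst suggests a guessed password.
            flagged[ip]["logons_after"].append(account)
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

A non-empty `logons_after` list is the case where removing the Trojan alone is not enough: the account named there should be treated as compromised and its password reset.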

The details of the KARLS Ransomware's ransoming demands aren't known to malware experts but are unlikely to be anything other than a request for hundreds of dollars in cryptocurrency. Rather than putting yourself in a situation of being tempted, protect your files first, and save money in the process.
