Karma Ransomware

What is Karma Ransomware?

Researchers have recently detected a very interesting ransomware infection called Karma Ransomware. Unlike other similar threats that used to be quite prevalent (e.g. Cerber Ransomware and Locky Ransomware), it pretends to be a Windows optimization application called Windows-TuneUp. Because it tries to convince users that it is a beneficial program for cleaning the computer and boosting its performance, it has a very convincing interface. Even though it looks much like a legitimate application, users quickly notice that it does not work: it only shows a pop-up window saying “This feature will be available soon in the next update” when they try to enable any of its options. Karma Ransomware displays the Windows-TuneUp interface for a reason. Once it is opened, it silently starts encrypting files stored on the computer. It uses AES, which is known to be one of the strongest encryption algorithms, so it is very hard or even impossible to unlock those files without the special key. Fortunately, the C&C servers of Karma Ransomware are down at the time of writing, so it is very likely that it no longer works and will not affect more users; however, if this threat has already encrypted your files, you should delete it from your system as soon as possible. Paying money to cyber criminals is not encouraged.

What does Karma Ransomware do?

Even though Karma Ransomware pretends to be a legitimate application, it acts much like other ransomware infections. Just like existing threats, it enters computers illegally and then encrypts files. Unfortunately, it targets hundreds of different filename extensions, so it is very likely that the majority of your files will be locked once it gets in. It does skip folders whose paths contain certain strings: \$windows.~bt\, \program files (x86)\, \drivers\, \windows\, \appdata\locallow\, \boot\, and others, which shows that it does not intend to ruin the Windows OS. Once Karma Ransomware finishes encrypting files, it places two files, # DECRYPT MY FILES #.html and # DECRYPT MY FILES #.txt, on the Desktop. These files contain the ransom note. Since this infection is already dead at the time of writing, we cannot say exactly what is written there. According to our specialists, there is basically no doubt that these files contain instructions on how to purchase the so-called decryptor to decrypt files. In most cases, this tool is not cheap, so if you have already been infected with Karma Ransomware, you should consider whether it is worth transferring money for the Karma Decryptor. Do not forget that many users do not get anything from cyber criminals after paying them.

Karma Ransomware does more than encrypt files and create .html and .txt files on the Desktop. It has been found that this infection also creates a new task called pchelper in %WINDIR%\System32\Tasks so that it can launch automatically again. On top of that, users can find four new registry keys created by this ransomware. As can be seen, from a technical perspective, this infection is quite sophisticated. Unfortunately, this also means that it will not be very easy to eliminate it from the system.

Where does Karma Ransomware come from?

Researchers working at anti-spyware-101.com have revealed that Karma Ransomware is spread via pay-per-install monetization companies. In other words, it is distributed in software bundles. Users usually see an offer to install Windows-TuneUp during the installation of a free program monetized by such a company. If a user agrees to install it, he/she allows a ransomware infection to enter the computer. In other words, users themselves contribute to the entrance of Karma Ransomware to a great extent. It is not always easy to prevent dangerous computer infections from entering the system, so security specialists suggest installing a trustworthy antimalware tool and keeping it enabled all the time.

How to delete Karma Ransomware

Deleting a ransomware infection from the system is not a piece of cake, especially when it not only creates new files but also modifies the system registry. We hope that our instructions will be useful for you, but if you do not find them helpful because you do not have much knowledge about computers, it is advisable to eliminate Karma Ransomware automatically. Use SpyHunter to make sure that even the tiniest threat is deleted from the system together with this ransomware infection.

Remove Karma Ransomware manually

  1. Tap Win+E.
  2. Type %USERPROFILE%\Desktop in the address bar to open the directory.
  3. Delete the two files # DECRYPT MY FILES #.html and # DECRYPT MY FILES #.txt.
  4. Open %WINDIR%\System32\Tasks.
  5. Delete the task pchelper.
  6. Close Explorer and press Win+R on your keyboard.
  7. Enter regedit.exe and click OK.
  8. Delete the following registry keys (right-click on the registry key and select Delete):
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows-TuneUp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\pchelper
  9. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  10. Delete two Values belonging to Karma Ransomware: Saffron and Safron (select the Value and press Delete).
  11. Empty the Recycle bin.
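
The artifacts named in the steps above can be checked in one pass, for example to confirm that a manual cleanup left nothing behind. The script below is an added example and not part of the original guide; it is read-only and deletes nothing. It assumes 64-bit Windows PowerShell run as administrator and user profiles stored under %SystemDrive%\Users.

```powershell
# Added example: read-only check for the Karma Ransomware artifacts listed in the
# removal steps. Nothing is deleted; the script only reports what is still present.

# Assumption: profiles live under %SystemDrive%\Users. Every user's Desktop is
# checked because an elevated shell may run under a different account than the
# one that was infected.
$usersRoot = Join-Path $env:SystemDrive 'Users'
$desktops  = Get-ChildItem -LiteralPath $usersRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'Desktop' }

$paths = @()
foreach ($d in $desktops) {
    $paths += Join-Path $d '# DECRYPT MY FILES #.html'
    $paths += Join-Path $d '# DECRYPT MY FILES #.txt'
}
# Scheduled-task file and the two registry keys named in the steps.
$paths += Join-Path $env:WINDIR 'System32\Tasks\pchelper'
$paths += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Windows-TuneUp'
$paths += 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\pchelper'

# Run values named in the steps.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = 'Saffron', 'Safron'

$found = @()
foreach ($p in $paths) {
    # -LiteralPath keeps the spaces and '#' in the ransom-note names intact.
    if (Test-Path -LiteralPath $p) {
        $found += [pscustomobject]@{ Type = 'Path'; Item = $p }
    }
}

$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
foreach ($v in $runValues) {
    if ($run -and ($run.PSObject.Properties.Name -contains $v)) {
        # Include the command line the value points at; it shows where the binary sits.
        $found += [pscustomobject]@{ Type = 'RunValue'; Item = "$v = $($run.$v)" }
    }
}

if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'None of the listed Karma Ransomware artifacts were found.'
}
```

An empty result only means the artifacts listed in this guide are absent; it does not restore encrypted files.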