KARLS Ransomware

By GoldSparrow in Ransomware

The KARLS Ransomware is an encryption ransomware Trojan that combines elements of two well-known ransomware families, Crysis and Dharma. Several variants of this hybrid ransomware family have appeared since Fall 2018. The KARLS Ransomware variant was first observed on February 14, 2019, and carries out a typical version of these attacks, encrypting the victims' files and then demanding a ransom payment in exchange for a decryption key.

Symptoms of a KARLS Ransomware Attack

The KARLS Ransomware is typically delivered via corrupted spam email attachments, often in the form of Microsoft Office files with damaged embedded scripts. The KARLS Ransomware uses a strong encryption algorithm to target the user-generated files in its attack, which may affect the files with the following file extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The KARLS Ransomware will mark each file it encrypts in its attack by adding the file extension '.id-[8 random chars].[karlosdecrypt@outlook.com].KARLS' to each file's name. Once the KARLS Ransomware has finished encrypting the victim's files, the KARLS Ransomware will demand a ransom payment from the victim. To do this, the KARLS Ransomware will deliver two ransom note files, a text file named 'FILES ENCRYPTED.txt' and an HTA file named 'karlosdecrypt@outlook.com.HTA.' The KARLS Ransomware's ransom notes display the following message on the victim's computer:

'All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail: karlosdecrypt@outlook
Write this ID in the title of your message <8 random characters>
In case of no answer in 24 hours write us to these emails: karlosdecrypt24@airmail.cc
You have to pay for decryption in Bitcoins. The price depends on how fast you write us. After payment, we will send you the decryption tool that will decrypt all your files.'

Previous variants in the KARLS Ransomware's family of ransomware demand ransoms of several hundred dollars to be paid using Bitcoin or other digital currencies. Malware analysts strongly recommend that computer users avoid paying these ransoms or interacting with the criminals responsible for the KARLS Ransomware attack in any way.

Protecting Your Data from Threats Like the KARLS Ransomware

The best protection against threats like the KARLS Ransomware is to have the means to restore your files by yourself, without having to interact with the criminals, which will take away their leverage. Because of this, computer users that have backup copies of all of their data and keep these backups stored in a safe location can defend themselves against a ransomware attack. Apart from file backups, a reliable security program can be used to intercept the KARLS Ransomware before it carries out its attack and remove this threat from an infected computer.


My computer was encrypted by KARLS. If anybody is interested I can send pairs of unencrypted/encrypted files for comparison, if useful.

The encryptor is payload.exe. I think I can undelete it and send also.

My PC has been infected with KARL and all data has been encrypted
will SpyHunter clean the virus and restore all files


Most Viewed