Menu
Free decryption tools now available for Dharma ransomware

Free decryption tools now available for Dharma ransomware

Someone leaked the decryption keys for the program online

Computer users who have been affected by the Dharma ransomware and have held onto their encrypted files can now restore them for free. Researchers have created decryption tools for this ransomware strain after someone recently leaked the decryption keys.

Dharma first appeared in November and is based on an older ransomware program known as Crysis. It's easy to recognize files affected by it because they will have the extension: .[email_address].dharma, where the email address is the one used by the attacker as a point of contact.

On Wednesday, a user named gektar published a link to a Pastebin post on the BleepingComputer.com technical support forum. The post, he claimed, contained the decryption keys for all Dharma variants.

Interestingly, the exact same thing happened back in November with the keys for Crysis, Dharma's predecessor, allowing researchers to create decryption tools for it.

It's not clear who gektar is or what his or her reasons were for leaking the Dharma keys. The username appears to have been created on the forum just for this purpose and has had no other activity since then.

There's also no information about how the keys were obtained in the first place. However, they were included in a C header file, which could suggest that the leaker had access to the ransomware program's source code.

The good news is that the leaked keys are real, and researchers from Kaspersky Lab and ESET verified they work. The two companies have updated their Crysis decryption tools -- downloads at Kaspersky RakhniDecryptor and ESET CrysisDecryptor -- to work for Dharma affected files, too.

This should serve as a reminder to ransomware victims to keep a copy of their affected files, even if they decide not to give into attackers' ransom demands. Researchers sometimes find flaws in the encryption implementations of ransomware programs that allow them to break the encryption keys. Other times law enforcement authorities seize command-and-control servers used by ransomware gangs and release the decryption keys.

From time to time, like in this case, the keys find their way online due to unexplained leaks: Maybe a ransomware developer decides to close up shop and publish the keys, or maybe a hacker breaks into a rival gang's servers and releases the keys to harm its operations. The point is: Hold onto those files, for months or even years if you need to.

It's a good idea to check the tools section of the NoMoreRansom.org website regularly. The website is maintained by a coalition of security companies and law enforcement agencies and is frequently updated with new information and decryption tools.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments