Amid all the malware circulating on the internet, the decryption keys for the Dharma ransomware have been leaked online by an unknown party.
Many people have been infected by Dharma, and some kept copies of their encrypted files. Those copies can now be restored for free: since somebody leaked the decryption keys for the malware, security researchers have built a decryption tool around them.
Dharma was first spotted last November and is based on an earlier ransomware family named Crysis. Its encrypted files are easy to recognize: each carries the extension .[email_address].dharma, where the bracketed part is the address victims are told to contact the malware's developers at.
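As an added illustration of that naming scheme (example code, not from the article or from any decryptor vendor): a Python helper that recognises Dharma-encrypted file names, groups them by the contact address embedded in the extension so a responder knows which variant a decryptor must handle, and builds a hashed manifest of preserved copies. The sample names are constructed, and the only assumption about the format is the `.[email].dharma` suffix the article describes.

```python
import hashlib
import os
import re
from collections import defaultdict

# Dharma appends ".[contact_email].dharma" to the original name, as the article
# describes. Anchored at both ends so a stray ".dharma" elsewhere does not match.
DHARMA_NAME = re.compile(r"^(?P<original>.+)\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\.dharma$", re.I)

SAMPLE_NAMES = [  # constructed for this example; none are real victim files
    "report.docx.[someone@example.com].dharma",
    "archive.tar.gz.[someone@example.com].dharma",  # dotted original name
    "photo.jpg.[other@example.net].dharma",
    "notes.txt",                                    # untouched file
    "x.[a@example.org].dharma.bak",                 # marker not at the end
]

def parse_dharma_name(name):
    """Return (original_name, contact_email) or None if the name does not match."""
    m = DHARMA_NAME.match(name)
    return (m.group("original"), m.group("email").lower()) if m else None

def group_by_contact(names):
    """Group names by contact address (which identifies the variant a decryptor must
    handle) and keep the name to restore to. Returns ({email: [(encrypted, original)]}, skipped)."""
    groups, skipped = defaultdict(list), 0
    for name in names:
        parsed = parse_dharma_name(name)
        if parsed is None:
            skipped += 1
            continue
        groups[parsed[1]].append((name, parsed[0]))
    return dict(groups), skipped

def sha256_file(path):
    """Hash a preserved copy so it can be checked for corruption before decryption."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root):
    """Walk a directory tree and return one manifest entry per Dharma-encrypted file."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for email, pairs in group_by_contact(files)[0].items():
            for encrypted, original in pairs:
                path = os.path.join(dirpath, encrypted)
                entries.append({"encrypted": path, "contact": email, "sha256": sha256_file(path),
                                "restore_as": os.path.join(dirpath, original)})
    return entries
```

Run `inventory("/path/to/preserved/copies")` over the directory where the encrypted files were kept and store the returned list as the manifest; the `restore_as` field is the name a working decryptor should give each file back.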
A user named gektar posted a link to a Pastebin page on the BleepingComputer.com technical support forum, claiming that it contained the decryption keys for all Dharma variants.
The same thing happened back in November with Crysis: its keys were also leaked, which led to the development of a decryption tool.
There is no definite information about gektar or the motive for leaking the keys. The account appears to have been created on the forum solely to publish the post containing them.
Nor is there any information about how the keys were obtained, but they were posted as a C header file, which suggests that whoever leaked them had access to the ransomware's source code.
It sounds too good to be true, but the keys are real: Kaspersky Lab and ESET verified that they work and have updated their Crysis decryption tools, Kaspersky RakhniDecryptor and ESET CrysisDecryptor, so they now handle Dharma-encrypted files as well.
This is a good reminder for ransomware victims to keep their encrypted files even when they decline to give in to the ransom demands.
Researchers sometimes find flaws in the encryption implementations of ransomware programs that allow them to recover the keys. Other times, law enforcement authorities seize the command-and-control servers used by ransomware gangs and release the decryption keys.
From time to time, as in this case, the keys find their way online through unexplained leaks: maybe a ransomware developer decides to close up shop and publishes the keys, or maybe a hacker breaks into a rival gang's servers and releases the keys to damage its operations. The point is: hold onto those files, for months or even years if need be.
Victims should also check regularly for decryption tools at NoMoreRansom.org, Kaspersky, ESET and similar sources, since these are updated as new keys and flaws come to light.