Victims of the Dharma strain of ransomware can now get their files back, free of charge.
Decryption keys for the ransomware were added to the Kaspersky Lab’s Rakhni decryptor tool Thursday morning.
— Anton Ivanov (@antonivanovm) March 2, 2017
The tool, available on nomoreransom.org—a site the company maintains with Europol, the Dutch National Police, and Intel Security, can also decrypt files encrypted by Chimera, Crysis, and the decryptor’s namesake, Rakhni.
It was assumed keys for the ransomware would surface sooner than later after a user posted a link to what’s believed to be the same keys in a BleepingComputer.com forum post on Wednesday. The user, “gektar,” posted a Pastebin link that contained a C header file which contained the keys. The keys were deemed legitimate after they were analyzed by Kaspersky Lab researchers but its unclear why the user posted them or what their affiliation with the ransomware is.
Lawrence Abrams, who maintains BleepingComputer site and forum, said Wednesday there was a good chance the keys were valid since the keys for Crysis, the ransomware that Dharma is based on, were released on the forums the same way previously. When he tested it against a Dharma infection Thursday morning Abrams said the Rakhni decryptor worked “flawlessly.”
Dharma infections first began bubbling up last November when victims began reporting that files under their c:/ drive had been encrypted with “.dharma” appended to the end of the each files. In some cases the filenames were also reportedly changed to include an email address “<email>@india.com.” Researchers connected the dots between Dharma and Crysis last fall after noticing some similarities in hex patterns at the footer of the files.
Kaspersky released the keys for Crysis, ransomware that began making the rounds in February 2016 – shortly after the ransomware TeslaCrypt was cracked, last November. The Crysis keys, like the Dharma keys, were first posted to a BleepingComputer.com forum as a Pastebin link to a header file written in C.