Keys for Dharma Ransomware Released

Decryption keys for the Dharma strain of ransomware have been released.

Victims of the Dharma strain of ransomware can now get their files back, free of charge.

Decryption keys for the ransomware were added to the Kaspersky Lab’s Rakhni decryptor tool Thursday morning.

The tool, available on—a site the company maintains with Europol, the Dutch National Police, and Intel Security, can also decrypt files encrypted by Chimera, Crysis, and the decryptor’s namesake, Rakhni.

It was assumed keys for the ransomware would surface sooner than later after a user posted a link to what’s believed to be the same keys in a forum post on Wednesday. The user, “gektar,” posted a Pastebin link that contained a C header file which contained the keys. The keys were deemed legitimate after they were analyzed by Kaspersky Lab researchers but its unclear why the user posted them or what their affiliation with the ransomware is.

Lawrence Abrams, who maintains BleepingComputer site and forum, said Wednesday there was a good chance the keys were valid since the keys for Crysis, the ransomware that Dharma is based on, were released on the forums the same way previously. When he tested it against a Dharma infection Thursday morning Abrams said the Rakhni decryptor worked “flawlessly.”

Dharma infections first began bubbling up last November when victims began reporting that files under their c:/ drive had been encrypted with “.dharma” appended to the end of the each files. In some cases the filenames were also reportedly changed to include an email address “<email>” Researchers connected the dots between Dharma and Crysis last fall after noticing some similarities in hex patterns at the footer of the files.

Kaspersky released the keys for Crysis, ransomware that began making the rounds in February 2016 – shortly after the ransomware TeslaCrypt was cracked, last November. The Crysis keys, like the Dharma keys, were first posted to a forum as a Pastebin link to a header file written in C.

Suggested articles


  • Bpm on

    Does anyone have lead on Cerber Ransomware? How to deal with it.
  • Nahuel on

    any chance something like that will be released to fix sage 2.0 infected files?
  • Major on

    Rakhni does not work (anymore). It reports processing errors while decrypting but first it states: password recovered ... The tool had admin rights.
    • Sergey on

      Hello! Could you please specify what strain of ransomware has encrypted your files.
    • M.Cihan Erdem on

      hi, what is the extension of your encrypted files ?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.