Following a random Pastebin dump, Dharma issues can now be fixed after Kaspersky and ESET updated their decryption tools

Mar 2, 2017 22:42 GMT

Decryption keys for the Dharma ransomware have been dumped online in a move that will hopefully help out all those who have been infected by it and whose files are still locked up. 

Well, yesterday, a user named gektar posted a link to a Pastebin note on the technical support forum of BleepingComputer.com. There, he claims, were all the decryption keys for the Dharma variants.

It's unclear just who this person is or why he'd do such a thing, or even how he got his hands on the keys, but there are clues indicating that he had access to the Dharma source code.

Regardless of who this is or what his purpose is, the keys are real, and that's what really matters. Researchers from Kaspersky Lab and ESET checked them, and they seem to work. The two security companies updated their Crysis decryption tools to work for the Dharma ransomware too.

Keep the files even if they're encrypted

Dharma was first noticed back in November, and it's a descendant of an older ransomware called Crysis. Files affected by this malware will have the extension .[email_address].dharma, so it's pretty easy to figure out what type of ransomware you've been infected with. The email address in question is the one where the attacker can be reached.

Interestingly, back in November, the decryption keys for Crysis were leaked online, and researchers were able to build up from there and help out people.

While prevention is always great, if you do fall victim to ransomware and decide against paying off the attackers, you might want to hold on to the encrypted files. At one point or another, a key is going to pop up and your files will be free again.

Sometimes, things like this happen, with the decryption keys ending up online with no real explanation. Other times, authorities will manage to seize the C&C servers used by ransomware gangs and release the decryption keys.

Then, there are also the helpful folks over at NoMoreRansom.org, where security companies teamed up with law enforcement to help people decrypt their files.