Following the release of decryption keys this Wednesday, security researchers have developed a free Dharma ransomware decryptor. It is now possible for businesses and individuals who have had their files encrypted by Dharma ransomware to unlock their files without having to pay a ransom.
Dharma ransomware has not been one of the most prevalent ransomware threats. There have been nowhere near as many infections as with the likes of CryptXXX, Locky, or Samsa ransomware. Those ransomware variants, along with hundreds of others, are still being used to attack businesses and individuals, and no free decryptors are yet available for those infections.
Dharma ransomware first appeared in November 2016, having been developed from Crysis ransomware. The decryption keys for Crysis were also released online, allowing security researchers to develop a free decryptor.
It is unclear why the decryption keys for the ransomware variant were leaked online, although the good news is that, for now at least, Dharma is no more. The keys can be used to unlock all versions of the ransomware for free. The keys were published on Pastebin on Wednesday by an individual with the handle gektar. Nothing is known about gektar as the handle appeared to have been created for the sole purpose of publishing the Dharma decryption keys.
Typically, ransomware decryption keys are published when cybercriminals shut down their operations and start using other ransomware variants. This could also be a case of one cybercriminal gang disrupting the operations of another. However, the former appears more likely as the person who posted the decryption keys had access to the ransomware source code.
Encryption with Dharma ransomware is easy to identify from the file extension that is added to encrypted files. All locked files have their extensions replaced with .dharma. If you have been affected, you can download the free Dharma ransomware decryptor from the No More Ransom project.
The No More Ransom website should be the first port of call if your computer has been infected by any form of ransomware. Decryptors for a wide range of ransomware variants are published on the site. Currently, the main ransomware families for which decryptors are available are: Crysis, Marsjoke, Polyglot, Wildfire, Chimera, Teslacrypt, Shade, Coinvault, Rannoh and Rakhni.