Security companies Kaspersky and ESET have updated their decryption tools to handle the Dharma ransomware, after decryption keys for it were published through a Pastebin link.
A user going by the name gektar posted a link on a tech support forum to a Pastebin note containing the decryption keys for the Dharma ransomware variants. With those keys built into the updated decrypters, victims whose files were encrypted by Dharma can now recover them.
No one knows who gektar is or how he obtained the keys; supposedly, he had access to the ransomware's source code. What matters, however, is that the keys are genuine and can be used to unlock Dharma-encrypted files.
Security researchers from ESET and Kaspersky confirmed that the keys work, and both companies updated their existing Crysis decryption tools to handle Dharma as well.
Dharma was first detected in November 2016. It is a descendant of an older ransomware strain, Crysis. Files encrypted by Dharma variants are easy to spot: they carry the extension “.[email_address].dharma”, where the email address is the one victims are supposed to use to contact the attacker.
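As an added example (not code from the original article, ESET or Kaspersky), the following Python helper turns the naming convention above into a triage check: it recognises files that follow the `<original name>.[<contact email>].dharma` pattern, recovers the original filename and the attacker's contact address, and counts encrypted files per address, which is useful when deciding which decrypter or campaign a victim is dealing with. The directory listing is constructed for the example; the email regex is deliberately loose because attackers used many unusual domains, and the trailing `.dharma` is anchored to the end of the name so look-alike files are not miscounted.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Matches "<original name>.[<contact email>].dharma" (extension case-insensitive).
# The original name is matched lazily so the first ".[" that is followed by a
# bracketed address and the ".dharma" suffix is taken as the split point.
DHARMA_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]\.dharma$",
    re.IGNORECASE,
)


def parse_dharma_name(filename: str) -> Optional[Tuple[str, str]]:
    """Return (original_filename, contact_email) if the name follows the
    Dharma scheme described in the article, otherwise None."""
    match = DHARMA_RE.match(filename)
    if not match:
        return None
    return match.group("original"), match.group("email")


def inventory(filenames: Iterable[str]) -> Dict[str, int]:
    """Count Dharma-encrypted files per attacker contact address
    (addresses are lower-cased so case variants are merged)."""
    counts: Counter = Counter()
    for name in filenames:
        parsed = parse_dharma_name(name)
        if parsed is not None:
            counts[parsed[1].lower()] += 1
    return dict(counts)


# Constructed sample directory listing (hypothetical names, not real victim data).
SAMPLE_LISTING = [
    "budget.xlsx.[decrypt_me@example.com].dharma",
    "photo.jpg.[Decrypt_Me@example.com].dharma",
    "report.docx.[other_contact@example.net].dharma",
    "README.txt",               # untouched file
    "dharma.txt",               # contains 'dharma' but is not encrypted
    "archive.[x].dharma.bak",   # wrong trailing extension, no address
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name} -> {parse_dharma_name(name)}")
    print(inventory(SAMPLE_LISTING))
```

Run on a real incident, the same functions would be fed the output of a recursive directory walk; the per-address counts tell the responder how many campaigns (contact addresses) are present on the host before any decrypter is tried.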
Interestingly, back in November the Crysis decryption keys were also mysteriously dumped online, and researchers were able to use them to build decrypters. This is why experts advise against deleting encrypted files after a ransomware infection: a decrypter may become available later, and if you still have the locked data you will be able to recover it.
Researchers are constantly working on decryption tools. Sometimes authorities manage to take down the command-and-control servers used by the criminals and release decrypters based on the keys recovered from them. Other times, as happened here, the keys simply appear online.
And last but not least, remember NoMoreRansom.org, where many security companies work together with law enforcement to fight ransomware.