Victims of Dharma Ransomware can now recover their data, as the decryption keys for files encrypted by the malware have been leaked. The news broke last week when a user named gektar posted a link to a Pastebin note on BleepingComputer.com's technical support forum. According to gektar's post, the link contains all the decryption tools needed to restore files and computers locked by every variant of the Dharma Ransomware. That immediately raised hope that all users affected by Dharma would soon be able to recover their data.
Dharma was first spotted by researchers last November, and an infection is relatively easy to recognize. Dharma appends the extension "[email_address].dharma" to every file it encrypts, where the email address placed before ".dharma" is the address at which the attackers can be contacted for ransom negotiations.
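The naming pattern above is enough to triage a suspect machine without running anything from the attackers. The script below is an added example, not code from the original article or from any of the vendors it mentions: it walks a directory tree, matches filenames against the "[email_address].dharma" suffix as described above, recovers the original filename, and groups hits by the contact address so an incident responder can see how many files are affected and which attacker address appears in the ransom note. The regular expression and the sample file listing are my own assumptions and constructed data; real samples may carry additional fields in the suffix, so treat a miss as "pattern not recognized" rather than "not encrypted".

```python
import os
import re

# Filename pattern based on the article's description: the encrypted file keeps
# its original name and gains "[email_address].dharma" as a suffix, with the
# attacker's contact address inside the brackets. The exact regex is an
# assumption for this example, not a vendor-published signature.
DHARMA_SUFFIX = re.compile(
    r"\.\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\]\.dharma$",
    re.IGNORECASE,
)


def parse_dharma_name(filename):
    """Return (original_name, contact_email) if the name matches the
    Dharma pattern, otherwise None."""
    m = DHARMA_SUFFIX.search(filename)
    if not m:
        return None
    return filename[:m.start()], m.group("contact")


def triage_names(filenames):
    """Group matching filenames by attacker contact address.

    Returns {contact_email: [original_name, ...]}; names that do not
    match the pattern are ignored."""
    hits = {}
    for name in filenames:
        parsed = parse_dharma_name(name)
        if parsed:
            original, contact = parsed
            hits.setdefault(contact, []).append(original)
    return hits


def scan_tree(root):
    """Walk a directory tree and triage every filename found under it."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return triage_names(names)


# Constructed sample listing for demonstration; not real victim data.
SAMPLE_LISTING = [
    "budget-2016.xlsx.[attacker@example.com].dharma",
    "family.jpg.[attacker@example.com].dharma",
    "README.txt",
    "notes.docx.[other@example.net].dharma",
    "archive.dharma",  # no bracketed address: not the pattern described
    "report.pdf.[attacker@example.com].DHARMA",  # extension case varies
]

if __name__ == "__main__":
    for contact, originals in triage_names(SAMPLE_LISTING).items():
        print(f"{contact}: {len(originals)} file(s) -> {originals}")
```

On a live system call `scan_tree("/path/to/user/data")` instead of the constructed list; the contact address it reports is what you should compare against the ransom note before picking a decryptor.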
Confirmation that the decryption keys are genuine came not long after the post. Researchers from ESET and Kaspersky tested the leaked keys and confirmed that they decrypt files encrypted by Dharma. Both companies have since updated their Crysis decryptors to handle Dharma-encrypted files as well. Experts still do not know who released the free decryption keys, but they say there are indications that whoever did so has access to the malware's source code.
Crysis ransomware was the precursor of Dharma, and, interestingly, the decryption keys for Crysis leaked in November last year in the same mysterious way as those for Dharma did last week. The first lesson is that victims of any ransomware should never destroy the files the malware has locked, because there is always a chance that decryption tools will be released or that researchers will find a way to recover the keys. Keep the ransom note and a few encrypted files as well, since decryptors often need them to identify the variant. As with Dharma and Crysis, the keys may simply surface without explanation. The other possibility that can save the encrypted files is that the attackers' command-and-control servers are seized and the decryption keys are recovered from them.
Prevention remains the best way to protect your PC from any ransomware attack. Moreover, the events around Crysis and Dharma, and the way the second threat followed the first, suggest that the attackers may already have developed a successor to both and are simply waiting for the right moment to deploy it.