Yesterday, I wrote about how someone posted in the BleepingComputer.com forums the alleged master decryption keys for the Dharma Ransomware. This was done in the same manner that the keys for Crysis, which Dharma is based on, were released.

Kaspersky has tested the keys and has determined that they are indeed legitimate and can be used to decrypt Dharma encrypted files. These keys have been included in their RakhniDecryptor, which I have tested against a Dharma infection. The decryptor worked flawlessly!

For those who have been infected by the Dharma ransomware and still have files that are encrypted, you can use the guide below to decrypt the files for free. If you need help decrypting your files, feel free to ask in the Dharma Ransomware Help & Support Topic.

Update 3/2/17 10:08 AM EST: Right after I posted this article, I saw that ESET also released an updated decryptor that supports the Dharma Ransomware. More info here.

How to Decrypt Dharma Encrypted Files Using RakhniDecryptor

Victims of the Dharma ransomware can be identified by their files being encrypted and renamed to the format of [filename].[email_address].dharma. For example, a recent variant would have a file named test.jpg renamed and encrypted as test.jpg.[tombit@india.com].dharma. An example of a folder of encrypted files is seen below:

Dharma Encrypted Files

Some other variants that have previously been seen include:


To decrypt files encrypted by the Dharma ransomware, you first need to download the RakhniDecryptor. Once downloaded, extract the program and run it. Once running, it will display the main screen as shown below.

RakhniDecryptor

Before starting, you need to make sure that you are using version 1.17.17.0, which supports the Dharma ransomware. To check the version of the RakhniDecryptor you can click on the About link at the bottom left of the above screen. This will display a small window that shows the version of RakhniDecryptor.

About Screen

If you are using version 1.17.17.0 or greater, then you should click on the Start scan button and RakhniDecryptor will prompt you to select an encrypted file. Browse to a folder that contains Dharma encrypted files and select a Word, Excel, PDF, music, or image file. Do not select a text file as it cannot be used to decrypt the rest of your files.

Select a Dharma Encrypted File

Once you have selected a file, click on the Open button. RakhniDecryptor will now scan the entire computer for encrypted files and decrypt them.

Scanning for Dharma Encrypted Files

This process can take quite a long time, so please be patient while it scans your computer and decrypts the files.

When it has finished, you will be at a completed screen as shown below.

Decryption Completed

You can then click on the details link to see a full list of Dharma files decrypted by the decryptor.

Scan Results Page

You can now close the RakhniDecryptor and should be able to access your files again.

It should be noted that even though your files are now decrypted, the original encrypted files will be left behind.

Folder of Decrypted Files

To clean up the backup encrypted files, you can use CryptoSearch to move them to another folder that can be archived or deleted.
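
Before archiving or deleting anything, it helps to confirm which leftover .dharma files actually have a decrypted counterpart. The script below is an added example, not part of RakhniDecryptor or CryptoSearch; it matches the [filename].[email_address].dharma format described above and assumes the decrypted file sits next to the encrypted one under its original name. The function names and the user@example.com sample files are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Naming format described in the article: [filename].[email_address].dharma
DHARMA_RE = re.compile(
    r"^(?P<orig>.+)\.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]\.dharma$", re.IGNORECASE)

def inventory(root):
    """Return (decrypted, pending): leftovers with / without a decrypted counterpart."""
    decrypted, pending = [], []
    for path in sorted(Path(root).rglob("*")):
        m = DHARMA_RE.match(path.name)
        if not (m and path.is_file()):
            continue
        original = path.with_name(m.group("orig"))
        # Assumption: a non-empty file under the original name means decryption worked.
        ok = original.is_file() and original.stat().st_size > 0
        (decrypted if ok else pending).append(path)
    return decrypted, pending

def archive_leftovers(root, archive_dir):
    """Move only leftovers that have a decrypted counterpart, keeping relative paths.

    archive_dir must be outside root. Files still pending decryption are never moved.
    """
    root, archive_dir = Path(root), Path(archive_dir)
    decrypted, pending = inventory(root)
    moved = []
    for src in decrypted:
        dest = archive_dir / src.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dest))
        moved.append(dest)
    return moved, pending

def demo():
    """Constructed sample tree: one decrypted pair and one still-encrypted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root, arch = Path(tmp, "docs"), Path(tmp, "archive")
        (root / "sub").mkdir(parents=True)
        (root / "test.jpg").write_bytes(b"decrypted")
        (root / "test.jpg.[user@example.com].dharma").write_bytes(b"x")
        (root / "sub" / "a.pdf.[user@example.com].dharma").write_bytes(b"x")
        moved, pending = archive_leftovers(root, arch)
        return [p.relative_to(arch).as_posix() for p in moved], [p.name for p in pending]

if __name__ == "__main__":
    print(demo())
```

Any file reported as pending has no decrypted copy yet, so it should stay in place until the decryptor has been run against it again.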