Yesterday, I wrote about how someone posted in the BleepingComputer.com forums the alleged master decryption keys for the Dharma Ransomware. This was done in the same manner that the keys for Crysis were release, which Dharma is based on.
Kaspersky has tested the keys and has determined that they are indeed legitimate and can be used to encrypt Dharma encrypted files. These keys have been included in their RakhniDecryptor, which I have tested against a Dharma infection. The decryptor worked flawlessly!
For those who have been infected by the Dharma ransomware and still have files that are encrypted, you can use the guide below to decrypt the files for free. If you need help decrypting your files, feel free to ask in the Dharma Ransomware Help & Support Topic.
Update 3/2/17 10:08 AM EST: Right after I posted this article, I saw that ESET also released an updated decryptor that support the Dharma Ransomware. More info here.
Victims of the Dharma ransomware can be identified by their files being encrypted and renamed to the format of [filename].[email_address].dharma. For example, a recent variant would have a file named test.jpg renamed and encrypted as test.jpg.[email@example.com].dharma. An example of a folder of encrypted files is seen below:
Some other variants that have previously been seen include:
.[firstname.lastname@example.org].dharma .[email@example.com].dharma .[firstname.lastname@example.org].dharma .[email@example.com].dharma .[firstname.lastname@example.org].dharma .[email@example.com].dharma .[firstname.lastname@example.org].dharma .[email@example.com].dharma .[firstname.lastname@example.org].dharma .[email@example.com].dharma .[firstname.lastname@example.org].dharma .[email@example.com].dharma .[firstname.lastname@example.org].dharma .[email@example.com].dharma .[firstname.lastname@example.org].dharma .[email@example.com].dharma .[SupportForYou@india.com].dharma .[firstname.lastname@example.org].dharma .[email@example.com].dharma
To decrypt files encrypted by the Dharma ransomware, you need to first download the RakhniDecryptor. Once downloaded, you should extract the program and run it. Once running it will display the main screen as shown below.
Before starting, you need to make sure that you are using version 18.104.22.168, which supports the Dharma ransomware. To check the version of the RakhniDecryptor you can click on the About link at the bottom left of the above screen. This will display a small window that shows the version of RakhniDecryptor.
If you are using version 22.214.171.124 or greater, then you should click on the Start scan button and RakhniDecryptor will prompt you to select an encrypted file. Browse to a folder that contains Dharma encrypted files and select a .Word, Excel, PDF, music, or image file. Do not select a text file as it cannot be used to decrypt the rest of your files.
Once you have selected a file, click on the Open button. RakhniDecryptor will now scan the entire computer for encrypted files and decrypt them.
This process can take quite a long time, so please be patient while it scans your computer and decrypts the files.
When it has finished, you will be at a completed screen as shown below.
You can then click on the details link to see a full list of dharma files decrypted by the decryptor.
You can now close the RakhniDecryptor and should be able to access your files again.
It should be noted that even though your files are now decrypted, the original encrypted files will be left behind.
To clean up the backup encrypted files, you can use CryptoSearch to move them to another folder that can be archived or deleted.