The master key to unlock the Dharma ransomware has been posted to a forum on the site Bleeping Computer. The code has been verified and Kaspersky Labs has added it to their Rakhni decryptor tool available on the No More Ransom website. ESET has also added the key to its ransomware unlock tools.
This is not the first time ransomware keys have been made public. Last year the keys for both TeslaCrypt and Crysis were made public, enabling users to recover their files for free. What is interesting is that Dharma is a relatively new ransomware. It first appeared in late 2016 and it is not known how successful it has been in infecting machines.
Dharma is just one of several pieces of ransomware that are based on the highly successful Crysis ransomware. Last year, when the master key for Crysis was released, security companies speculated that this was due to an internal falling out among the developers. It led to five of the ransomware variants built using its code being decrypted. The release of the Dharma key takes this to six.
Whose keys will be next?
This is an interesting question. Ransomware is a very lucrative business for cybercriminals. Unlock keys are priced in Bitcoin, which continues to trade close to its all-time high of $1,280. This is creating a problem for ransomware owners in setting a price that people are going to pay.
Attacks on individuals have aimed at a price of between $100 and $500, with businesses paying substantially more. As Bitcoin has increased in value, cybercriminals are having to adjust their pricing. Without this, users are likely to refuse to pay, and this is beginning to happen. The advice from law enforcement has always been not to pay. The problem for users is that not paying means losing access to their files.
As the keys to ransomware start to get leaked there is hope for those infected. They can hold off paying in the hope the master key for the ransomware that has infected them will be the next to be leaked. At the same time there is a concerted effort by security researchers to crack other keys. A lot of that research is being targeted at those ransomware products that are poorly written. This makes the keys relatively easy to work out and decryptor tools can be created.
Ransomware has been successful for cybercriminals for a while now. It is estimated that it has made them in excess of $1 billion in the last 12 months alone. This is far from the total cost to businesses. They still have to clean, verify and check all their machines. There is evidence that some ransomware owners are selling details of their victims to other cybercriminals. These wait a while and then attack the victims again.
The good news here is that Dharma is no longer a threat. Anyone infected who has not paid can now recover their files.