Reportedly, the source code of the Dharma/CrySiS ransomware has been put up for sale on two separate darknet forums this weekend, and the cost is a mere $2,000. The reason why this is far too low for the particular ransomware is that we’re talking about one of the most robust strains available out there, featuring a perfect implementation of a strong encryption algorithm that researchers haven’t been able to break since its release in 2016. Dharma has troubled thousands of victims and already extorted more than $24 million in payments.
Dharma’s authors used its technical excellence to set up a lucrative RaaS (ransomware as a service) business, managing to take the strain to second place only after Ryuk. Many of the actors who picked up Dharma used their own iterations of the strain. At the same time, the original author continued to push updates, and Dharma was gradually adjusted to become more effective when hitting high-profile targets. Even after the eventual leak of the master-keys of one of Dharma’s forks, Phobos, the chances of having Dharma unlocked remained as low as 50%. Phobos and Dharma together accounted for about 20% of the total ransomware infections that occurred in Q4 2019, so we’re talking about actively used strains and not just a niche strain.
All of this gives you an overview of why the Dharma source code would be so valuable to white-hat researchers, as reverse-engineering the decryption key could now become possible. The source code is the “raw” programming language instructions that pass through a code compiler to become executable binaries. So, it is the “recipe” for creating programs, revealing all secret ingredients that cannot be deduced solely by analyzing the resulting files, as well as any potential flaws in the code. So now this is where the researchers will focus now.
So far, Dharma has been one of the reasons why people were advised to keep offline backups and never execute files from untrustworthy sources. From those who opted to pay the Dharma ransomware actors these years, only about 12% got the promised decryption keys back. All that said, if you have suffered a Dharma infection, you are advised to wait a while, as the situation has suddenly taken an unexpected positive turn. It is now likely that a Dharma decryptor will be released in the upcoming weeks or months, so stay tuned.