.cesar Files Virus (Dharma) – Remove and Restore Data (Update 2017)

.cesar Files Virus (Dharma Ransomware) – Remove and Restore Data

This post has been created to explain to you how to remove the new CrySiS/Dharma ransomware variant which was recently detected in the wild, using the .cesar file extension.

A new variant of the Dharma ransomware infection has been detected by malware researchers. This version uses a very similar file extension (.cesar) to the recently detected .cezar extension variant. The virus this time uses the e-mail [email protected] for negotiating payments and it does not have any limits on how many files of your hard drive it will render temporary useless, as long as you pay a ransom in BTC as a form of online extortion. If your PC has been infected by the CrySiS/Dharma ransomware using the .cesar file extension, we strongly suggest you to read the following article thoroughly to learn how to remove this ransomware and try to restore .cesar encrypted files without paying any ransom.

Threat Summary

NameDharma .cesar Virus
TypeRansomware, Cryptovirus
Short DescriptionAnother new variant of Dharma ransomware, very similar to the recently detected one.
SymptomsEncrypts files on your computer with the AES cipher, adding the e-mail [email protected] and .cesar as a file extension.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Dharma .cesar Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Dharma .cesar Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.cesar Dharma Virus – Distribution

The Dharma .cesar virus is very similar to the original Dharma ransomware, primarily in how it infects and encrypts files. But let us discuss how the infection with this nasty virus takes place first. Since the .cesar variant may have been a part of the RaaS (ransomware-as-a-service) scheme which is quite frequent nowadays, it may not be spread by the same people who are behind the older Dharma ransowmare version. This is because the service itself sells the virus to people who spread it and take a percentage of the paid ransom from the victims, similar to how an affiliate network works.

This is why, to spread the .cesar virus, the cyber-criminals behind the threat may participate in different types of spam campaigns that aim to infect computers in various ways. For this, they are likely using different types of infection tools, like the following:

  • File joiners.
  • Obfuscators.
  • Droppers.
  • Downloader Trojan Horses.
  • Spamming softwares.
  • Pre-set e-mails from which to spam.
  • Online hosts, serving as distribution sites, like the following.

These tools may be combined in different methods of infection, depending on how much the ones infecting with the .cesar Dharma virus have invested in them. The cheapest and most effective method to infect victims with Dharma ransomware has so far been reported to be conducted via the so-called Necurs spam, which exists since 2016. The Necurs strategy is also very famous for spreading viruses, such as the newer Locky ransomware and several other variants. The strategy is the same – an archived e-mail attachment with either a brief message or no message at all, pretending to be legitimate receipt, invoice or other file that should be opened. The spam e-mails which may be sent to you carrying Dharma ransomware may appear like the following example:

Besides this method, other methods may also spread Dharma, like uploading it’s infection file online, posing as a fake installer of programs, games, fake patch, license activator or other type of software.

.cesar File Virus – Malicious Activity

After you have been infected with Dharma ransomware, the malware may connect to one of it’s many distribution websites, after which may download it’s payload files. Those files may pretend to be legitimate Windows processes, such as the following:

{random alpha-numerical name}
{a name of a program that has spelling mistakes, for example pecman instead of pacman}
notepad.exe
svchost.exe
setup.exe
patch.exe
update.exe
software-update.exe

The files may be dropped in multiple different Windows folders, among which may be the following:

%AppData%
%Temp%
%Roaming%
%Common%
%system32%
%Local%
%LocalLow%

When the virus has been activated it triggers it’s payload files as different processes in the Task Manager. The malicious files of .cesar Dharma ransomware have functions within them that provide the virus with administrative control over your infected computer. Once this control is assumed Dharma ransomware deletes the shadow volume copies on your computer by triggering the vssadmin command without you noticing it:

→ vssadmin delete shadows /for={volume} /oldest /all /shadow={ID of the Shadow} /quiet

In addition to this, Dharma also creates new registry entries in the registry sub-keys Run and RunOnce of Windows Registry Editor. This is done with the purpose of the virus running automatically when you start your PC. The sub-keys have the following locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

How Does .cesar Virus Encrypt Files?

The encryption of Dharma .cesar ransomwarenis conducted with the aid of the AES encryption algorithm. It generates a symmetric key after encryption which is then used for the decryption process. The tricky part is that a custom master key is required for the decryption and it is only available to the cyber-criminals and sent to you after you have paid a hefty ransom fee.

For the encryption process, the Dharma ransomware infection scans for the most commonly used file types, which are most of the following:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

After Dharma encrypts the files, it naturally adds the .cesar file extension and the files appear in the following format:

→ {Encrypted File’s name}.id-{custom ID}.{e-mail of the crooks}.cesar

After the encryption, Dharma may display a brief ransom note, which may appear like the following:

“To decrypt files, write to my email [email protected]

Remove Dharma Virus and Restore .cesar Encrypted Files

If you want to remove the Dharma ransomware virus, we suggest that you follow the removal instructions below. They are designed to help you initially isolate the activity of Dharma and then remove it manually. But bear in mind that manual removal may be tricky, because the virus constantly changes and this is why it is recommended to use the power of the anti-malware removal software. It features regularly updated definitions that will help you remove the .cesar Dharma ransomware automatically and safely.

If you want to restore files that have been encrypted by this ransowmare, we advise you to try our alternative tools in step “2. Restore files encrypted by Dharma .cesar Virus” below. They are not 100% guarantee you will get your files back but with their aid, you may recover most of them.

Manually delete Dharma .cesar Virus from your computer

Note! Substantial notification about the Dharma .cesar Virus threat: Manual removal of Dharma .cesar Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Dharma .cesar Virus files and objects
2.Find malicious files created by Dharma .cesar Virus on your PC

Automatically remove Dharma .cesar Virus by downloading an advanced anti-malware program

1. Remove Dharma .cesar Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Dharma .cesar Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

4 Comments

  1. Jesse K

    I was infected with this, and have the virus file and a few encrypted files available if you need samples. Has any progress been made with a decryption tool?

    Reply
  2. thebitguru

    A friend’s server was also infected and can share samples for reference. Hopefully, someone can find a solution soon.

    Reply
  3. Jorge Oliveira Silva

    Some Real solution ?

    Reply
  4. Stephen

    What are you using to capture samples with? I’ve run 3 different AV tools looking for a sample that can be analyzed and none of them seem to be able to find the malware even though I have encrypted files with the .cesar extension.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.