.cesar Files Virus (Dharma) – Remove and Restore Data (Update 2017)

.cesar Files Virus (Dharma Ransomware) – Remove and Restore Data

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This post has been created to explain to you how to remove the new CrySiS/Dharma ransomware variant which was recently detected in the wild, using the .cesar file extension.

A new variant of the Dharma ransomware infection has been detected by malware researchers. This version uses a very similar file extension (.cesar) to the recently detected .cezar extension variant. The virus this time uses the e-mail btc2017@india.com for negotiating payments and it does not have any limits on how many files of your hard drive it will render temporary useless, as long as you pay a ransom in BTC as a form of online extortion. If your PC has been infected by the CrySiS/Dharma ransomware using the .cesar file extension, we strongly suggest you to read the following article thoroughly to learn how to remove this ransomware and try to restore .cesar encrypted files without paying any ransom.

Threat Summary

NameDharma .cesar Virus
TypeRansomware, Cryptovirus
Short DescriptionAnother new variant of Dharma ransomware, very similar to the recently detected one.
SymptomsEncrypts files on your computer with the AES cipher, adding the e-mail btc2017@india.com and .cesar as a file extension.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Dharma .cesar Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Dharma .cesar Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.cesar Dharma Virus – Distribution

The Dharma .cesar virus is very similar to the original Dharma ransomware, primarily in how it infects and encrypts files. But let us discuss how the infection with this nasty virus takes place first. Since the .cesar variant may have been a part of the RaaS (ransomware-as-a-service) scheme which is quite frequent nowadays, it may not be spread by the same people who are behind the older Dharma ransowmare version. This is because the service itself sells the virus to people who spread it and take a percentage of the paid ransom from the victims, similar to how an affiliate network works.

This is why, to spread the .cesar virus, the cyber-criminals behind the threat may participate in different types of spam campaigns that aim to infect computers in various ways. For this, they are likely using different types of infection tools, like the following:

  • File joiners.
  • Obfuscators.
  • Droppers.
  • Downloader Trojan Horses.
  • Spamming softwares.
  • Pre-set e-mails from which to spam.
  • Online hosts, serving as distribution sites, like the following.

These tools may be combined in different methods of infection, depending on how much the ones infecting with the .cesar Dharma virus have invested in them. The cheapest and most effective method to infect victims with Dharma ransomware has so far been reported to be conducted via the so-called Necurs spam, which exists since 2016. The Necurs strategy is also very famous for spreading viruses, such as the newer Locky ransomware and several other variants. The strategy is the same – an archived e-mail attachment with either a brief message or no message at all, pretending to be legitimate receipt, invoice or other file that should be opened. The spam e-mails which may be sent to you carrying Dharma ransomware may appear like the following example:

Besides this method, other methods may also spread Dharma, like uploading it’s infection file online, posing as a fake installer of programs, games, fake patch, license activator or other type of software.

.cesar File Virus – Malicious Activity

After you have been infected with Dharma ransomware, the malware may connect to one of it’s many distribution websites, after which may download it’s payload files. Those files may pretend to be legitimate Windows processes, such as the following:

{random alpha-numerical name}
{a name of a program that has spelling mistakes, for example pecman instead of pacman}

The files may be dropped in multiple different Windows folders, among which may be the following:


When the virus has been activated it triggers it’s payload files as different processes in the Task Manager. The malicious files of .cesar Dharma ransomware have functions within them that provide the virus with administrative control over your infected computer. Once this control is assumed Dharma ransomware deletes the shadow volume copies on your computer by triggering the vssadmin command without you noticing it:

→ vssadmin delete shadows /for={volume} /oldest /all /shadow={ID of the Shadow} /quiet

In addition to this, Dharma also creates new registry entries in the registry sub-keys Run and RunOnce of Windows Registry Editor. This is done with the purpose of the virus running automatically when you start your PC. The sub-keys have the following locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

How Does .cesar Virus Encrypt Files?

The encryption of Dharma .cesar ransomwarenis conducted with the aid of the AES encryption algorithm. It generates a symmetric key after encryption which is then used for the decryption process. The tricky part is that a custom master key is required for the decryption and it is only available to the cyber-criminals and sent to you after you have paid a hefty ransom fee.

For the encryption process, the Dharma ransomware infection scans for the most commonly used file types, which are most of the following:


After Dharma encrypts the files, it naturally adds the .cesar file extension and the files appear in the following format:

→ {Encrypted File’s name}.id-{custom ID}.{e-mail of the crooks}.cesar

After the encryption, Dharma may display a brief ransom note, which may appear like the following:

“To decrypt files, write to my email btc2017@india.com”

Remove Dharma Virus and Restore .cesar Encrypted Files

If you want to remove the Dharma ransomware virus, we suggest that you follow the removal instructions below. They are designed to help you initially isolate the activity of Dharma and then remove it manually. But bear in mind that manual removal may be tricky, because the virus constantly changes and this is why it is recommended to use the power of the anti-malware removal software. It features regularly updated definitions that will help you remove the .cesar Dharma ransomware automatically and safely.

If you want to restore files that have been encrypted by this ransowmare, we advise you to try our alternative tools in step “2. Restore files encrypted by Dharma .cesar Virus” below. They are not 100% guarantee you will get your files back but with their aid, you may recover most of them.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:


  1. AvatarJesse K

    I was infected with this, and have the virus file and a few encrypted files available if you need samples. Has any progress been made with a decryption tool?

  2. Avatarthebitguru

    A friend’s server was also infected and can share samples for reference. Hopefully, someone can find a solution soon.

  3. AvatarJorge Oliveira Silva

    Some Real solution ?

  4. AvatarStephen

    What are you using to capture samples with? I’ve run 3 different AV tools looking for a sample that can be analyzed and none of them seem to be able to find the malware even though I have encrypted files with the .cesar extension.


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share