.java Files Virus (Dharma Ransomware) - Remove and Restore Files

.java Files Virus (Dharma Ransomware) – Remove and Restore Files

This article aims to help you remove the newly discovered variant of Dharma ransomware virus and show you how you can try and restore as many files, encrypted with .java extension as possible without having to pay ransom to the cyber-criminals behind it.

New variant of Dharma ransomware virus has been detected by malware researchers. The virus uses the .java extension and a unique identification number (for example id-3293991412412.java) which it adds to the files that are encrypted by it. The ransomware also drops a ransom note, which further aims to extort the victims of the virus into paying a hefty ransom fee in order to get access to their encrypted files and make them openable again. In the event that your computer has been infected with this variant of Dharma ransomware, we recommend that you read this article in order to learn how to remove the .java files virus from your computer and try to restore encrypted files.

Threat Summary

Name.java Dharma Virus
TypeRansomware, Cryptovirus
Short DescriptionNew variant of Dharma/CrySiS ransomware family. Uses encryption to make important files on infected PC’s no longer openable and then extorts the victim for payment to get the files back.
SymptomsEncrypts documents, images, videos and other important files and adds the .java file extension after their filename and original extension.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .java Dharma Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .java Dharma Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Update April 2018 – .java Has a New Version Which Increased Infection Rate

The .java iteration of Dharma ransomware has still remained active so far, but the bad news is that the newer version of the virus, using the .arrow file extension has been detected to be featured in new e-mail spam messages, which may also be used to spread the .java files version of Dharma. The e-mails may contain fake document types of files which cause the infection upon being opened. To see how to check if an e-mail you have received is malicious, you can try forwarding the e-mail to the free service ZipeZip which will scan your attachment without you having to risk your PC’s health.

Update February 2018 – .java Dharma Uses New Spam Campaigns

Since February 2018, .java variant of Dharma Ransomware has been reported to perform new different types of activities on the computers of victims primarily concerning it’s payload dropping mechanisms. The malware also has several changes in the e-mails which it uses for ransom. Dharma’s .java variant uses the following e-mails in it’s latest versions:

  • faremar@cock.li
  • decrypthelp@qq.com
  • habibi.habibi3@aol.com
  • black.mirror@qq.com
  • chivas@aolonline.top

Other than that, Dharma’s .java variant still uses the same malicious practice as it did with it’s older variants, sending spam e-mails containing the infection file which infects via RDP (Remote Desktop Protocol), disguised as an important document of some sort.

Update January 2018 – .java Uses New E-mail and Has Other Changes

The new .java version of Dharma / CrySiS ransomware has been reported by malware researcher Michael Gillespie on Twitter to set multiple different types of new identificators on the encrypted files, plus the new e-mail faremar@cock.li. The encrypted files no longer appear the same:

The infection file for the new version has been uploaded to VirusTotal.com with the following parameters:

.java Files Virus – How Does It Infect

The infection process of this ransomware virus is most likely conducted via a well known technique – spam e-mail messages. Such techniques aim to deceive victims into opening a malicious e-mail attachment by believing it is a legitimate document. The e-mail attachments are sent via well-designed spam e-mails that make them appear like:

  • Invoices.
  • Banking statements.
  • Receipts of purchases the user does not recall in making.
  • Other important documents.

The e-mails, carrying this new .java files variant of Dharma ransomware are also cunningly made and they may even deceive experienced users. Here is how such e-mail, carrying the infection file of this variant of Dharma ransomware may appear like:

In addition to via e-mail, the malicious files of .java file extension virus may also be concealed as a legitimate setups of programs, key generators, game fixes, patches, cracks and other software license activators, so users should be careful which websites they download software from and always check the downloaded files on demand. If you do not have any protection software, recommendations are to use an anti-malware program which can automatically scan the files after you have downloaded them and detected if they are malicious or clean.

Dharma .java Files Virus – Malicious Activity

When an infection with the .java Dharma virus takes place on your computer, the first logical step for it is to perform the following activities:

  • Touch system files.
  • Create mutexes.
  • Interact with the Windows Registry Editor.
  • Delete system backups and shadow volume copies.
  • Change wallpaper and drop it’s ransom note so that it can be seen.

The malicious files of Dharma .java ransomware may be located in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

In addition to malicious files, the virus may automatically execute them in order to perform other activities on the infected computer, such as interact with the Run and RunOnce Windows registry sub-keys, that have the following locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Since those keys are responsible for running programs alongside Windows Boot, the virus may also begin to delete the shadow volume copies on the infected machine which makes restoring your files via backup impossible. To do this, the .java file virus may use the following commands in Windows Command Prompt by running a script as an administrator that executes them in quiet mode.

→ bcdedit /set bootstatuspolicy ignoreallfailures
bcdedit /set recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled No
vssadmin delete shadows /for={volume} /oldest /all /shadow={ID of the Shadow} /quiet

After doing so, the latest variant of Dharma is ready to encrypt your important files.

Dharma .java Ransomware – Encryption Process

Similar to other CriSyS variants, the .java Dharma virus also uses the AES encryption algorithm (Advanced Encryption Standard). It’s usage results in the the files’ data, more specifically portion of it to become replaced with data from it’s encryption mode. This results in the files only being able to be unlocked and usable again via a unique asymmetric key which is generated and possibly sent to the server of the cyber-criminals, making them the only ones in power to recover your files. If your computer has been infected with the Dharma.java ransomware, chances are the following file types on it are infected and encrypted:


After the files have been encrypted, they can no longer be opened and their file icon is replaced with a blank one, similar to corrupted files. This variant of Dharma ransowmare does not cheat on it’s style and adds a new file extension .java, alongside which there is a unique identification number of the infected PC and an e-mail to contact the cyber-criminals for ransom payoff. So far, we have detected the following two iterations of encrypted files by the .java Dharma virus:

Remove Dharma Ransomware and Restore .java Encrypted Files

In order to remove this iteration of the Dharma ransomware infections, you should follow the removal instructions below. Be advised, that if you lack the experience in manually removing ransomware viruses like the Dharma .java variant from your computer, security analysts strongly advise to use an advanced anti-malware software which will swiftly and automatically help you remove the Dharma ransomware virus from your computer system and protect it against future infections as well.

You can try to restore files encrypted by this iteration of Dharma ransomware with the alternative methods for file recovery located below in step “2. Restore files encrypted by .java Dharma virus”. However, keep in mind that there is no guarantee that these alternative methods will work.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:


  1. AvatarDigitalJer

    Thanks for this. It’s new enough and has been updated just enough that the currently available decryption tools for Dharma / Crysis don’t work

  2. Avatarmitul

    one of my coworkers just got hit with this thing, the email address it came from is decodingfiles [at] arimail.cc

  3. AvatarPiotrM

    Probably there is new version of Dharani/CrySiS ransomware. It encrypts files and change names to form like this:
    Mo method at this time to restore files.

  4. AvatarPablo

    Hola alguien me puede ayudar a desencriptar archivos que se modificaron con el nombre:



  5. AvatarSalva

    Hola alguien me puede ayudar a desencriptar archivos que se modificaron con el nombre:
    OFERTA CONSIGNA YASDA 950V (26.03.2018 SPANISH) CONFIDENCIAL REV.1.0.xls.id-ECAF8204.[restorehelp@qq.com]

    Muchas gracias

  6. Avatarfranck

    Comment pouvons nous recuperer nos fichier qui sont en cock.li.java?

  7. AvatarPaco

    Actualmente no existe forma de recuperarlos. Guarda los ficheros por si en un futuro, esperemos que cercano publican las claves de desencriptación y puede volver a recuperarlos.


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share