.java Files Virus (Dharma Ransomware) - Remove and Restore Files


This article aims to help you remove the newly discovered variant of the Dharma ransomware virus and shows how you can try to restore as many files encrypted with the .java extension as possible without having to pay a ransom to the cyber-criminals behind it.

A new variant of the Dharma ransomware virus has been detected by malware researchers. The virus uses the .java extension and a unique identification number (for example id-3293991412412.java), which it adds to the files it encrypts. The ransomware also drops a ransom note, which aims to extort victims into paying a hefty ransom fee in order to regain access to their encrypted files and make them openable again. If your computer has been infected with this variant of Dharma ransomware, we recommend that you read this article to learn how to remove the .java files virus from your computer and try to restore encrypted files.

Threat Summary

Name: .java Dharma Virus
Type: Ransomware, Cryptovirus
Short Description: New variant of the Dharma/CrySiS ransomware family. Uses encryption to make important files on infected PCs no longer openable and then extorts the victim for payment to get the files back.
Symptoms: Encrypts documents, images, videos and other important files and adds the .java file extension after their filename and original extension.
Distribution Method: Spam Emails, Email Attachments, Executable files

Update January 2018 – .java Uses New E-mail and Has Other Changes

The new .java version of Dharma / CrySiS ransomware has been reported by malware researcher Michael Gillespie on Twitter to set multiple different types of new identifiers on the encrypted files and to use the new e-mail [email protected]. The encrypted files no longer appear the same:

The infection file for the new version has been uploaded to VirusTotal.com with the following parameters:

.java Files Virus – How Does It Infect

The infection process of this ransomware virus is most likely conducted via a well-known technique: spam e-mail messages. Such messages aim to deceive victims into opening a malicious e-mail attachment by making them believe it is a legitimate document. The attachments arrive in well-designed spam e-mails that make them appear to be:

  • Invoices.
  • Banking statements.
  • Receipts for purchases the user does not recall making.
  • Other important documents.

The e-mails carrying this new .java files variant of Dharma ransomware are also cunningly made and may deceive even experienced users. Here is how an e-mail carrying the infection file of this variant of Dharma ransomware may appear:

Besides e-mail, the malicious files of the .java file extension virus may also be disguised as legitimate program setups, key generators, game fixes, patches, cracks and other software license activators, so users should be careful which websites they download software from and always check downloaded files on demand. If you do not have any protection software, the recommendation is to use an anti-malware program that automatically scans files after you have downloaded them and detects whether they are malicious or clean.

Dharma .java Files Virus – Malicious Activity

When an infection with the .java Dharma virus takes place on your computer, its first logical step is to perform the following activities:

  • Touch system files.
  • Create mutexes.
  • Interact with the Windows Registry Editor.
  • Delete system backups and shadow volume copies.
  • Change the wallpaper and drop its ransom note so that it can be seen.

The malicious files of Dharma .java ransomware may be located in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

In addition to dropping malicious files, the virus may automatically execute them in order to perform other activities on the infected computer, such as interacting with the Run and RunOnce Windows registry sub-keys, which have the following locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Since those keys are responsible for running programs alongside Windows boot, the virus may also begin to delete the shadow volume copies on the infected machine, which makes restoring your files via backup impossible. To do this, the .java file virus may use the following commands in Windows Command Prompt by running a script as an administrator that executes them in quiet mode:

→ bcdedit /set bootstatuspolicy ignoreallfailures
bcdedit /set recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled No
vssadmin delete shadows /for={volume} /oldest /all /shadow={ID of the Shadow} /quiet

After doing so, the latest variant of Dharma is ready to encrypt your important files.
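The commands above leave traces in process-creation logs, so they can be matched for detection. The following is an added example, not part of the original article: the tab-separated log layout, host names, rule names and the triage levels are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Rule names are this example's own; the patterns mirror the commands listed above.
RULES = {
    "boot_failures_ignored": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    "recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "shadow_copies_deleted": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
}

# Constructed process-creation records: timestamp <TAB> host <TAB> command line.
SAMPLE_LOG = [
    "2018-01-10T09:14:01Z\tWS-0142\tcmd.exe /c bcdedit /set {default} recoveryenabled No",
    "2018-01-10T09:14:01Z\tWS-0142\tbcdedit  /set {default} bootstatuspolicy ignoreallfailures",
    '2018-01-10T09:14:02Z\tWS-0142\t"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /all /quiet',
    "2018-01-10T10:02:40Z\tSRV-BKP01\tvssadmin list shadows",
    "2018-01-10T10:05:11Z\tSRV-BKP01\tvssadmin delete shadows /for=D: /oldest",
]

def normalize(cmdline):
    """Drop quotes, collapse whitespace and lower-case so casing and padding do not matter."""
    return re.sub(r"\s+", " ", cmdline.replace('"', " ")).strip().lower()

def scan(lines):
    """Return {host: {rule_name: [timestamps]}} for every record that matches a rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # malformed record: skip rather than guess at the fields
        ts, host, cmd = parts
        norm = normalize(cmd)
        for name, rx in RULES.items():
            if rx.search(norm):
                hits[host][name].append(ts)
    return hits

def triage(hits):
    """'high' when shadow copies are deleted and boot recovery is also tampered with on one host."""
    verdicts = {}
    for host, rules in hits.items():
        tampered = {"recovery_disabled", "boot_failures_ignored"} & set(rules)
        deleted = "shadow_copies_deleted" in rules
        verdicts[host] = "high" if deleted and tampered else "review"
    return verdicts

if __name__ == "__main__":
    for host, level in triage(scan(SAMPLE_LOG)).items():
        print(host, level)
```

A lone shadow-copy deletion, as on the constructed backup server, is left at "review" because administrators also prune snapshots; the combination with disabled boot recovery is what matches the sequence described above.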

Dharma .java Ransomware – Encryption Process

Similar to other CrySiS variants, the .java Dharma virus also uses the AES encryption algorithm (Advanced Encryption Standard). Its use results in the files’ data, more specifically a portion of it, being replaced with data from its encryption mode. As a result, the files can only be unlocked and made usable again via a unique asymmetric key, which is generated and possibly sent to the server of the cyber-criminals, making them the only ones able to recover your files. If your computer has been infected with the Dharma .java ransomware, chances are the following file types on it are infected and encrypted:


After the files have been encrypted, they can no longer be opened and their file icon is replaced with a blank one, similar to corrupted files. This variant of Dharma ransomware stays true to its style and adds a new file extension, .java, alongside a unique identification number of the infected PC and an e-mail address for contacting the cyber-criminals about the ransom payoff. So far, we have detected the following two iterations of encrypted files by the .java Dharma virus:
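For scoping an infection, the naming scheme described in this section can be used to inventory affected files without flagging ordinary Java source files, which share the .java extension. The following is an added example, not part of the original article: the bracketed contact segment in the filename is an assumed layout, and all file names are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# "<original name>.id-<ID>.java"; the optional ".[contact]" segment between the
# ID and ".java" is an assumption, since the page's filename samples are missing.
MARKER = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Za-z]+)"
    r"(?:\.\[(?P<contact>[^\]]+)\])?\.java$", re.IGNORECASE)

def parse_name(filename):
    """Return original name, victim ID and contact, or None for unaffected files."""
    m = MARKER.match(filename)
    return m.groupdict() if m else None

def inventory(root):
    """Group affected files under root by victim ID: {id: [(path, original_name)]}."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = parse_name(name)
            if info:
                found[info["victim_id"]].append(
                    (os.path.join(dirpath, name), info["original"]))
    return dict(found)

def demo():
    """Build a constructed directory tree and return {victim_id: sorted original names}."""
    names = [
        "report.docx.id-3293991412412.java",                          # ID from the page
        "photo.jpg.id-3293991412412.[contact@example.invalid].java",  # assumed layout
        "Main.java",   # ordinary Java source file: must not be flagged
        "notes.txt",   # untouched file
    ]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        for i, name in enumerate(names):
            sub = "src" if i % 2 else ""
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"constructed sample")
        return {vid: sorted(orig for _p, orig in items)
                for vid, items in inventory(root).items()}

if __name__ == "__main__":
    print(demo())
```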

Remove Dharma Ransomware and Restore .java Encrypted Files

In order to remove this iteration of the Dharma ransomware infection, you should follow the removal instructions below. Be advised that if you lack experience in manually removing ransomware viruses like the Dharma .java variant from your computer, security analysts strongly advise using advanced anti-malware software, which will swiftly and automatically help you remove the Dharma ransomware virus from your computer system and protect it against future infections as well.

You can try to restore files encrypted by this iteration of Dharma ransomware with the alternative methods for file recovery located below in step “2. Restore files encrypted by .java Dharma virus”. However, keep in mind that there is no guarantee that these alternative methods will work.

Manually delete .java Dharma Virus from your computer

Note! Important notice about the .java Dharma Virus threat: Manual removal of .java Dharma Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove .java Dharma Virus files and objects
2. Find malicious files created by .java Dharma Virus on your PC

Automatically remove .java Dharma Virus by downloading an advanced anti-malware program

1. Remove .java Dharma Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .java Dharma Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.


1 Comment

  1. DigitalJer

    Thanks for this. It’s new enough and has been updated just enough that the currently available decryption tools for Dharma / Crysis don’t work 🙁

