.war Files Virus (Dharma) – How to Remove It

.war Files Virus (Dharma) – How to Remove It

remove war files virus dharma ransomware restore data sensorstechforum guide

This article explains the issues that occur in case of infection with .war files virus and provides a complete guide on how to remove malicious files and how to potentially recover files encrypted by this ransomware.

Another strain of Dharma ransomware has been detected in the wild once again. Hackers who stand behind the infection campaigns with this ransomware have chosen the specific extension .war for their iteration. Once this threat accesses your device it implements a sequence of malicious activities in order to become able to utilize sophisticated cipher algorithm that in turn encrypts valuable data. The purpose of these activities is ransom fee extortion. So at the end of the attack, the ransomware loads a ransom message on your screen and forces you to contact hackers for more information on how to restore .war files.

Threat Summary

Name.war Files Virus
TypeRansomware, Cryptovirus
Short DescriptionA version of the CrySyS/Dharma ransomware that is designed to encrypt valuable files stored on infected computers and then extort a ransom from victims.
SymptomsImportant files are encrypted and renamed with the extension .war. A ransom note appears on PC screen to present ransom payment instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .war Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .war Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.war Files Virus – Distribution

There are several channels that may be used for the distribution of Dharma .war ransomware. One of those methods is called malwspam. It provides hackers the chance to spread malicious via massive email campaigns. Their malware is usually embedded in any file of common types. As of the emails they are often presented as sent by any legitimate business or service. Unfortunately, their purpose is to trick you into opening the corrupted file on your device and this way trigger the ransomware payload. A variety of common file types such as documents, PDFs, images could be transformed into carriers of ransomware code.

These files are often presented as the following:

  • Invoices coming from reputable sites, like PayPal, eBay, etc.
  • Documents from what appears to be the victim’s bank.
  • An online order confirmation note.
  • Receipt for a purchase.
  • Others.

Malware authors may be also using compromised sites to spread this variant of Dharma ransomware infection. This method enables them to upload the ransomware configuration file to a compromised web page and set its automatic execution after a registered visit of this page.

.war Files Virus – Overview

The reason why this threat is dubbed .war files virus is an extension of the same name which it appends to each encrypted file. As identified by security researchers this threat is a strain of the infamous Dharma ransomware. In fact, it appears on the malware scene after a series of many other relatively new strains of the same ransomware family. Like its predecessors among which are

What is Dharma ransomware? What are .adobe files? How to remove Dharma .adobe ransomware from your PC and how to stop Dharma from infecting it in the future?
Dharma .adobe,
What are .btc Files? How to remove Dharma .btc files virus from your PC? How to try and make .btc files to be able to work again?
Dharma .btc,
The .brrr Dharma virus has been identified in an attack encrypting the victim files with the .brrr extension, read more in our removal guide
Dharma .brrr and many others, Dharma .war attacks the operating systems of various machines in order to access valuable data stored on the drives.

Soon after the execution of its payload file on your PC, lots of system changes could be noticed. These changes occur as a result of many malicious activities performed by the ransomware. Among the malicious activities applied during the attack could modifications of registry system keys. Usually, target keys are Run and RunOnce due to the fact that they manage the automatic execution of all essential system files that load on each system start. So here are the locations that you should access in order to check for any malicious entries:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

When .war files virus implements all initial compromises it triggers a built-in encryption module in order to encode all files that belong to its target data list. Unfortunately, it is likely to encode all types of files that store valuable data including:

  • Audio files.
  • Videos.
  • Image files.
  • Databases.
  • Archives.

Once a file is encrypted by this crypto virus it receives several extensions the last of which is the extension .war. Before it you could see an email address which is associated with hackers. The same email could be seen in the text presented by Dharma .war ransom note which is contained in a file called FILES ENCRYPTED.txt. The purpose of this note is to force you into contacting hackers so that they could send you back more details on how to restore your .war files. Usually this is possible only after you pay them a ransom in Bitcoin.

The good news is that you have the chance to restore .war files with the help of alternative data recovery tools and eventually prevent being tricked by hackers again.

Remove .war Files Virus and Restore Datas

The so-called .war files virus is a threat with highly complex code that plagues not only your files but your whole system. So infected system should be cleaned and secured properly before you could use it regularly again. Below you could find a step-by-step removal guide that may be helpful in attempting to remove this ransomware. Choose the manual removal approach if you have previous experience with malware files. If you don’t feel comfortable with the manual steps select the automatic section from the guide. Steps there enable you to check the infected system for ransomware files and remove them with a few mouse clicks.

In order to keep your system safe from ransomware and other types of malware in future, you should install and maintain a reliable anti-malware program. Additional security layer that could prevent the occurrence of ransomware attacks is

With the different types of ransomware emerging and evolving on a daily basis, a need for better protection against such viruses arises. A more specific kind of protection is always necessary, in addition to any anti-malware tools. The following article...Read more
anti-ransomware tool.

Make sure to read carefully all the details mentioned in the step “Restore files” if you want to understand how to fix encrypted files without paying the ransom. Beware that before data recovery process you should back up all encrypted files to an external drive as this will prevent their irreversible loss.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share