Dharma ransomware virus. How to remove? (Uninstall guide)

Removal by Jake Doevan | Type: Ransomware

Dharma ransomware is a cryptovirus that uses a contact email address and a random combination of letters to mark encrypted files

The ransom note of Dharma ransomware virus
Dharma ransomware virus was discovered in 2016 and has kept receiving updates into 2019. The latest file extensions are .gif, .AUF, .USA, .xwx, .best, and .heets.


Dharma is a crypto-virus that first struck in 2016 and keeps releasing new versions regularly. In September 2018 alone, three new variants came out: Brrr ransomware, Gamma ransomware, and .bkp file virus. The variants which appeared in 2019 have started appending the .gif, .AUF, .USA, .xwx, .best, and .heets file extensions. The malware uses the AES encryption algorithm to encrypt data and drops a ransom note into each affected folder – Info.hta or FILES ENCRYPTED.txt – asking victims to write to the contact email addresses listed in the note. Even though Dharma keeps introducing new file extensions and using different email addresses, the names of the ransom notes remain unchanged.

Name Dharma
Type Ransomware
Danger level High. Makes system changes and encrypts files
Release date 2016
Appended file extensions .java, .cesar, .cezar, .wallet, .zzzzz, .dharma, .arrow, .write, .onion, .java2018@tuta io.arrow, .bip, .combo, .brrr, .gamma, .bkp, .like, .gdb, .xxxxx, .AUF, .USA, .xwx, .best and .heets
Ransom note Info.hta and FILES ENCRYPTED.txt
Contact email addresses Several addresses, varying by variant (listed in the ransom note)
Distribution Malicious spam emails
Data recovery Some versions of the virus can be decrypted with a free decryptor
To uninstall Dharma, install Reimage and run a full system scan

Dharma ransomware has been spreading as an alternative to Crysis ransomware, as the two share similar traits and are considered to be closely related. However, Crysis is not the only relative of the infamous Dharma. The ransomware first caught malware analysts' attention in November 2016.[1]

In the beginning, many speculations emerged about this cyber infection. Experts actively discussed whether this virus was an original creation or just a newer version of some larger family of crypto ransomware, and whether it could be as dangerous as Locky virus.[2] Since then, Dharma (the .cezar family) has proved that the virus is ready for anything.

As we have already mentioned, since the appearance of this ransomware, experts have pointed out its resemblance to the CrySiS ransomware and the fact that the initial version of the virus can be decrypted. Another parallel with CrySiS is that someone (probably someone involved in the ransomware's development) published a large number of Dharma decryption keys on an Internet forum. Consequently, the decryption tool for the initial virus was updated[3] and victims can now try to decrypt their files again – the chances are high that one of the leaked keys will unlock your files.

Since 2016, ransomware researchers have revealed more than ten versions of this infection, which differ in the file extension they append (.java, .cesar, .cezar, .wallet, .zzzzz, .dharma, .xxxxx, .gdb).

Even though this crypto-malware was silent for several months after the Dharma decryptor became available, it is now back with several new versions which are not yet decryptable. Some of the relatively new strains use the .java and .write file extensions, also written as [].java and [].write. In 2018, a couple of new variants were released as well.

One Dharma variant, detected at the beginning of March 2018, is known for appending the .id-.[].arrow file extension to all encrypted files. Consequently, it might be referred to as .id-.[].arrow file extension virus. Another variant was detected in May. It adds the [].bip extension to targeted files and is called .bip Files Virus.

A couple of weeks after Bip Dharma ransomware was discovered, researchers reported a new variant lurking on the web and attacking computer users. This variant appends the .java2018@tuta io.arrow suffix to the encoded files. Just like other versions, this one also delivers a ransom note in which victims are asked to send an email to one of two listed addresses to learn how much the decryption tool costs.

In July 2018, security experts discovered the Combo Dharma variant. As its name suggests, it uses the .combo file extension to mark encrypted data. The full pattern of this extension reads: “[victim's ID-here].[].combo.”

Dharma Cezar ransomware variant
Dharma ransomware - a cryptovirus which has numerous variants that have been actively infecting users behind their back.

Probably the most widespread Dharma ransomware version is known to use two email addresses for informing people about their encrypted files[4] and asking them to pay a ransom. This information is also provided in info.hta or a differently titled ransom note.

We should add that, according to the latest reports, the current versions use these extensions to mark encrypted files:

  • .cesar,
  • .onion,
  • .dharma,
  • .wallet,
  • .zzzzz,
  • .arena,
  • .cezar,
  • .java,
  • .write,
  • .bip,
  • .java2018@tuta io.arrow,
  • .combo,
  • .brrr,
  • .gamma,
  • .bkp,
  • .like,
  • .gdb,
  • .xxxxx,
  • .AUF,
  • .USA,
  • .xwx,
  • .best,
  • .heets.

In April 2017, malware researchers spotted a new version of the virus lurking on the web. Because of the file extension it appends, this variant is called .onion file extension virus. At that point it had not started spreading actively yet; however, it might be the hackers' revenge and another attempt to develop a hazardous cyber threat.

On the day of its appearance, security experts did not know much about Dharma in general and believed it to be one of the new-generation viruses.[5] It seems that the virus developers were trying to keep it as obscure as possible and did not follow the typical patterns other ransomware creators do. For instance, the virus did not drop ransom notes or any other additional documents that would let you know about the virus hiding in the system.

Also, in November 2016, antivirus utilities did not seem to detect it either, which significantly complicated Dharma removal. Nonetheless, you can now use security software, such as Reimage, to eliminate this ransomware from the computer. Thus, before taking any virus removal steps, make sure you have the proper tools to back you up.

The latest versions of ransomware leave a simple ransom note on the infected computer that reads:

At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:

As you can see, victims have to contact the criminals via the email address provided in the note and ask them about the ransom needed to recover the affected files. Apart from the email address, you will also see .cezar, .cesar, .dharma, .wallet, .java, .write or .zzzzz appended at the very end of the file name. For instance, if your file is named picture.jpg, the encrypted version of the file will be named picture.jpg.[email_address].dharma or picture.jpg.[].write.
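The naming scheme described above (original name, optional victim ID, contact address in square brackets, variant extension) is regular enough to be recognised programmatically, which is useful for a first triage of a file share after an incident. The following added example, written for this page and not code from the original article, classifies file names against that scheme and counts ransom notes; it assumes the victim ID is eight hexadecimal characters (the article only says "8 characters") and all file names, IDs and addresses in it are constructed placeholders, not real indicators.

```python
import os
import re
from collections import Counter

# Extensions the article lists for Dharma/CrySiS variants (lower-cased for matching).
DHARMA_EXTENSIONS = {
    "java", "cesar", "cezar", "wallet", "zzzzz", "dharma", "arrow", "write",
    "onion", "bip", "combo", "brrr", "gamma", "bkp", "like", "gdb", "xxxxx",
    "auf", "usa", "xwx", "best", "heets", "arena", "cobra", "gif",
}
# Ransom note file names given in the article (compared case-insensitively).
RANSOM_NOTES = {"info.hta", "files encrypted.txt"}

# Full pattern:  <original>.id-<8 chars>.[<email>].<ext>
# Older pattern: <original>.[<email>].<ext>   (no victim ID)
# Assumption made here: the 8-character ID is hexadecimal; the dot before "[" is optional
# because the article also shows the form picture.jpg[email_address].dharma.
_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id-(?P<victim_id>[0-9A-Fa-f]{8}))?"
    r"\.?\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def classify_name(name):
    """Return a dict describing the name if it matches the Dharma scheme, else None."""
    m = _NAME_RE.match(name)
    if not m or m.group("ext").lower() not in DHARMA_EXTENSIONS:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id"),
        "email": m.group("email").lower(),
        "ext": m.group("ext").lower(),
    }


def summarize(names):
    """Aggregate findings over an iterable of file basenames."""
    encrypted = [c for c in map(classify_name, names) if c]
    notes = [n for n in names if n.lower() in RANSOM_NOTES]
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": len(notes),
        "extensions": Counter(c["ext"] for c in encrypted),
        "contact_emails": sorted({c["email"] for c in encrypted}),
        "victim_ids": sorted({c["victim_id"] for c in encrypted if c["victim_id"]}),
    }


def scan_tree(root):
    """Walk a directory tree and summarize every file name found in it."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return summarize(names)


# Constructed sample names; the ID and address are placeholders, not real IoCs.
SAMPLE_NAMES = [
    "report.docx.id-1A2B3C4D.[contact@example.invalid].arrow",
    "picture.jpg.[contact@example.invalid].dharma",
    "budget.xlsx.id-1A2B3C4D.[contact@example.invalid].bip",
    "Info.hta",
    "FILES ENCRYPTED.txt",
    "notes.txt",
    "archive.tar.gz",
    "readme.[not-an-email].java",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NAMES).items():
        print(f"{key}: {value}")
```

Run `scan_tree("/path/to/share")` against a mounted copy of the affected volume to get the same summary for real data; a single victim ID and contact address across many files is what a Dharma infection looks like, and the extension tally tells you which variant (and therefore which decryptor, if any) you are dealing with.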

It is interesting that the email addresses the hackers provide vary. So, when infected with the virus, you might be required to write to any of several addresses (one of these variants drops a worm.exe file on the system). One of the latest variants, Arena, recommends writing to yet another address. We strongly suggest not doing that. You have absolutely no way of knowing what to expect from this bunch of extortionists or how contacting them might end.

It is more reasonable to simply remove Dharma and use your computer normally again. If you keep using the machine while the ransomware is still running, every reboot will result in newly encrypted files.

Important information. Speaking of data recovery methods, you can restore your files with the help of a data backup or an updated Rakhni decryption tool. However, one of our 2-Spyware visitors has reported a surprising decryption method that helped him restore files with the .[].dharma extension for free: he managed to restore encrypted data archives using the 7-Zip program. For more information, see the data recovery methods described below the article.

Versions of Dharma ransomware

Dharma ransomware virus. Developers have released an updated version of Dharma ransomware which is named after the file extension it uses. Just like any other dangerous ransomware-type infection,[6] it aims to encrypt important files on the targeted computer to gain illegal profits.

The easiest way to recognize this ransomware version is to check the file extension: documents encoded by it are appended with the [].dharma extension. It consists of two parts: the email address and the actual extension.

Including the email address is an attempt to urge you to contact the crooks for the decryption tool. However, if you reach out to them, there is a high risk that they will make you pay without giving you the decryption key. Thus, we do not recommend following the attackers' rules.

Luckily, you can restore your files using Dharma Decrypter. Therefore, there is no need to motivate the criminals to continue their illegal activities by paying the ransom.

Zzzzz ransomware virus. This is another version that shares its extension with the infamous Locky virus. It is not clear whether the zzzzz developers borrowed Locky's idea or whether the use of the same extension to mark encrypted files is a sheer coincidence. Either way, these viruses are not related and are based on different code. Nevertheless, this does not make the zzzzz virus any less dangerous than Locky.

It still encrypts files, making them inaccessible to the victims, and demands payment for the access key. You may use Dharma Decrypter to attempt zzzzz file recovery, but the most important thing is to remove the virus from your computer to prevent further damage.

Wallet ransomware virus. Wallet is the Dharma version which appends the .wallet extension to encrypted files. Ransomware victims are likewise urged to contact the criminals via the given email address, and the note gives no specific details upfront. The virus makes sure the victims are acquainted with the data recovery conditions by replacing the infected computer's desktop wallpaper with an image of the ransom note.

Besides, the extortionists set a 72-hour limit to pay the ransom and claim that if victims fail to pay in time, the decryption key will be destroyed and they will lose access to their files forever. Of course, there are always alternatives and you do not have to succumb to the criminals' demands. Just scroll down to the end of this article and check out the data recovery options recommended by experts.

.onion file virus. This Dharma variant was spotted in April 2017. The virus spreads via malicious email attachments, and once the victim opens an infected attachment, the malware sneaks inside the system. On the affected device, the ransomware scans the system for the targeted file types. For data encryption, it uses a sophisticated algorithm that prevents users from accessing their files.

The ransomware appends the .onion file extension to encoded documents, PDFs, video, audio, image files, databases, and other popular file types. The authors of the virus claim that purchasing decryption software from them is the only option to regain access to your data; you should not rely on their words. After the attack, you should focus on malware removal and later look for data recovery possibilities.

Cezar ransomware virus. This virus emerged in the middle of August 2017, and it is also known as Cesar ransomware virus. It is named after the file extension that it adds to encrypted files, .cezar or .cesar respectively. The virus suggests writing to the provided address for instructions on how to recover encrypted files, so it works as a typical Dharma version.

The aim of the virus is to force the victim to get in touch with the cybercriminals and start negotiations regarding data recovery. The criminals will ask you to pay an enormous ransom in Bitcoins and promise to provide a decryption key afterward. Unfortunately, criminals cannot be trusted, so we do not recommend putting much effort into trying to make them restore your files. Chances are they never will.

Arena ransomware virus. Arena virus is another addition to the Dharma malware family. It was spotted by security researcher Michael Gillespie on August 23rd, 2017. The variant appends the traditional extension pattern – .id-[ID].[criminal's email address].arena. The virus then writes its ransom note to a file called FILES ENCRYPTED.txt.

Dharma Arena ransomware version
Dharma Arena ransomware is appending .arena file extension.

The virus suggests contacting the criminals via an email address, leaving no hints about the price of the decryption key. Unfortunately, at the moment the only thing that can help you restore your files is a data backup. Remove Arena ransomware before plugging the backup into your computer; otherwise, the virus will encrypt the files stored on it as well.

.Java file extension virus. The developers of Dharma have been updating their malware from time to time. While they cannot compete with the authors of the GlobeImposter ransomware group, who have been updating their virus almost every day, Dharma can still be considered persistent malware.

Since the last update, security experts have reported several new versions. One variation attaches the .id-.[].cobra file extension. The ransom note also includes the email address mentioned in the extension.

Meanwhile, the second Crysis/Dharma version attaches these extensions:

  • .id-8-characters.[].java[7]
  • .[].java
  • .id-8-characters.[].java

It is believed that there are more than three versions of this Java ransomware spreading on the Internet, so be careful while browsing the web. At the moment, security experts do not report significant changes in the virus source code; they only warn users to be careful with spam that spreads using the subject line “The Request Invoice.”

Here is the message content:

Here is the Invoice you requested. Please make sure to print it, sign it and scan it to send it back to us.
Best Regards,
Tim Brooks
Sales Department

Note the absence of full company credentials and a logo. Counterfeit messages hiding malware often contain grammar mistakes and typos.

This version also inflicts quite significant damage on the system: it disables system recovery and deletes shadow volume copies. Since this greatly reduces the number of alternative data recovery options, it is recommended to remove the Java virus immediately.

Dharma Java ransomware image
Dharma Java ransomware is one of the most aggressive examples of the cryptovirus.

.write file extension virus. After several months of silence, the developers decided to update Dharma ransomware once again. Even though there are not many changes overall, they switched to a different file extension and contact email address to protect their identity.

The upgraded variant appends the .write or [].write extension after encrypting important data stored on the targeted system. At that point, the files become unusable and victims are encouraged to pay the ransom in exchange for a decryption tool.

Once the victims receive the ransom-demanding message, they are urged to contact the criminals via the given email address. However, keep in mind that the criminals will try to persuade you to make the transaction while you have no guarantee of getting a Dharma decryptor.

It is important to know that .write file extension virus is currently undecryptable. However, that does not mean that the only way to regain access to your files is to pay the ransom. There are ways to recover data without obeying the crooks' demands. For that, we recommend checking the decryption steps at the end of this article.

.id-.[].arrow file extension virus. The developers of Dharma ransomware are not going to stop, as the recent discovery reveals. Ransomware researchers detected yet another altered version of the malware, which appends the .id-.[].arrow file extension to encrypted files.

It was first noticed at the beginning of March 2018. Analysis indicates that it is built on the .cezar version. Although the size of the ransom demanded is not clear, it is clear that the extortionists can be contacted via either of two listed email addresses.

Bip ransomware virus. In the middle of March 2018, another Dharma variant was noticed appending the [].bip file extension during data encryption. The virus deletes shadow volume copies in order to make data recovery nearly impossible unless you have backups.
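Both the Java and the Bip variants are described above as disabling system recovery and deleting shadow volume copies, which is exactly the behaviour a defender wants to alert on early, because it precedes or accompanies the encryption itself. The added example below, written for this page and not code from the original article, runs a small detection rule set over constructed process-creation log lines and groups the hits by parent process. The article does not name the commands the variants use; the command-line patterns here (vssadmin, wmic shadowcopy, bcdedit) are an assumption based on the tooling commonly used for this purpose, and the log format, hostnames and PIDs are constructed for the example.

```python
import re

# Detection rules: (rule name, pattern matched against the process command line).
# Assumption for this example: shadow copies and recovery are tampered with via these tools.
SHADOW_TAMPER_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

# Constructed key=value process-creation log format with a quoted command line.
_LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'ppid=(?P<ppid>\d+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matched_rule(cmd):
    """Return the name of the first rule the command line triggers, or None."""
    for name, pattern in SHADOW_TAMPER_PATTERNS:
        if pattern.search(cmd):
            return name
    return None


def find_alerts(log_text):
    """Return one alert per log line whose command line matches a tampering rule."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event:
            continue  # malformed or unrelated line; a real pipeline would count these
        rule = matched_rule(event["cmd"])
        if rule:
            alerts.append({
                "ts": event["ts"], "host": event["host"], "user": event["user"],
                "pid": int(event["pid"]), "ppid": int(event["ppid"]),
                "rule": rule, "cmd": event["cmd"],
            })
    return alerts


def group_by_parent(alerts):
    """Map (host, parent PID) to the list of rules its children triggered, in order.

    One parent spawning several tampering commands in a row is a much stronger
    signal than any single command, which an administrator may also run legitimately.
    """
    groups = {}
    for a in alerts:
        groups.setdefault((a["host"], a["ppid"]), []).append(a["rule"])
    return groups


# Constructed sample log: one parent (pid 4096) on WS01 runs three tampering commands;
# a backup service on WS02 only lists shadows, which must not alert.
SAMPLE_LOG = """\
2018-03-05T10:12:31Z host=WS01 user=alice pid=4100 ppid=3188 image=C:\\Windows\\explorer.exe cmd="explorer.exe"
2018-03-05T10:12:33Z host=WS01 user=alice pid=4120 ppid=4096 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2018-03-05T10:12:34Z host=WS01 user=alice pid=4124 ppid=4096 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic.exe shadowcopy delete"
2018-03-05T10:12:35Z host=WS01 user=alice pid=4130 ppid=4096 image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit.exe /set {default} recoveryenabled No"
2018-03-05T11:02:10Z host=WS02 user=backupsvc pid=512 ppid=480 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe List Shadows"
"""

if __name__ == "__main__":
    hits = find_alerts(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["host"]} pid={hit["pid"]} ppid={hit["ppid"]} {hit["rule"]}: {hit["cmd"]}')
    for (host, ppid), rules in group_by_parent(hits).items():
        print(f"{host} parent {ppid} triggered {len(rules)} rules: {', '.join(rules)}")
```

Feed the same rules to whatever collects process-creation events in your environment and escalate when one parent triggers two or more of them within a short window; that is the moment to isolate the host, because the encryption that follows cannot be undone from shadow copies afterwards.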

Dharma Bip ransomware example
Dharma ransomware is using AES encryption algorithm to lock target files and make them useless.

Following the encryption procedure, .bip file virus drops two ransom notes, Info.hta and FILES ENCRYPTED.txt, in which victims are asked to send an email to Beamsell@qq.comi to get data recovery instructions. It is unknown how much money the developers of the virus demand; however, it is still not worth paying them. We recommend focusing on Bip removal instead.

.java2018@tuta io.arrow file extension virus. This variant emerged at the end of May 2018. It appends the .[email].arrow file extension to encrypted files. Immediately after the encryption, the ransomware drops a ransom note in which victims are asked to contact the crooks immediately. According to the note, the faster they write, the less they need to pay.

The crooks use two contact email addresses. However, it is not recommended to discuss data recovery possibilities with the developers of the ransomware; this may not lead to any good. They will ask you to pay the ransom, but there is no guarantee that they will let you decrypt your files. Hence, it is better to eliminate the ransomware from the system.

In the second week of September 2018, Brrr ransomware came to light. Files are encrypted with the .[].brrr pattern, and the same two ransom note files are dropped as in most of the previous versions. The ransom note contains a contact email address and an offer to decrypt one file smaller than 1Mb for free. This move is pure manipulation and you should not fall for the trick.

Less than a week later, Gamma ransomware was detected as yet another new version in the Dharma family. It follows the same pattern as other versions, with no stated ransom amount, an offer of a test decryption, and the following features:

  • .id-%ID%.[].gamma file extension;
  • ransom note files called Info.hta and FILES ENCRYPTED.txt;
  • a contact email address.

September 2018 was a big month for Dharma ransomware. The newest version, with the .bkp file extension, was discovered on the 17th. Like the other variants, it delivers the same ransom note files, named Info.hta and FILES ENCRYPTED.txt, and adds a new contact email address to the mix. At the time of writing, there were about 10 known victims affected by this particular version, which also remains undecryptable.

Suspicious email attachments might include ransomware executable

Just like many other ransomware-type viruses, this one takes advantage of naive computer users and employs phishing[8] techniques to infect the targeted systems. One of the most popular ways is malspam campaigns, which trick gullible people into opening malicious attachments carrying the ransomware payload. Despite the available information about precautionary measures which help inexperienced computer users protect their systems, many people continue to fall for the same attacker tricks.

Dharma ransomware malspam examples
Dharma cryptovirus has mostly been spreading with the help of spam.[9] Our team has prepared tips to avoid ransomware infiltration. We kindly ask you to do the following if you want to protect your computer:

  • If you receive an email from an unknown sender, company or institution, investigate it carefully.
  • Think about whether you expected such an email in the first place; if you have no idea why it has reached your inbox, it might be that you are being targeted by extortionists.
  • In such a case, stay away from any attachments added to the email and delete it immediately. Otherwise, Dharma can sneak its malicious payload in with a fake plane ticket, speeding ticket or any other document that looks convincing enough to be taken at face value.

Removal instructions for Dharma malware

It is evident that ransomware-type threats are highly dangerous and tricky. People can either get help from an IT specialist or employ professional Dharma removal software. Note that such cyber infections have numerous components and are able to hide them or disguise them as legitimate system processes.

That is why you cannot remove Dharma directly and need to complete a few extra steps before you run the system scan. We have presented these steps below. Feel free to use them and do not forget to scan your system automatically afterward! We suggest using one of these tools: Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

Dharma ransomware virus snapshot
Dharma Bip ransom note

To remove Dharma virus, follow these steps:

Remove Dharma using Safe Mode with Networking

In order to make the ransomware inactive and let you install the security software, you need to boot your system into Safe Mode with Networking. Here are the instructions which will guide you through the process:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Dharma

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it, run a full system scan, and remove the malicious files that belong to the ransomware to complete Dharma removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Dharma using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Dharma. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that Dharma removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Dharma from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by security experts.

If your files are encrypted by Dharma, you can use several methods to restore them:

Get Data Recovery Pro tool

Experts highly recommend this recovery software for those who would like to save time and get back access to their data automatically.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Dharma ransomware;
  • Restore them.

You can recover individual files with Windows Previous Versions feature

Luckily, Windows users can recover individual files encrypted by Dharma right now. The only requirement is that the System Restore function was enabled before the ransomware entered the computer.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

IMPORTANT. How to use the Dharma decryptor

Dharma ransomware victims are lucky, since numerous decryption keys have been leaked online. Likewise, Kaspersky Lab has already upgraded its Rakhni decryptor, which is now able to decrypt files with the .dharma extension. Try it: you can download it here.

In case the decryptor fails to decrypt your files: our team recently received a message from a person who said one of his clients got infected with the .[].dharma ransomware version. Surprisingly, our site visitor reported that he managed to restore encrypted data archives by extracting them with 7-Zip. We suggest you try this method if you have not already. You can find the original comment from the visitor in the comments section below.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Dharma and other ransomware, use a reputable anti-spyware tool, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Jake Doevan - Computer technology expert
