Dharma ransomware virus. How to remove? (Uninstall guide)

by Jake Doevan | Type: Ransomware

Dharma ransomware gets updated

Dharma is a dangerous crypto-virus which is alternatively known as Crysis ransomware. It hails from a huge ransomware group that uses .dharma, .wallet, .zzzzz, .cezar, .cesar and .java file extensions to mark files it encrypts on the victim's computer. The virus is designed to work as a virtual extortion tool that corrupts all files with a sophisticated encryption algorithm and leaves a ransom note filled with instructions on how to pay a ransom to recover encrypted data.

In the beginning of 2017, it seemed the era of Dharma ransomware came to an end because of the leak of the decryption software. However, after a couple of months of silence, a new variant, called .java or [].java, was spotted spreading in the wild. 

Dharma first caught malware analysts' attention in November 2016.[1] In the beginning, many speculations emerged about this cyber infection. Experts have been actively discussing whether this virus is an original creation of ransomware developers or just a newer version of some larger family of crypto ransomware. Also, could it be as dangerous as Locky virus?[2]

As we have already mentioned, since the appearance of this ransomware, experts have pointed out its resemblance to the CrySiS ransomware and the fact that the initial version of the virus can be decrypted. Another fact that resembles CrySiS malware is that someone (probably someone involved in ransomware development) published a lot of Dharma decryption keys on an Internet forum. Consequently, the initial virus' decryption tool was updated[3] and now victims can try to decrypt their files again – the chances are high that one of the leaked keys will unlock your files.

Probably the most widespread Dharma ransomware version is known to use and for informing people about their encrypted files[4] and ask them to pay a ransom. This information is also provided in info.hta or differently titled ransom note.

We should add that, according to the latest reports, the current versions of Dharma use these extensions to mark encrypted files:

  • .cesar, 
  • .onion,
  • .dharma, 
  • .wallet, 
  • .zzzzz,
  • .arena,
  • .cezar,
  • .java. 

In April 2017, malware researchers spotted a new version of the virus lurking on the web. Due to the appended file extension, this recent variant is called .onion file extension virus. The virus hasn't started spreading actively yet; however, it might be a hackers' revenge and another attempt to develop a hazardous cyber threat.

On the day of its appearance, security experts didn't know much about Dharma in general and believed it to be one of the new-generation viruses.[5] It seems that the virus developers were trying to keep it as obscure as possible and didn't follow the typical patterns other ransomware creators do. For instance, the virus did not drop ransom notes or any other additional documents that would let you know about the virus hiding in the system.

Also, in November, antivirus utilities did not seem to detect it either, significantly complicating Dharma removal. Nonetheless, you can now use such software, like Reimage, for instance, to eliminate this ransomware from the computer. Thus, before taking any virus removal steps, make sure you have the proper tools to back you up.

The latest versions of Dharma ransomware do leave a simple ransom note on the infected computer that reads:

At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:

As you can see, victims have to contact the criminals via an email address provided in the note and ask them about the ransom needed to recover the affected files. Apart from the email, you will also see .cezar, .cesar, .dharma, .wallet, .java or .zzzzz pinned at the very end of the string. For instance, if your file is labeled as picture.jpg, the affected version of the file will be picture.jpg[email_address].dharma or picture.jpg[].java.

It is interesting that the email addresses the hackers provide vary. So, when infected with the virus, you might be required to write to, (this virus drops worm.exe file on the system),,, or another email address. One of the latest variants, Arena, recommends writing to We strongly suggest not to do that. You have absolutely no way of knowing what to expect from this bunch of extortionists and how contacting them might end.

It is more reasonable to simply remove Dharma and use your computer normally again. If you continue using it with the ransomware running, every reboot will result in newly encrypted files.

Important information. Speaking of data recovery methods, you can restore your files with the help of a data backup or an updated Rakhni decryption tool. However, one of the 2-Spyware visitors has reported a surprising Dharma decryption method that helped him to restore .[].dharma file extension files for free. He managed to restore encrypted data archives using the 7-Zip program. For more information, see data recovery methods described below the article.

Other malware variations

ransomware virus. Ransomware developers simply can't go about their business without making improvements to their malicious creations. Dharma ransomware is not an exception. The virus has undergone a lot of changes and different versions of it are now circling the web. One of these versions is ransomware. The virus is named after the extensions it adds to the encrypted files.

So, the computer infected with will feature a lot of files ending with .[].dharma. The use of an email address to indicate encrypted files suggests that it may be the key to their decryption. Or the hackers want you to believe that.

Victims who reach out to the cyber criminals via this address are told to send money (Bitcoins) to the given Bitcoin account, while the hackers promise to hand over the decryption key. Nevertheless, paying the extortionists is not necessary as you may unlock your files using Dharma Decrypter.

Zzzzz ransomware virus. It is another virus version that shares its extensions with the infamous Locky virus. It is not clear whether zzzzz developers took Locky's idea or the use of same extensions to indicate encrypted files is a sheer coincidence. Despite the odds, these viruses are not related and are based on different codes. Nevertheless, this does not make zzzzz virus any less dangerous than the nasty Locky virus.

It still encrypts files, making them inaccessible to the victims, and demands payment for the access key. You may use Dharma Decrypter to attempt zzzzz file recovery, but the most important thing is that you remove the virus from your computer to prevent further damage.

Wallet ransomware virus. Wallet is the latest Dharma version which appends .wallet extensions to the encrypted files. Ransomware victims are also urged to contact the criminals via a given email address ( and are given no specific details upfront. The virus makes sure the victims are acquainted with the data recovery conditions by replacing the infected computer's desktop with an image of a ransom note.

Besides, extortionists set a 72-hour limit to pay the ransom and claim that if victims fail to pay in time, the decryption key will be destroyed and they will lose access to their files forever. Of course, there are always alternatives and you don't have to succumb to the criminals' demands. Just scroll down to the end of this article and check out data recovery options recommended by experts.

.onion file virus. The latest variant of Dharma ransomware was spotted in April 2017. The virus spreads via malicious email attachments, and once the victim clicks on an infected attachment, the malware sneaks inside the system. On the affected device, the ransomware starts a system scan and looks for the targeted file types. For data encryption, it uses a sophisticated algorithm that prevents users from accessing their files.

Ransomware appends the .onion file extension to the encoded documents, PDFs, video, audio, image files, databases, and other popular file types. Nevertheless, authors of the virus claim that purchasing decryption software from the is the only option to get back access to your data; you should not rely on their words. After the attack, you should focus on malware removal and later look for data recovery possibilities.

Cezar ransomware virus. The virus emerged in the middle of August 2017, and it is also known as Cesar ransomware virus. The virus is named after a file extension that it adds to encrypted files, respectively .cezar or .cesar. The virus suggests writing to for instructions on how to recover encrypted files, so it works as a typical Dharma version.

The aim of the virus is to force the victim to get in touch with cybercriminals and start negotiations regarding data recovery. The criminals will ask you to pay an enormous ransom in Bitcoins and promise to provide a decryption key afterward. Unfortunately, criminals cannot be trusted, so we do not recommend putting too much effort into trying to make them restore your files. Chances are, they never will.

Arena ransomware virus. Arena virus is the latest addition to the Dharma malware family. The virus was spotted by security researcher Michael Gillespie on August 23rd, 2017. The new ransomware variant appends the traditional extension – .id-[ID].[criminal's email address].arena. The virus then outputs some text in a FILES ENCRYPTED.txt file (known as the ransom note).

The virus suggests contacting the criminals via email address, leaving no hints about the price of the decryption key. Unfortunately, currently, the only tool that could help you restore your files is a data backup. Remove Arena ransomware before plugging the backup drive into your computer; otherwise, the virus will encrypt the files stored on it.

.Java file extension virus. The developers of Dharma have been updating their malware from time to time. While it cannot compete with the authors of GlobeImposter group of ransomware, who have been refilling their virus almost every day, it can still be considered a persistent malware.

Since the last update, security experts have reported several new versions. One variation attaches the .id-.[].cobra file extension. The ransom note also includes the email address mentioned in the extension.

Meanwhile, the second Crysis/Dharma version attaches these extensions:

  • .id-8-characters.[].java[6]
  • .[].java
  • .id-8-characters.[].java

It is believed that there are more than three versions of this Java ransomware spreading on the Internet, so be careful while searching the web. At the moment, security experts do not report significant changes in the virus source code; they only advise being careful with spam that uses the subject line “The Request Invoice.”

Here is the message content:

Here is the Invoice you requested. Please make sure to print it, sign it and scan it to send it back to us.
Best Regards,
Tim Brooks
Sales Department

Note the absence of full company credentials and the logo. Counterfeited messages hiding the malware often contain grammar mistakes and typos.

This version also inflicts quite significant damage to the system. It disables system recovery and deletes shadow volume copies. Though it greatly reduces the number of alternative data recovery options, it is recommended to remove Java virus immediately.

Distribution methods diversify

While trying to infect systems with this malware, the developers of the described ransomware have been actively relying on phishing.[7] The most common method is considered to be delivery of the virus via infected email messages. The scammers use malicious spam campaigns to spread fraudulent emails with attached malware and, sadly, users often fall for their tricks.

To help you to avoid infecting your PC with ransomware from email, prepared some tips[8]:

  • If you, yourself, receive an email from some unknown sender, company or institution, carefully investigate it.
  • Think about whether you expected such an email in the first place. If you have no idea why it has reached your inbox, it might be that you are being targeted by extortionists.
  • In such a case, you should stay away from any attachments that might be added to the email and delete it immediately. Otherwise, Dharma can sneak in its malicious payload with some fake plane ticket, speeding ticket or any other documents that might look convincing enough to be taken for granted.

Eliminate Dharma virus completely

All computer security experts unanimously agree that the best way to remove Dharma virus or any ransomware virus from the infected device is by scanning it with a professional anti-malware tool. Nevertheless, you probably remember that this virus is especially good at hiding on the computer and may not even be detected by the security tools.

That is why you cannot approach Dharma removal directly and need to complete a few extra steps before you run the system scan. We have presented these steps below. Feel free to use them and don’t forget to scan your system automatically afterward! We suggest using one of these tools: Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Manual Dharma virus Removal Guide:

Remove Dharma using Safe Mode with Networking

If the ransomware blocks access to security software or you cannot install your preferred tool, you need to disable the virus by rebooting the device into Safe Mode with Networking. Then, you will be able to install, update and run a malware removal program.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
  • Step 2: Remove Dharma

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Dharma removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove Dharma using System Restore

System Restore is another method to disable the virus in order to perform automatic ransomware elimination.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Dharma. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Dharma removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Dharma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Dharma, you can use several methods to restore them:

Using Data Recovery Pro to restore files encrypted by ransomware

Data Recovery Pro is a software choice that is recommended for those who do not wish to spend time recovering data themselves. It is an automatic tool that will do all the work for you. So, follow the steps below, sit back and wait for the results. 

Using Windows Previous Versions feature to recover files encrypted by Dharma

Windows Previous Versions feature is another option you can try in order to recover your data. Keep in mind, though, that this technique requires a System Restore function to be enabled. If it was on before the virus attack, try your chance in recovering data using the instructions below.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

IMPORTANT. The latest Dharma decryption options

As we already mentioned, someone has leaked a lot of Dharma decryption keys online and Kaspersky has successfully updated Rakhni decryptor with these keys already. At the moment, it is known that the leaked keys belonged to the virus' version that added .dharma file extensions. You should definitely try using its decrypter presented by Kaspersky Lab. You can download it from here.

In case the decryptor fails to decrypt your files: Our team recently received a message from a person who said one of his clients got infected with the .[].dharma ransomware version. Surprisingly, our site visitor reported that he managed to restore encrypted data archives by extracting them with 7-Zip. We suggest you try this method if you haven't already. You can find the original comment from the visitor in the comments section below.
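A triage sketch for the file-naming scheme described earlier and the 7-Zip observation above; it is an added example, not part of the original article or of any vendor tool. It parses the bracketed marker, lists ransom notes, and checks which marked .zip files still pass a full archive integrity test. The sample files and the address contact@example.invalid are constructed.

```python
import re
import zipfile
from pathlib import Path

# Extensions named in the article (.cobra comes from its .java-variant section).
EXTS = "dharma|wallet|zzzzz|cezar|cesar|java|onion|arena|cobra"
NOTE_NAMES = {"info.hta", "files encrypted.txt"}  # ransom notes named in the article

# <original>[.id-<ID>][.][<contact>].<ext>; the bracket is required because
# bare .java / .wallet / .onion names also occur on clean systems.
MARKER = re.compile(
    r"^(?P<original>.+?)(?:\.id-(?P<id>[^.\[\]]*))?"
    r"\.?\[(?P<contact>[^\[\]]*)\]\.(?P<ext>" + EXTS + r")$",
    re.IGNORECASE,
)

def parse_name(name):
    """Return the marker fields of a Dharma-style file name, or None."""
    m = MARKER.match(name)
    return m.groupdict() if m else None

def still_valid_zip(path):
    """True if the file opens as a ZIP and every member passes its CRC check."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.testzip() is None
    except Exception:  # not a ZIP, truncated, or undecodable: treat as unreadable
        return False

def triage(root):
    """Walk root; return (marked files as dicts, ransom-note paths)."""
    marked, notes = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in NOTE_NAMES:
            notes.append(path)
        elif (fields := parse_name(path.name)):
            fields["path"] = path
            # Only archives are tested: the reader report concerned .zip backups.
            fields["zip_ok"] = (fields["original"].lower().endswith(".zip")
                                and still_valid_zip(path))
            marked.append(fields)
    return marked, notes

def build_sample(root):
    """Write constructed sample files (not real malware output) under root."""
    root, tag = Path(root), "[contact@example.invalid]"
    with zipfile.ZipFile(root / f"backup.zip.{tag}.dharma", "w") as zf:
        zf.writestr("ledger.csv", "id,amount\n1,10\n")  # intact archive, renamed only
    (root / "old.zip.[].java").write_bytes(b"\x00" * 64)  # contents destroyed
    (root / f"report.docx.id-1A2B3C4D.{tag}.arena").write_bytes(b"\x8f" * 64)
    (root / "Main.java").write_text("class Main {}\n")  # legitimate source file
    (root / "FILES ENCRYPTED.txt").write_text("constructed note\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        marked, notes = triage(tmp)
        for m in marked:
            state = "readable ZIP" if m["zip_ok"] else "not readable as ZIP"
            print(f'{m["original"]} (.{m["ext"]}, id={m["id"]}): {state}')
        print("ransom notes:", [n.name for n in notes])
```

Run it against a read-only mount or a copy of the affected disk rather than the live system, and extract any archive it reports as readable to a separate clean drive.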

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Dharma and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

  • Ebbie Millton

    Well this virus escalated from an obscure little parasite. I still remember when it first came out

  • PweDiepie

    What a spiritual title for such a nasty parasite

  • Sean Venter

    I had a client that got this infection on their accounting server and because they haven't noticed the infection it encrypted all files on their backup hard disk drives that they rotate on a daily basis. So they have lost all their data. As I started to reinstall everything I right clicked on one of the encrypted backup zip files that had the extension .[].dharma and I managed to open it with 7 ZIP, and I managed to extract all of their backups from the latest zip file!!! Don't know if it is a bug in the virus but somehow all the zip files on the external hard disk drive have the .[].dharma extension but I am able to extract the data with 7 ZIP. Hope this helps anybody as this is really a serious virus infection.

  • 2spyware

    Dear Sean, thank you for your information. It will definitely help for infected users!