Cesar ransomware virus: how to decrypt .cesar files

This article provides comprehensive details of the new Crysis / Dharma ransomware variant that appends the .cesar or .cezar extension to encrypted files.

The Crysis ransomware, previously known as Dharma, has suddenly awoken after several months of inactivity. Moreover, the halt was accompanied by an anonymous dump of master decryption keys in late May 2017. Although events like that tend to denote that a campaign stops for good, somebody in the cybercriminal underground must have a different opinion, obviously. The latest outbreak of the Crysis / Dharma ransomware wave revolves around a variant that blemishes one’s encoded files with the .cesar extension. Some of the more recent reports have unveiled the .cezar file version as well. This string is only part of the concatenated extension, though. It is preceded by a victim’s ID and the threat actors’ contact email address so that the infected user gets quite a few clues on data decryption from the get-go.

The upshot of this data tweaking workflow is that an arbitrary filename gets concatenated with an extension token in the following format: .id-{8-char victim ID}.[email address].cesar. For example, a sample item named Coffee.jpg will morph into something like Coffee.jpg.id-C21FD978.[m.heisenberg@aol.com].cesar. Note that the email part may vary. Aside from the one mentioned above, it can be black.mirror@qq.com, gladius_rectus@aol.com, or btc2017@india.com. The email address variable most likely denotes a specific ‘affiliate’ that was able to deposit the perpetrating code onto a computer. There are different groups of cybercrooks distributing the Cesar ransomware edition of Crysis concurrently, each one with their own contacts.

As opposed to most file-encrypting strains out there that spread by means of malicious spam, the Cesar virus is making the rounds via Remote Desktop Protocol. The attackers brute-force RDP credentials in order to infiltrate systems remotely. This way, they can execute random code on compromised computers. In the case of Cesar, the troublemaking process is named bars.exe. When deployed inside a machine, this executable deletes Shadow Copies of the victim’s files and adds a registry value to run when the OS is booted up. Then, the ransomware scans the local drive and removable drives, if any, for a predefined list of data formats. It encrypts every single file detected during this scan.

Whereas the extension affixed to all hostage files is quite self-explanatory in terms of what the user should do, the Cesar virus also drops a ransom note named Info.hta onto the desktop. According to this note, the victim has to send a message to the email address indicated in square brackets preceding the .cesar part of the file extension. The plagued user is instructed to include their personal ID in this email. The felons will respond with the size of the ransom and the Bitcoin wallet address to submit it. As guarantee that the decryption tool will work, the extortionists can purportedly restore up to three files whose total size doesn’t exceed 10 MB. All in all, instead of relying on the bad guys’ promises and going through the painful buyout procedure, start with alternative data restoration options below.

Cesar ransomware automated removal and data recovery

The battle-tested security tool called WiperSoft can shore up the protection of your PC by identifying and removing all files associated with Cesar threat automatically. It gets regular updates of its malware database to ensure a high detection rate, even if you’ve been hit by the newest strain of ransomware, adware, spyware, or a stubborn browser hijacker.

The following point-by-point instructions will help you get your computer back on track using this incredibly effective application.

1. Download the latest version of WiperSoft.

^{WiperSoft scans your PC with no strings attached, but you’ll have to register its commercial version to immediately remove the threats it detects. Alternatively, you can use a one-time free cleaning service that will activate in 48 hours after you opt for it.}

Download Cesar ransomware remover

2. Run the installer. As part of the setup, you’ll be asked to specify your preferred language and accept the End User License Agreement.

3. Once the installation is through, you’ll see the app’s Home screen that says, “Computer state is unknown”. Click Scan Now to check your system for threats.

4. The first scan might take a while to be completed. This is normal, given that the app has to check hundreds of thousands of files along the way. It will reflect the current progress and other details at the bottom part of the GUI.

5. If WiperSoft finds malicious files, it will let you know via an updated computer security status as illustrated below. Go ahead and click the Review & Clean button.

6. Go over the detailed scan report that’s split into three categories: malware, potentially unwanted programs (PUPs), and privacy issues. Make sure all unwanted items are selected and click Remove Threats to disinfect your PC.

Data recovery toolkit to the rescue

Some strains of ransomware are known to delete the original files after the encryption routine has been completed. As hostile as this activity appears, it can play into your hands. There are applications designed to revive the information that was obliterated because of malfunctioning hardware or due to accidental removal. The tool called Stellar Data Recovery features this type of a capability and therefore it can be applied in ransom attack scenarios to at least get the most important files back. So use the app to get an idea of what data can be restored and let it do the recovery job. Here is a step-by-step walkthrough:

1. Download and install Stellar Data Recovery.

Download Stellar Data Recovery

2. Open the application, select the types of recoverable files to look for, and click Next.

3. Choose the areas you want the tool to recover from and click the Scan button.

4. Having scanned the specified locations, the program will display a notification about the total amount of recoverable data. Close the dialog and click the Recover button. This will hopefully help you get some of your valuable files back.

Cesar ransomware manual removal and file recovery

Some ransomware strains terminate themselves after completing the encryption job on a computer, but some don’t. Furthermore, the Cesar virus may prevent victims from using popular antimalware tools in order to stay on board for as long as possible. Under the circumstances, it may be necessary to utilize the Safe Mode with Networking or System Restore functionality.

Be advised that even after the ransomware is removed, files will still be encrypted and inaccessible. The malicious code cleanup part, however, is important because it keeps a relapse of the infection from occurring further on and eliminates all opportunistic malware.

Cracking the crypto used by this ransom Trojan is more of a science fiction thing rather than an attainable prospect for the masses. This is why the troubleshooting in predicaments of this sort is a matter of two approaches: one is to pay the ransom, which isn’t an option for many victims; and the other is to apply instruments that take advantage of the ransomware’s possible weaknesses. If the latter is your pick, the advice below is a must-try.

Ransomware Prevention Tips

To avoid Cesar ransomware and other file-encrypting infections in the future, follow several simple recommendations:

These techniques are certainly not a cure-all, but they will add an extra layer of ransomware protection to your security setup.

Revise your security status

Post-factum assessment of the accuracy component in malware removal scenarios is a great habit that prevents the comeback of harmful code or replication of its unattended fractions. Make sure you are good to go by running an additional safety checkup. Another benefit of using the antimalware tool is that it will keep ransomware threats from intruding on your computer further on.

Download Cesar ransomware removal tool