Cezar ransomware virus

Cezar ransomware is a file-locking infection that compromises Run and RunOnce keys to execute during Windows boot

Cezar malware
Cezar malware is ransomware that provides a short ransom note with the crooks’ contacts in it

Cezar malware
Cezar malware is ransomware that provides a short ransom note with the crooks’ contacts in it

Cezar ransomware is a file-encrypting virus that can cause the loss of all files on the targeted machine. It is the continuation of the infamous Dharma ransomware[1] and has emerged in August 2017. The malicious program[2] encrypts all data by adding a specific file extension that includes the victim’s ID number, cybercriminals’ email address, and either .cezar or .cesar file extension. Cezar virus encrypts all the data that is found on the infected Windows computer system, including pdfs, Microsoft Office documents, images, audios, videos, virtual drive files, and more.

It then drops the ransom note called HELP.txt which urges users to contact the cybercriminals via email [email protected] or [email protected]. Users must pay the ransom in Bitcoin to get their data back, otherwise, it will be left blocked forever. At least this is what the cybercriminals want you to believe. However, staying away from ransom payments would be a wiser choice than accepting them as the crooks might try to scam you.

Users on Reddit have been complaining about Cezar ransomware virus rooting in their systems and supposedly compromising the RDP configuration to get in.[3] Also, security researchers have already noticed that the ransomware virus is delivered via Necurs botnet through phishing email messages and their infectious attachments. Nevertheless, some people have seen this ransomware provided as RaaS on the Dark Web’s market where anyone who wants to play with the malware and infect potential victims can purchase it for a specific price.

Name Cezar
Type Ransomware virus/malware 
Family Dharma ransomware
First discovered This cyber threat was first spotted in August 2017 and has emerged again in 2020
Encryption The ransomware virus employs a unique encryption cipher such as AES to lock up all files, folders, and documents found on the Windows computer system. Afterward, the .cezar or .cesar appendix is added to each filename
Ransom note The malware provides the HELP.txt ransom note, after the encryption, that includes crooks’ email addresses: [email protected] or [email protected]
Related files When the malware infiltration process happens, Cezar virus can bring files such as notepad.exe, svchost.exe, setup.exe, patch.exe, update.exe, and software-update.exe and install them in the system
Modules The newly-updated version of Cezar ransomware might be capable of tracking user activity, harvesting private details, etc.
Distribution Spreading of this parasite relies on various different techniques such as phishing email messages and their malicious attachments, botnets and other malware, cracked software such as key generators or fake setups from torrenting networks, vulnerable RDP settings
Removal If you have been dealing with this malware lately, you should take action against it ASAP. Our recommendation would be to employ a reliable antimalware product that will be capable of dealing with the ransomware virus
Data recovery There is no official decrypter released for .cezar or .cesar files at the moment. However, our security experts have provided some alternative data recovery tools that you can find at the end of this article
Fixing tool If your computer system has experienced some type of damage, you can try fixing things with the help of software such as Reimage Reimage Cleaner  

When Cezar ransomware appears on the targeted Windows computer, it heads for the Run and RunOnce keys that allow the payload to execute every time when the machine is turned on. Furthermore, the malware might include some files in the system, for example, notepad.exe, svchost.exe, setup.exe, patch.exe, update.exe, and software-update.exe. Following a successful computer infiltration and data encryption, Cezar ransomware drops a ransom note that contains a short message from criminals to the victim:

To decrypt files, write to my email [email protected]

This short Cesar ransomware ransom note is provided in a simple .txt file named “HELP.txt.” However, it’s quite an unusual ransom message because it does not include any information about data recovery possibilities and how it may cost for the victims. It is clear why cybercriminals do not want to reveal the final price of the ransom – they might be open to negotiations with potential victims. In addition, different versions of Cesar malware might be adding one of the following file extensions to encrypted files:

However, even though Cezar ransomware developers do not provide any particular information about the ransom price, most of the demands vary from $100 to $2000 or even more and need to be transferred during a particular time period. Also, criminals are very likely to urge for some type of digital currency such as Bitcoin as this type of cryptocurrency allows the hackers to stay safe from tracking and keep their identities a secret.

Cezar ransomware
Cezar ransomware is a malware form that has first emerged in 2017 and came back in 2020 with a more advanced module

Cezar ransomware
Cezar ransomware is a malware form that has first emerged in 2017 and came back in 2020 with a more advanced module

A big problem with .cesar ransomware is that it is capable of deleting Shadow Volume Copies by executing specific PowerShell command. Sadly, the Shadow Copies are necessary for recovering files using third-party software and criminals seek to make this data recovery method not work for the victims. Currently, the official decryptor for .cezar and .cesar files is not released yet. However, some versions of Dharma are already decryptable.[4] Thus, there’s hope.

If this ransomware has hit your computer, we strongly recommend using a decent antispyware product to remove Cezar ransomware from the system. Once you eliminate the ransomware virus and all the malicious payload that was brought to the computer as a result of the dangerous infection, you might be interested in tools such as Reimage Reimage Cleaner or SpyHunter 5Combo Cleaner if there are any corrupted areas on the Windows device as this type of software might help to fix them. 

You should not put Cezar ransomware removal aside because it is a highly important task that you must complete. Only after deleting the virus from the system you will be able to use it again securely. The reason why we recommend using the automatic spyware/malware removal tool is that some viruses spread in tandem with other severe malware variants such as Trojans or keyloggers and you will need strong software to deal with all these potential cyber threats.

Update 2020: Cezar (Dharma) ransomware searching for targets in Italy

According to security researchers, Cezar ransomware that was first discovered in 2017, decided to renew its activities in 2020. This time malicious actors are targetting people who live in Italy by delivering them malware-laden payload through email spam that contains VBS (Visual Basic Scripts).

Furthermore, investigations have provided results that Cezar virus includes improved functionality but uses the same operating principle as earlier. The ransomware virus employs a cipher such as AES and locks up all the components that are found on the infected Windows PC. However, researchers have found out that the malware was added with some complex modules and now might be capable of these activities:

  • Cybercriminals can have the ability to track victims and their computers.
  • The malware might be programmed to hijack the users’ activities.
  • The virus can include harvesting of personally-identifiable information from the infected device.

Cesar virus
Cezar virus is a ransomware infection that comes from the Dharma family

Cesar virus
Cezar virus is a ransomware infection that comes from the Dharma family

Methods used for malware distribution

According to LesVirus.fr experts,[5]Dharma ransomware variants usually employ traditional malware distribution techniques for proliferation. Most of the time it arrives as a malicious email attachment[6] that needs to be opened by the computer user in order to be run. To convince the victim to open the document, criminals spoof the sender’s address and rename the malicious file as invoice, a message from courier, receipt, or another important document that might interest the potential victim.

Furthermore, ransomware viruses can also get spread through other malware forms such as trojans and botnets and be downloaded as a regular file at first until the embedded macros are enabled. However, this is still not all about the possible distribution techniques of file-encrypting viruses. These malicious threats can get infiltrated through hacked RDPs. Hackers usually steal the password or search for unlocked configuration and connect to the computer system remotely.

In addition, ransomware is often uploaded on torrenting websites that are filled with game cracks, key generators, fake setups, and various questionable files that look harmless only from the first view. Since you have learned about the distribution tactics of ransomware viruses, it would be recommendable to also learn about their prevention:

  • Always investigate your received email. Check the sender, view the content for possible grammar mistakes, and measure the expectancy of such message. Also, do not open any questionable attachments without scanning them with an antimalware program.
  • Avoid visiting peer-to-peer networks. Make sure that you get all of your products and services from official sources. It is better to pay more than to deal with malware and its consequences later.
  • Install reliable antivirus protection. If you do not already have antimalware software on your Windows computer, you should get one ASAP. Make sure that you keep this tool regularly updated.

Steps to take after Cesar virus attack

Cezar ransomware virus

Cezar ransomware virus

Cezar ransomware removal is the first thing you should do when you discover that you are infected with this malware. Postponing the elimination might relate in more damage to your Windows computer system. Besides, you will not be able to recover your files properly with additional software until the parasite is residing on your device.

If you want to remove Cezar ransomware, you should rely on automatical software that would be able to delete with this parasite. However, if your antivirus tool is being blocked by the malware, you can try diminishing malicious processes on your Windows computer system by rebooting it in Safe Mode with Networking.

Furthermore, Cezar ransomware virus can have posed some type of harm on your device during the infection process or might have infiltrated additional malware to the system. To check for possible damage, use SpyHunter 5Combo Cleaner or Malwarebytes. If these tools find any compromised areas on the machine, you might have a chance of repairing them with software such as Reimage Reimage Cleaner .

Video clip displaying Cesar ransomware removal

Cezar ransomware virus is a complex malware form that can be hard to eliminate if you have no understandings of how to complete the process and what tools to use for it. Our cybersecurity experts understand the struggle and decided to create some visual material that would be very easy for all users to understand. Look below and you will find the Youtube video:

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove Cezar using Safe Mode with Networking

If you want to deactivate some malicious settings on your Windows operating system and disable the ransomware virus from operating further, you should reboot the device in Safe Mode with Networking as described below

  • Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8

    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Log in to your infected account and start the browser. Download Reimage Reimage Cleaner or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Cezar removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Cezar using System Restore

You can try diminishing malware-induced changes and deactivating the virus itself by opting for System Restore. If you do not know how to complete such a task, the following instructions will help you

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Cezar from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Unfortunately, .cezar file extension is undefeatable and currently there are no ways to restore your files for free. Unless you have a backup, the chances to restore them are very low. Despite that, you can try the following methods:

If your files are encrypted by Cezar, you can use several methods to restore them:

Data Recovery Pro perfectly helps to recover corrupted files

Data Recovery Pro can be used on files that were corrupted, and it can also help to restore deleted files. Although it wasn’t created for the recovery of encrypted files, you can still try it and see what it can do.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Cezar ransomware;
  • Restore them.

Windows Previous Versions feature might be useful

Windows Previous Versions feature is useful if you do not have a large number of files to return. Also, the Windows Restore function should have been enabled before the attack occurred.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Try ShadowExplorer software

ShadowExplorer is a software that can help you to restore files from Shadow Volume Copies. If the virus failed to delete these copies, there is still hope to recover some of your files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The .cezar and .cesar files decrypter is not developed yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Cezar and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner , SpyHunter 5Combo Cleaner or Malwarebytes

This entry was posted on 2020-02-20 at 07:13 and is filed under Ransomware, Viruses.