Criminals spreading a ransomware trojan, dubbed CryptoDefense, are preying on users running vulnerable versions of Java, researchers found.

CryptoDefense, a variant of CryptoLocker, was used by saboteurs to rake in more than $34,000 between February and March, Symantec researchers found. Now, analysts at Bromium Labs warn the malware, which holds victim files hostage by employing public-key cryptography using strong RSA encryption, is being delivered to users via a Java exploit.

Back in March, reports said CryptoDefense fraudsters requested a $500 ransom payment in bitcoins to restore victims’ files.

The recent CryptoDefense delivery tactic uses compromised sites rigged to install the malware on visitors’ computers by exploiting Java vulnerabilities, a Tuesday blog post on Bromium Labs’ site said.

Bromium found that the trojan tried to encrypt “pretty much everything” on victims’ machines, including documents, source files, certificates and databases, the blog post said.