What is C4H file extension
.C4H is the file extension used by the latest variant of GlobeImposter ransomware. The ‘C4H’ variant is very similar in its characteristics to other variants of this ransomware. It encrypts files and then renames them, giving each a new filename consisting of the old name with ‘.C4H’ appended at the end. Criminals demand a ransom for a key-decryptor pair, which is necessary to unlock the encrypted data.
What is C4H ransomware
C4H ransomware is one of the variants of the GlobeImposter ransomware. It appends the ‘.C4H’ extension to each file that it encrypts using a complex encryption mechanism. Like its previous variants, it can use the same distribution methods (spam emails, adware, cracks, key generators and so on). Upon execution, C4H starts working in the background immediately. First of all, the virus configures Windows so that it starts automatically every time the computer is turned on. C4H ransomware uses this mechanism to continue encrypting files if it was interrupted by turning off or restarting the computer. Further, the ransomware contacts its control server to send information about the infected computer and receive additional commands.
After all the preparatory steps are completed, C4H proceeds to its main task: it begins to encrypt files. All files will be encrypted, regardless of whether they are located on a local disk or on a network-connected disk. That is, the contents of the following common file types can be encrypted:
.mov, .xlgc, .mp4, .iwd, .xyp, .csv, .jpe, .2bp, .pptx, .pak, .xar, .sav, .lvl, .qdf, .p7b, .x3f, .psd, .hvpl, .cr2, .zabw, .sb, .xml, .wbd, .7z, .rw2, .wpg, .tor, .xx, .xf, .z, .wdp, .vcf, .icxs, .css, .itl, .fpk, .big, .wbm, .mef, .mlx, .rb, .psk, .mdb, .png, .ptx, .wp6, .vfs0, .xmmap, .ybk, .wpa, .ff, .xwp, .sidd, .arch00, .odc, .cer, .xlsb, .3dm, .wp4, .raf, .wpw, .crt, .wot, .xlsx, .m3u, wallet, .dazip, .map, .sie, .xpm, .dwg, .jpeg, .apk, .dng, .wsd, .pdd, .dbf, .zip, .odp, .snx, .jpg, .yml, .fos, .wmv, .bar, .ods, .wma, .esm, .z3d, .kdb, .vpp_pc, .itm, .txt, .layout, .erf, .xy3, .tax, .x3d, .wp7, .cfr, .sql, .wn, .wav, .ysp, .wcf, .orf, .wpb, .cdr, .dxg, .ncf, .bc6, .gho, .py, .rar, .hkx, .hkdb, .avi, .pst, .litemod, .doc, .p7c, .hplg, .xbdoc, .bay, .xls, .ibank, .zif, .mddata, .wmf, .xlsx, .y, .srw, .ppt, .r3d, .xyw, .wpl, .blob, .svg, .t12, .mpqge, .menu, .odm, .wsh, .eps, .mdf, .zip, .upk, .zi, .1st, .m4a, .wotreplay, .webp, .re4, .bc7, .x3f, .wmo, .mcmeta, .dba, .x, .wbmp, .bsa, .dmp, .wps, .wpd, .wdb, .epk, .lrf, .pfx, .xll, .docm, .wpd, .kdc, .js, .3fr, .xls, .fsh, .accdb, .yal, .pem, .dcr, .w3x, .1, .wpt, .ltx, .zdc, .xmind, .nrw, .pkpass, .m2, .syncdb, .webdoc, .wbc, .indd, .rofl, .qic, .odt, .wp, .iwi, .wm, .der, .das, .wmd, .crw, .mrwref
When a file is encrypted, the ‘.C4H’ extension is appended at the end of its name, that is, if you had a file called ‘document.docx’, then a file with the name ‘document.docx.C4H’ will appear in its place. If you change the file name by simply deleting the appended extension, nothing will change. The file will remain encrypted and, as before, it will not be possible to open it in the program with which it is associated.
The C4H ransomware creates a file with the name “Decryption INFO.html” on the infected computer. This file contains a message from the ransomware authors. The full text of this file is:
ALL YOUR FILES AND IMPORTANT DATA ARE ENCRYPTED!
To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file chinarecoverycompany@cock.li or chinarecoverycompany@airmail.cc.
In the letter include your personal ID (look at the beginning of this document).We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Attention!Only chinarecoverycompany@cock.li or chinarecoverycompany@airmail.cc can decrypt your files
Do not trust anyone chinarecoverycompany@cock.li or chinarecoverycompany@airmail.cc
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user’s unique encryption key
Criminals use this file to demand ransom from the C4H ransomware victims. The ransom demand message says that the victim’s files are encrypted. The authors of the ransomware demand a ransom in exchange for a key and a decryptor. Attackers offer to decrypt one image or text file for free. Of course, decryption of one file cannot guarantee that, after paying the ransom, the victim will be able to recover files affected by the ransomware.
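Added example, not part of the original guide: a read-only Python inventory of a folder tree after an infection, using the ‘.C4H’ suffix and the ‘Decryption INFO.html’ note name given on this page. The function names, the constructed sample tree and the reading of a file's modification time as its encryption time are assumptions.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_SUFFIX = ".c4h"             # extension named on this page, compared case-insensitively
RANSOM_NOTE = "decryption info.html"  # ransom note file name from this page


def original_name(name):
    """Return the pre-encryption name of a '.C4H' file, or None if it is not one."""
    if name.lower().endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return None


def _utc(timestamp):
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def triage(root):
    """Read-only walk of root: what was encrypted, where, and when."""
    by_type, folders, notes, mtimes, intact = Counter(), set(), [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            orig = original_name(name)
            if orig is not None:
                by_type[Path(orig).suffix.lower() or "(none)"] += 1
                folders.add(dirpath)
                mtimes.append(path.stat().st_mtime)
            elif name.lower() == RANSOM_NOTE:
                notes.append(str(path))
            else:
                intact += 1
    return {
        "encrypted": sum(by_type.values()),
        "by_type": dict(by_type),          # original file types that were hit
        "folders": sorted(folders),        # folders holding encrypted files
        "notes": sorted(notes),            # ransom note locations
        "intact": intact,                  # files not carrying the suffix
        # Assumption: the mtime of a .C4H file is when the ransomware rewrote it.
        "window": (_utc(min(mtimes)), _utc(max(mtimes))) if mtimes else None,
    }


def build_sample_tree(root):
    """Constructed sample data: empty stand-in files, not real ransomware output."""
    docs, pics = Path(root) / "docs", Path(root) / "pics"
    docs.mkdir()
    pics.mkdir()
    samples = {docs / "document.docx.C4H": 1_600_000_000,
               docs / "budget.xlsx.c4h": 1_600_000_300,
               docs / "Decryption INFO.html": 1_600_000_301,
               pics / "holiday.jpg": 1_500_000_000}
    for path, mtime in samples.items():
        path.write_bytes(b"")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in triage(build_sample_tree(tmp)).items():
            print(f"{key}: {value}")
```

The start of the reported window shows which backup or restore point predates the encryption, and the folder list shows which local and network locations need recovery.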
Threat Summary
Name | C4H |
Type | Filecoder, Ransomware, File locker, Crypto virus, Crypto malware |
Encrypted files extension | .C4H |
Ransom note | Decryption INFO.html |
Contact | chinarecoverycompany@cock.li, chinarecoverycompany@airmail.cc |
Ransom amount | $500-$1500 in Bitcoins |
Detection Names | Ransom:Win32/GlobeImposter.180910, Trojan.Ransom.GlobeImposter, Generic.Ransom.GlobeImposter.9F3AF8D5, Win32/Filecoder.FV, W32/Ransom.HL.gen!Eldorado, Trojan.Win32.Filecoder, Win32/Trojan.Ransom.Necne.D, Trojan.Win32.Ransom.56832.H |
Symptoms | Your photos, documents and music fail to open. Windows Explorer displays a blank icon for the file type. Files named like ‘Decryption INFO.html’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. Ransom note in a pop-up window with cybercriminal’s ransom demand and instructions. |
Distribution ways | Phishing emails that look like they come from a reliable source. Drive-by downloading (when a user unknowingly visits an infected web-page and then malicious software is installed without the user’s knowledge). Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a misleading link). Remote desktop protocol (RDP) hacking. |
Removal | C4H ransomware removal guide |
Recovery | C4H File Recovery |
As we have already said, the C4H ransomware is not the first in its series. The fact that, to date, antivirus companies have not created a way to decrypt the encrypted files, and have not found a 100% reliable way to protect users’ computers, indicates the complexity of the ransomware virus and of the method that it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to find and remove C4H ransomware, and there is also a chance to restore part or even all of the encrypted files to their original state. Below we will describe in detail how to do this.
How to remove C4H ransomware, Restore .C4H files
If you encounter the malicious actions of ransomware, and your files have been encrypted with the ‘.C4H’ extension, then you need to remove the virus or be 100% sure that there is no ransomware on your computer, and then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. Even if for some reason one of the methods proposed below does not suit you, we definitely recommend that you try another one, and try all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, we want to say that all the tools that we recommend using in our instructions are free and verified by security experts. And lastly, before proceeding with the instructions, we advise you to read them carefully, and then print them or open them on a tablet or smartphone to have them always at hand.
- How to remove C4H ransomware virus
- How to decrypt .C4H files
- How to restore .C4H files
- How to protect your machine from C4H ransomware
How to remove C4H ransomware virus
It is not recommended to immediately start decrypting or restoring files; that would be a mistake. The right way is to go step by step: scan your computer for ransomware, detect and remove the C4H virus, then decrypt (restore) files. To search for ransomware, we recommend using free malware removal tools. It is very important to use multiple malware removal tools to identify and remove C4H. Each of the tools used should be based on a different anti-virus (anti-malware) engine. This is the only way to make sure that the C4H ransomware was found and completely removed.
Remove C4H ransomware with Zemana AntiMalware (ZAM)
Zemana Anti Malware is a malware removal tool that is very useful for detecting and uninstalling C4H ransomware and other malware. The steps below will explain how to download, install, and use Zemana Free to scan your computer and remove ransomware, trojans, malware, adware software, worms, spyware for free.
Please go to the following link to download Zemana Anti Malware setup file called Zemana.AntiMalware.Setup on your PC system. Save it to your Desktop.
Start the installation package after it has been downloaded successfully and then follow the prompts to set up this utility on your PC system.
During installation you can change some settings, but we suggest you do not make any changes to default settings.
When installation is complete, this malware removal tool will automatically start and update itself. You will see its main window as shown in the following example.
Now click the “Scan” button for scanning your PC for the C4H ransomware and other security threats. This process may take some time, so please be patient. During the scan Zemana Anti Malware (ZAM) will look for threats present on your computer.
Once that process is done, Zemana Anti-Malware (ZAM) will show you the results. You may delete items (move them to Quarantine) by simply clicking the “Next” button.
Zemana Anti Malware will begin to remove folders, files and registry keys related to the C4H ransomware virus. Once that process is complete, you may be prompted to restart your computer for the changes to take effect.
Remove C4H virus with MalwareBytes Free
We suggest using MalwareBytes Anti-Malware, which will completely clean your computer of the crypto malware. This free tool is an advanced malicious software removal application created by Malwarebytes. This application uses the world’s most popular anti-malware technology. It’s able to help you uninstall ransomware, PUPs, malicious software, adware software, toolbars, and other security threats from your machine for free.
MalwareBytes AntiMalware can be downloaded from the following link. Save it directly to your Windows Desktop.
When downloading is complete, close all windows on your system. Further, start the file called MBSetup. If the “User Account Control” prompt pops up as displayed on the screen below, click the “Yes” button.
It will display the Setup wizard which will help you install MalwareBytes on the computer. Follow the prompts and do not make any changes to default settings.
Once installation is done successfully, click the “Get Started” button. Then MalwareBytes Anti-Malware (MBAM) will automatically start and you can see its main window such as the one below.
Next, click the “Scan” button. The MalwareBytes Free tool will start scanning the whole system to find C4H ransomware, other malicious software, worms and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your computer. During the scan MalwareBytes will look for threats present on your computer.
Once the scan is complete, you may check all items detected on your system. Review the report and then press the “Quarantine” button.
MalwareBytes will remove the C4H ransomware virus, other malware, worms and trojans. Once disinfection is done, you may be prompted to restart your personal computer. We advise you to watch the following video, which completely explains the process of using MalwareBytes Free to remove browser hijacker infections, adware software and other malware.
Remove C4H from computer with KVRT
Kaspersky virus removal tool (KVRT) is a free removal tool that may be downloaded and run to delete ransomware, adware, spyware, trojans, worms, potentially unwanted programs, malicious software and other security threats from your PC system. You can run this tool to detect threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the link below.
Once the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once the initialization process is finished, you’ll see the KVRT screen as on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click the Start scan button to perform a system scan for the C4H ransomware. A system scan may take anywhere from 5 to 30 minutes, depending on your PC. While the Kaspersky virus removal tool is scanning, you can see how many objects it has identified as being malicious software.
Once KVRT completes the scan, it will display a screen that contains a list of the malware that has been found, like below.
In order to delete all items, simply click on Continue to begin a cleaning procedure.
How to decrypt .C4H files
Files with the extension ‘.C4H’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. Unfortunately, today there is no way to decrypt files encrypted by the C4H ransomware virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Everyone has to remember that paying the developers of the C4H ransomware virus who are threatening you is a terrible idea. You can pay this money, but there is no guarantee that your files will be yours again. That is the reason why you should consider other options (that do not involve paying the makers of the C4H ransomware) in order to recover locked personal files. There still are some ways to defuse crypto malware without paying ransom, so you would not need to pay hackers and you would not let them reach their goal.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you to restore the contents of encrypted files. Try to recover the encrypted files using the free tools listed below.
How to restore .C4H files
If all your files are encrypted with the .C4H file extension, then you only have one thing left: use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to recover .C4H files. These methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now: use free malware removal tools or return to step 1 above.
Use ShadowExplorer to recover .C4H files
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover your documents, photos, and music encrypted by C4H ransomware from Shadow Copies for free. Unfortunately, this method does not always work, because the ransomware almost always deletes all Shadow copies.
First, visit the following page, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
After downloading is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as on the image below.
Double-click ShadowExplorerPortable to launch it. You will see a window as shown in the following example.
In the top left corner, choose the drive where the encrypted personal files are stored and the latest restore point as on the image below (1 – drive, 2 – restore point).
In the right panel, look for a file that you wish to restore, right-click it and select Export as displayed on the image below.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Use PhotoRec to recover .C4H files
There is another way to recover the contents of the encrypted files. This method is based on using a data recovery tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec on your machine by clicking on the following link.
Once the downloading process is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the figure below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen as on the image below.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted files similar to the one below.
Press the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is complete, press the OK button.
Next, press the Browse button to select where recovered photos, documents and music should be written, then press Search.
The count of restored files is updated in real time. All recovered documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is finished, click the Quit button. Next, open the directory where the restored personal files are stored. You will see contents as shown below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can sort your restored files by extension and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your machine from C4H ransomware
Most antivirus programs already have a built-in protection system against ransomware. Therefore, if your computer does not have an antivirus application, make sure you install one. As an extra protection, run HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic utility to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from Windows XP to Windows 10.
Visit the page linked below to download the latest version of HitmanPro.Alert for Windows. Save it on your Windows desktop or in any other place.
Once the downloading process is complete, open the file location. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. Once the tool is started, you’ll see a window where you can select a level of protection, as on the image below.
Now click the Install button to activate the protection.
Final words
This guide was created to help all victims of C4H ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .C4H files; how to recover the encrypted files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with C4H virus related issues, go here.