CC1H Ransomware

CC1H Ransomware is one of those infections that rely on poor protection and vulnerabilities to invade Windows operating system systems. Its creator can use other threats and exploit kits to drop and execute the infection without any involvement from victims. It also can trick them into executing the infection unknowingly. When that happens, the attackers usually use clever spam email messages and attractive downloaders to fool people, and, unfortunately, these tricks work very well. In fact, most ransomware threats are spread via spam email, and that means that victims mostly execute this kind of malware themselves. In this report, we are talking about CC1H, which is a new variant of the Globe Imposter Ransomware. Other variants of this infamous threat include TorS@Tuta.Io Ransomware, C4H Ransomware, and Taargo Ransomware. So, how do you protect your system against these threats? How do you delete them once they are inside? Continue reading to learn how to remove CC1H Ransomware.

Have you identified CC1H Ransomware as the attacker of your personal files? If you can see the “.CC1H” extension attached to the names of your documents, photos, and similar personal files, we are sure that this is the malware that you have faced. The threat also uses a file named “Decryption INFO.html” to introduce itself, and copies of this file should be dropped everywhere. Is it dangerous to open this file? Not at all, but you have to be cautious about the message inside. Also, do not forget to delete all its copies once you get to the removal part. The message inside the .html file informs that files were encrypted, and you might not know what that means. Encryption is normally used to protect files, so that only the owner of these files could access them. Cybercriminals use encryption to lock files so that only they could access them. Of course, the attackers do not care about the contents of these files. What they care about is your desire to get the files back under your control. This is the only reason why CC1H Ransomware was created.

The message within the .html file dropped by CC1H Ransomware informs that you can obtain a “decryptor” to have all files restored, and to get this decryptor, you are instructed to send one test file to the attackers at chinarecoverycompany@cock.li or chinarecoverycompany@airmail.cc. Once the attackers receive your message, they should respond back with the decrypted file – which is meant to prove that decryption is possible – and also the price of a decryption tool. This is why this malware is classified as ransomware. We are sure that most victims of CC1H Ransomware know that they cannot trust cybercriminals, but their files might be too important for them. Also, the ransom note warns against the removal of the threat or the use of third-party decryptors. We are sure that some victims of this malware will have backup copies of the corrupted files, and if you are one of these victims, you can delete the infection and then replace the corrupted files with their copies. There is also an option of using the GlobeImposter Decryptor, which is free because it was created by researchers. Unfortunately, we cannot guarantee that it will decrypt everything.

Now that you have all important information, and you know your options for recovering or replacing files, what are you going to do? If you do not have backup copies, and the free decryptor does not work for you, you might choose to follow the attackers’ demands. This is the worst decision because you will not get a decryptor in return. Instead, your inbox will be flooded with intimidating and misleading messages, and your money will be lost. Remember that it is not beneficial for cybercriminals to share decryptors. Hopefully, you do not need to put yourself and your money at risk. In any case, you must delete CC1H Ransomware. Note that this malware auto-stars with Windows, and that means that new files can be encrypted after a restart. Therefore, if you are going to be replacing files with backups, you need you remove CC1H Ransomware first. One option is to follow the instructions below, but because your system requires full protection, we advise installing anti-malware software right away. It will simultaneously secure and clean the system.

CC1H Ransomware Removal

1. Delete all copies of the ransom note file named Decryption INFO.html.
2. Launch File Explorer by tapping Windows+E keys and enter %APPDATA% into the quick access field.
3. Delete the {random name}.exe file if you can identify it as a malicious file.
4. Launch Run by tapping Windows+R keys and enter regedit into the dialog box.
5. In Registry Editor, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
6. Delete the value named CertificatesCheck (value data should point to the .exe file in %APPDATA%).
7. Exit all utilities and then Empty Recycle Bin.
8. Install and run a malware scanner you trust to help you check the system for leftovers.