Remove C4H Ransomware – Restore .C4H Files

The C4H ransomware is a new strain of the GlobeImposter threat family. It has been circulating on the web for a couple of days. Like a typical ransomware infection, the C4H virus aims to corrupt personal files stored on computer drives and blackmail victims into paying a ransom fee to the cybercriminals behind the attacks. Along with the data corruption, many system modifications happen in the background while other processes are running. These malicious modifications heavily damage the operating system and disrupt its normal operation. Hence, an infection with C4H ransomware leads to serious system security issues that can be avoided by removing it completely from the system.


If you are a victim of the C4H cryptovirus, it is advisable to avoid any negotiations with the cybercriminals and to rely on trusted security tools instead. Keep reading.

C4H Virus

C4H ransomware is one of the latest GlobeImposter ransomware variants. Like its predecessors Horriblemorning, CILLA and Tanos, the C4H threat is named after the malicious extension it uses to mark the files it encrypts.

C4H ransomware activates a built-in cipher module for data encryption. The module scans all drives for commonly used file types and transforms the code of the files it finds. Because the transformation relies on a sophisticated algorithm, all corrupted files remain unusable until their code is reverted to its original state.

The ransomware could encrypt files of the following types:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc.

After the data encryption stage is completed, you can no longer use your valuable data. As soon as the ransomware transforms the original code of a file, it marks the file with the malicious .C4H extension and blocks access to its data.

Before the encryption phase, the C4H virus accesses certain system components such as the Windows Registry and heavily modifies their settings. This way it evades detection and completes several other attack operations.

Since the Registry stores low-level settings that control the regular performance of the operating system as well as of some installed applications, C4H ransomware strains may prevent you from using your system in a regular and secure way. Once C4H adds its malicious values under important registry keys like Run and RunOnce, it starts misusing their functionality. As a result, the C4H ransomware could load malicious files every time you turn on the infected PC.

Finally, C4H ransomware drops a file called Decryption INFO.html on the system and loads it in the default browser. The file contains a specially crafted ransom message that attempts to extort a ransom fee for a file decryptor. Here is a copy of its text:



To recover data you need decryptor.
To get the decryptor you should:
Send 1 test image or text file chinarecoverycompany@cock.li or chinarecoverycompany@airmail.cc.
In the letter include your personal ID (look at the beginning of this document).

We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.

Only chinarecoverycompany@cock.li or chinarecoverycompany@airmail.cc can decrypt your files
Do not trust anyone chinarecoverycompany@cock.li or chinarecoverycompany@airmail.cc
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user’s unique encryption key

Refrain from paying the hackers the ransom, as this does not guarantee the recovery of your encrypted .C4H files. There is a chance that the code of the threat is full of bugs, in which case the decrypter won't be able to recover .C4H files.
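To scope the damage described above, the following read-only triage script counts files marked with the .C4H extension and locates copies of the Decryption INFO.html note. It is an added example, not a tool from the original article; the function names are hypothetical, and it assumes the marker is appended after the original extension (for example `report.docx.C4H`).

```python
import os
import sys
from collections import Counter

ENCRYPTED_EXT = ".c4h"               # marker extension named in the article
NOTE_NAME = "decryption info.html"   # ransom note file name named in the article
NOTE_CONTACTS = ("chinarecoverycompany@cock.li",
                 "chinarecoverycompany@airmail.cc")  # addresses quoted in the note


def note_matches(path, limit=1 << 20):
    """True if the note mentions a contact address from the published ransom text."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(limit).lower()
    except OSError:
        return False
    return any(addr in text for addr in NOTE_CONTACTS)


def triage(root):
    """Walk root and summarise C4H artefacts; nothing is modified or deleted."""
    report = {"encrypted": [], "notes": [],
              "original_types": Counter(), "dirs": Counter()}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                report["encrypted"].append(path)
                report["dirs"][dirpath] += 1
                # Assumption: marker is appended, so "a.docx.C4H" was a .docx
                stem = name[:-len(ENCRYPTED_EXT)]
                orig = os.path.splitext(stem)[1].lower() or "(none)"
                report["original_types"][orig] += 1
            elif lower == NOTE_NAME:
                report["notes"].append((path, note_matches(path)))
    return report


if __name__ == "__main__":
    r = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(r['encrypted'])} encrypted file(s), {len(r['notes'])} note(s)")
    for ext, n in r["original_types"].most_common():
        print(f"  type {ext:10} {n}")
    for d, n in r["dirs"].most_common(10):
        print(f"  {n:6} file(s) in {d}")
    for path, ok in r["notes"]:
        print(f"  note: {path} (contact address match: {ok})")
```

Run it against a mounted copy of the affected drive; the per-type and per-directory counts show which backups need to be restored.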

Currently, C4H ransomware is being distributed in active attack campaigns against online users worldwide. Popular techniques such as malspam, freeware installers, and corrupted hosts may be used for its spread. Malspam is believed to be the technique hackers prefer. It is carried out via massive spam email campaigns. The email messages that are part of such campaigns usually attempt to trick you into downloading the malicious software by presenting it as an important document in a file attachment, a clickable link/button or another interactive element.