If your personal documents and photos were encrypted by Chch Ransomware, you will find the “.chch” extension appended to their names. The extension marks files that the infection has encrypted with a key you do not have; without the matching decryptor, their contents cannot be read. Encryption normally serves the owners of the data, who use it to keep files out of unauthorized hands. Cybercriminals have turned the same technique into an extortion tool: they encrypt files that do not belong to them and then pressure the owners into paying for a decryptor. Paying is no guarantee of getting anything back, which is why many ransomware victims end up losing both their data and their money. Not all is lost if you are prepared and have copies of your files. Restore points and shadow copies on the infected machine will not help, because Chch Ransomware deletes Volume Shadow Copies (you can confirm this by running `vssadmin list shadows` from an elevated prompt; after the attack the list is expected to be empty). If, however, you have copies stored online or on external drives that were not connected at the time of the attack, you can replace the encrypted files once the infection has been removed.
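Before restoring from backup you need to know exactly which files were hit and under which original names they should be pulled from the backup, and whether every “.chch” file really holds ciphertext (a file that was only renamed, or one the malware was still writing when it was killed, can sometimes be recovered without a decryptor). The script below is an added example written for this page, not code from the original article or from any vendor tool. It walks a folder tree, lists the “.chch” files and the READ_ME.TXT notes the page describes, derives the original file names, and flags any “.chch” file whose first 4 KiB is not high-entropy; the 6 bits-per-byte threshold and the sample tree it builds are assumptions for the demonstration, not facts about the malware.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

CHCH_EXT = ".chch"         # extension the page reports on encrypted files
NOTE_NAME = "READ_ME.TXT"  # ransom note file name the page reports
ENTROPY_FLOOR = 6.0        # assumed threshold (not from the page); real ciphertext is close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: near 8.0 for ciphertext, usually well under 6 for text or images."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inventory(root, sample_bytes=4096) -> dict:
    """Walk `root` and report: .chch files, the folders holding ransom notes, the original
    names to fetch from backup, and .chch files whose content is NOT high-entropy."""
    root = Path(root)
    encrypted, note_dirs, suspicious = [], [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name.upper() == NOTE_NAME:
            note_dirs.append(str(path.parent.relative_to(root)))
        elif path.suffix.lower() == CHCH_EXT:
            rel = str(path.relative_to(root))
            encrypted.append(rel)
            ent = shannon_entropy(path.read_bytes()[:sample_bytes])
            if ent < ENTROPY_FLOOR:
                suspicious.append((rel, round(ent, 2)))
    # "holiday.jpg.chch" -> "holiday.jpg": the name to look up in the backup set
    restore = [str(Path(p).with_suffix("")) for p in encrypted]
    return {
        "encrypted": encrypted,
        "restore_from_backup": restore,
        "note_dirs": note_dirs,
        "not_actually_encrypted": suspicious,
    }


def build_constructed_sample() -> str:
    """Constructed sample tree for the demo (no real malware involved): two files filled with
    random bytes standing in for ciphertext, one file that was merely renamed, one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="chch_demo_"))
    pics = root / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg.chch").write_bytes(os.urandom(8192))
    (pics / "READ_ME.TXT").write_text("files are encrypted\n")
    docs = root / "Documents"
    docs.mkdir()
    (docs / "thesis.docx.chch").write_bytes(os.urandom(8192))
    (docs / "todo.txt.chch").write_text("buy milk\ncall mum\n" * 200)  # renamed, never encrypted
    (docs / "untouched.txt").write_text("nothing happened here\n")
    return str(root)


if __name__ == "__main__":
    report = inventory(build_constructed_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as `inventory(r"C:\Users\<you>")` on the affected profile (after the infection has been removed, so no new files are being written) and hand the `restore_from_backup` list to whatever you use to copy files back. Anything in `not_actually_encrypted` deserves a manual look before you overwrite it: stripping the extension may be all it needs.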
According to our research team, Chch Ransomware is a new variant of Squad Ransomware, a malicious infection that we are currently looking into as well. Since one variant has already emerged from this infection, we have to consider the possibility that others will follow; if that happens, we will report back as quickly as we can. In general, there are thousands of file-encrypting threats, and the only realistic way to avoid them is to know the entry points this type of malware relies on. In most cases we see ransomware spreading via spam emails (the launcher is presented as an attachment) or via bundled downloaders (the launcher is presented as something else or is hidden altogether). If a user is tricked into executing Chch Ransomware, their personal files are encrypted immediately. Next to them, a file named “READ_ME.TXT” is dropped to deliver the attackers' message. It is a plain text file and safe to open, but we recommend removing all copies in the end because, after all, they belong to the malware.
Right off the bat, the message inside the .txt file informs the victim that “files are encrypted.” Its purpose is to convince victims to send one test file (an image or a text document) to email@example.com so that the attackers can prove that decryption is possible and then send further instructions. Those instructions are expected to explain how to pay an unspecified sum of money (the ransom) in return for a decryptor. Note what the test decryption actually proves: that the attackers hold the key, not that they will deliver a working decryptor after payment. Do you think that cybercriminals would keep their word and help you decrypt your files? Hopefully, you do not think that trusting cybercriminals is a good idea. Of course, if you want to take the risk, no one can stop you, but remember that you are most likely to end up losing your money along with your files. What about third-party decryptors? When we analyzed Chch Ransomware, no free decryptor that could assist was available. Free decryptors are created by malware experts only on rare occasions, typically when a flaw in the malware's key handling is found, so it is worth checking a reputable source such as the No More Ransom project again later; for now, your only realistic option is to use backup copies as replacements.
We hope that you have copies of your personal files and that you can replace the files corrupted by Chch Ransomware. In that case, you want to focus on removing the infection first. If you do not have backups, you might choose to follow the instructions of the cybercriminals, but we do not recommend it at all. Of course, even if you manage to get your files decrypted, you still need to remove Chch Ransomware. Getting rid of this infection manually is not something that every victim will be able to handle, because the launcher has no fixed name and we cannot guess where it was dropped. You could check the Desktop, the Downloads folder, and the %TEMP% directory, as this is where new files land in most cases, but we cannot tell you the exact location. Whatever you do, do not delete the encrypted files themselves; keep a copy of them on external storage in case a decryptor becomes available later. Whether or not you can find the launcher, we advise installing anti-malware software anyway, because it can scan the system, remove the malware, and reinstate full-time Windows protection in one go.
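The manual hunt described above can be narrowed considerably: whatever the launcher is called, it is a Windows executable, so it starts with the two-byte DOS header `MZ`, and it arrived recently. The script below is an added example written for this page, not the article's own procedure or a vendor tool. It scans the three locations the page names (Desktop, Downloads, %TEMP%) for files that carry the `MZ` magic regardless of their extension and were modified within a chosen window, newest first. The 72-hour default window and the constructed sample folder it builds for demonstration are assumptions; the real drop location of the launcher is not known, as the page says.

```python
import os
import tempfile
import time
from pathlib import Path

PE_MAGIC = b"MZ"  # every Windows EXE/DLL/SCR begins with this DOS-header signature


def default_drop_dirs():
    """The locations the page suggests checking: Desktop, Downloads and %TEMP%.
    Only directories that actually exist on this machine are returned."""
    home = Path.home()
    temp = os.environ.get("TEMP") or os.environ.get("TMP") or tempfile.gettempdir()
    candidates = [home / "Desktop", home / "Downloads", Path(temp)]
    return [d for d in candidates if d.is_dir()]


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the MZ header, whatever its extension says."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def hunt_launcher_candidates(dirs, max_age_hours=72):
    """Return [(path, age_hours, size_bytes)] for PE files modified within `max_age_hours`
    under `dirs`, newest first. A launcher may be named invoice.pdf.exe, something.scr,
    or even a .tmp file, so the extension is deliberately ignored."""
    now = time.time()
    cutoff = now - max_age_hours * 3600
    hits = []
    for d in dirs:
        for path in Path(d).rglob("*"):
            try:
                if not path.is_file():
                    continue
                st = path.stat()
            except OSError:
                continue  # locked or inaccessible; not our launcher's problem to solve here
            if st.st_mtime >= cutoff and is_pe_file(path):
                hits.append((str(path), round((now - st.st_mtime) / 3600, 1), st.st_size))
    hits.sort(key=lambda h: h[1])
    return hits


def build_constructed_drop_dir() -> str:
    """Constructed stand-in for a Downloads folder (no real malware): one fresh PE-looking
    file with a double extension, one PE last touched a month ago, and a non-executable document."""
    root = Path(tempfile.mkdtemp(prefix="chch_drop_"))
    (root / "invoice_2020.pdf.exe").write_bytes(PE_MAGIC + b"\x90" * 62 + b"PE\0\0" + b"\0" * 100)
    old = root / "setup_old.exe"
    old.write_bytes(PE_MAGIC + b"\0" * 200)
    month_ago = time.time() - 30 * 24 * 3600
    os.utime(old, (month_ago, month_ago))
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\0" * 100)  # OOXML zip, not a PE
    return str(root)


if __name__ == "__main__":
    # Demo on the constructed folder; on the affected machine use default_drop_dirs() instead.
    for path, age, size in hunt_launcher_candidates([build_constructed_drop_dir()]):
        print(f"{age:>7.1f} h  {size:>9} B  {path}")
```

On the infected machine call `hunt_launcher_candidates(default_drop_dirs())` and widen `max_age_hours` if the encryption happened earlier than you think. Treat the output as a shortlist, not a verdict: an unknown executable there is a candidate to quarantine and submit for scanning, and the anti-malware scan the page recommends should still be run afterwards.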