Remove C1024 Ransomware Virus (Removal Instructions)

remove C1024 ransomware virus (virus removal guide)

C1024 ransomware originates from the infamous DHARMA ransomware group

Contents

C1024 ransomware originates from the infamous DHARMA ransomware group
- Ransomware Summary
Ransomware distribution explained: how to avoid getting infected
Remove C1024 Ransomware Virus and Recover Your Files

C1024 ransomware is a new variant of file-encrypting virus originating from DHARMA ransomware family. After breaking into the target system, this virus starts encrypting all files located in victim’s folders and marking them with a lengthy extension. This file marker consists of victim’s ID, the attacker’s email address (in this case, code1024@keemail.me) and .C1024 extension. So for example, a file originally named 1.jpg will be renamed to 1.jpg.id-7MKEC91T.[code1024@keemail.me].C1024. The virus also drops a copy of ransom note called info.txt into every affected folder and launches info.hta file on the screen. These notes contain instructions from the ransomware operators who expect you to pay a ransom to them in exchange for data decryption tools.

The sole aim of C1024 ransomware operators is to lock your files using military-grade encryption and then provide you with a single solution – pay or lose your files forever. The text note dropped in each folder contains a short message that says:

all your data has been locked us
You want to return?
write email code1024@keemail.me or code1024@onionmail.org
Message contained in info.txt file.

As you can see, this note doesn’t get into the details about the attack and is only meant to provide you two email addresses belonging to the attackers. However, the info.hta file launched on the screen contains a bit more information. It suggests that the victim can return all of one’s files, however, in order to do it, the victim has to write to provided email address – code1024@keemail.me. In case the victim receives no response within 12 hours, the note suggests writing to an alternative email address: code1024@onionmail.org.

What happens next is the attackers will instruct you to pay a specific amount of money to them. They will also command you to purchase cryptocurrency such as Bitcoin worth the said amount and transfer it to their virtual wallet address. The reason behind this is such payment method prevents law enforcement agencies from tracking them down.

However, we strongly advise you to NOT PAY THE RANSOM. According to cybersecurity experts and FBI, this is not a good option because it never guarantees successful data recovery. Sometimes, the attackers stop replying to their victims after receiving the ransom, or provide faulty decryption tools. Moreover, you shouldn’t support the actors behind the ransomware as your money only helps them to fund further operations and as a result, infect even more people. Additionally, ransomware can drag additional malware to your computer.

If you have unfortunately fallen victim to a ransomware attack, we strongly recommend you to eliminate the malware from your computer to secure it and information you keep in it. To remove C1024 ransomware virus, we recommend using a robust antivirus software while in Safe Mode with Networking (see the full tutorial below the article). If you do not have a security software yet, consider using one recommended by our team – INTEGO Antivirus. To repair virus damage on Windows OS files, you may want to download RESTORO.

Ransomware Summary

Name	C1024 Ransomware Virus
Type	Ransomware; Crypto-malware; Virtual Extortion Virus
Family	DHARMA (also known as CrySiS)
Encryption type	AES-256 + RSA-1024
Extension	.id-[8-character string].[code1024@keemail.me].C1024
Cybercriminal emails	code1024@keemail.me, code1024@onionmail.org
Damage	The ransomware encrypts all files on the computer and appends new extensions to them. Additionally, the virus deletes Volume Shadow Copies and drops ransom-demanding notes throughout the computer system.
Ransom note	info.txt, info.hta
Ransom demand	Depends on negotiation with the criminals
Distribution	Mostly distributed via malicious email attachments, fake software installers, RDP vulnerabilities
Detection names	Ransom:Win32/Wadhrama!hoa (Microsoft), Trojan.Ransom.Crysis.E (B) (Emsisoft), Trojan-Ransom.Win32.Crusis.to (Kaspersky), Trojan.Ransom.Crysis.E (BitDefender), Ransom.Crysis (Malwarebytes), Packed.Generic.528 (Symantec) see all detection name variations on VirusTotal
Removal	Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

1 Step. Get robust antivirus to remove existing threats and enable real-time protection

SECURE YOUR PC NOW

See Full Review

INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.

2 Step. Repair Virus Damage on Windows Operating System Files

REPAIR VIRUS DAMAGE

See Full Review

Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.

Ransomware distribution explained: how to avoid getting infected

Cybercriminals typically distribute ransomware-type threats via malicious email attachments, fake software installers, deceptive ads, deceptive torrents, or via RDP vulnerabilities.

Computer users can get infected after opening deceptive email attachments designed to look like regular business documents, for example, invoices, order summaries or waybills. These typically come along a message that invites the target to open the attachment and reply as soon as possible. For this reason, we strongly recommend you to be attentive when opening emails. If you have the slightest sense of suspicion, do not open the attachments or links added to the message.

Another way to avoid ransomware infections is to stay away from pirated software versions available online. Victims often get infected after downloading torrents including software cracking or license key generation tools. Instead of activating your desired software, these can run ransomware on your computer and corrupt all of your files. For this reason, it is important to choose legitimate online websites belonging to official software developers or partners. Remember that legitimate software license hardly ever costs more than large ransom amounts demanded by Internet criminals.

Deceptive ads and fake software installers are also among the most popular ransomware distribution vectors. Deceptive ads might advertise popular software updates, however, these installers can bring high-risk computer threats to your computer. For this reason, you should only renew your programs using updates from legitimate software developer’s site or via the software itself.

Remote Desktop Protocol vulnerabilities are also targeted by cybercriminals. Therefore, if you use this technology to allow your employees to do their job remotely, make sure to ask a cybersecurity expert to configure these settings properly and use complex login credentials to avoid getting hacked by cybercriminals.

Screenshot of data folder containing affected victim’s files:

Files encrypted by the ransomware have blank icons and a lengthy new extension.

Screenshot of the ransom note left by the virus (info.txt) file:

Contents of info.txt note which is saved into every affected data folder.

The ransomware also displays a pop-up (info.hta) which is shown in the screenshot down below.

The ransomware displays a pop-up that explains that victim’s files were encrypted.

Remove C1024 Ransomware Virus and Recover Your Files

If you have been affected by this computer virus, we strongly recommend you to remove C1024 ransomware virus as soon as you can. Manual removal of such complicated malware is a hard procedure that requires excellent skills, so it is not a recommended option for most home computer users. For this reason, we suggest using the tutorial provided below which explains how to boot your computer in Safe Mode with Networking. From there, you can run your antivirus software which will eliminate the ransomware and related threats for you. If you do not have such software yet, consider using INTEGO Antivirus, an excellent antivirus for Windows OS users.

Additionally, you may want to download and try RESTORO to repair virus damage caused for Windows OS files.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7.. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

C1024 Ransomware Virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:

Instructions for Windows XP/Vista/7 users

First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10 users

Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove C1024 Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).

REMOVE MALWARE & REPAIR VIRUS DAMAGE

1 Step. Get robust antivirus to remove existing threats and enable real-time protection

SECURE YOUR PC NOW

See Full Review

2 Step. Repair Virus Damage on Windows Operating System Files

REPAIR VIRUS DAMAGE

See Full Review

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10 users

Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.

Step 2. Start System Restore process

Wait until system loads and command prompt shows up.
Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.