
Remove CryptoHitman Ransomware and Restore .porno Encrypted Files Successfully

[Image: CryptoHitman ransomware screen showing the ransom message note]

A new variant of the Jigsaw ransomware has appeared. It now bears the name CryptoHitman, but its core is more or less the same. Instead of showing the puppet used in the “Saw” movies, the ransomware’s theme is now the Hitman character next to pornographic images. Like its predecessor, the ransomware encrypts files with over 120 extensions. This time, it adds a .porno extension. To see how to restore your files and remove the ransomware, read the article to the end, carefully.

Threat Summary

Name: CryptoHitman
Type: Ransomware
Short Description: The ransomware is a new variant of the Jigsaw ransomware. It encrypts files by adding a .porno extension and asks a ransom for decryption.
Symptoms: Files with more than 120 different extensions can be encrypted. A ‘Hitman’ themed message with instructions for paying the ransom is displayed next to pornographic imagery. Every hour files get deleted if the ransom is not paid.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks

CryptoHitman Ransomware – How Did I Get Infected?

You can get infected with the CryptoHitman ransomware in several ways. One of them is via spam e-mails that carry an attachment with a malicious file inside. If that attachment is opened, it can drop the malware onto your PC. The file might have a name like firefox.exe or something similar to throw you off.

The previous variant of this ransomware was also spread via social media and file-sharing services. Dropbox was used as well, so it might be used again for further spread. Visiting unknown websites and clicking on suspicious links is surely another way of getting infected by the ransomware.

CryptoHitman Ransomware – Technical Information

The CryptoHitman malware is classified as ransomware and is a newer variant of the Jigsaw ransomware. The malware encrypts your files, locking you out of them, and you are asked to pay a fixed sum of money in Bitcoins as ransom. If you don’t meet the conditions and don’t pay the exact sum, files start getting deleted on an hourly basis. Instead of the popular puppet from the “Saw” movies, the ransomware’s theme is now the Hitman character from the video game series and movies.

In the directories %AppData%\Mogfh\, %LocalAppData%\Suerdf\ and %AppData%\System32Work, the following files will be created:

  • suerdf.exe
  • mogfh.exe
  • Address.txt
  • EncryptedFileList.txt

The Windows Registry is also modified. The registry value that is added is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mogfh.exe %AppData%\Mogfh\mogfh.exe

That registry value makes mogfh.exe start automatically: it launches with every load of the Windows operating system and initiates the CryptoHitman ransomware.
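The artifacts listed above (the three drop directories, the four file names and the Run value) can be checked read-only from PowerShell. The script below is an added example, not code from the article or from the malware; it assumes the Run value name is mogfh.exe exactly as shown above and that encrypted files keep their original name with .porno appended, and it scopes the file count to the current user profile so it finishes quickly.

```powershell
# Added triage script (not from the original article): read-only check of a
# Windows host for the CryptoHitman artifacts described in the article.
# Assumption: the Run value is named 'mogfh.exe' and its data points at
# %AppData%\Mogfh\mogfh.exe, as reported above.

$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValueName = 'mogfh.exe'

# Drop directories named in the article, expanded for the current user.
$artifactDirs = @(
    (Join-Path $env:APPDATA      'Mogfh'),
    (Join-Path $env:LOCALAPPDATA 'Suerdf'),
    (Join-Path $env:APPDATA      'System32Work')
)
# The article lists the file names but not which directory holds which,
# so every name is checked in every directory.
$artifactNames = @('suerdf.exe', 'mogfh.exe', 'Address.txt', 'EncryptedFileList.txt')

$droppedFound = foreach ($dir in $artifactDirs) {
    foreach ($name in $artifactNames) {
        $candidate = Join-Path $dir $name
        if (Test-Path -LiteralPath $candidate) { $candidate }
    }
}

# Persistence check: read the Run value without changing it.
$runData = $null
$runItem = Get-ItemProperty -Path $runKey -Name $runValueName -ErrorAction SilentlyContinue
if ($runItem) { $runData = $runItem.$runValueName }

# Count files the malware has already renamed with the .porno extension.
# Scoped to the profile; widen -Path to a drive root for a full sweep.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Filter '*.porno' -File -Recurse -Force -ErrorAction SilentlyContinue

[pscustomobject]@{
    RunValuePresent     = [bool]$runData
    RunValueData        = $runData
    RunValueMatchesDrop = ($runData -like '*\Mogfh\mogfh.exe')
    DroppedFilesFound   = @($droppedFound)
    EncryptedFileCount  = @($encrypted).Count
    EncryptedSample     = @($encrypted | Select-Object -First 5 -ExpandProperty FullName)
}
```

Any true flag or non-zero count is a strong indicator the host is infected; the script changes nothing, so it is safe to run before deciding on the removal steps at the end of the article.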

Next, the ransomware displays a screen with the well-known character ‘Hitman’ from the movies and video game series of the same name. Right next to the character, lots of pornographic pictures are shown. Because of the character and the e-mail address given for contacting the ransomware owners ([email protected]), the ransomware is named CryptoHitman.

Payment instructions are typed out on the screen letter by letter, as if someone were typing them at that moment:

[Image: CryptoHitman ransomware screen showing the ransom instructions]

You are asked to pay the sum of 150 US dollars in Bitcoins within one hour. If you do not, encrypted files get erased every hour, and eventually all of your files will be gone. The sum doubles to 300 US dollars if you don’t pay within 36 hours.

The message shown on screen reads the following:

Your files have been encrypted. We deleted files every hour.
Ransom / Ransompensa ID: 11066578
You must pay $150 USD in Bitcoins to the address specified below.
Depending on the amount of files you have your Ransom can double to $300
If you don’t pay within 36 hours.
Take a picture of the BTC address, Ransom ID and contact email.
We will delete files everyhour until you pay!
If you do not have Bitcoins visit www.localbitcoins.com to purchase.
Your payment BTC Address is 32j32oj46jhj547U32bhb6HjvfdjfdhghP
Everytime you restart your computer it recrypts everything. It will take a while
for you to see the this screen again. Take a photo in case you want to contact us.
Every time you restart the computer you run the risk of damaging the hard drive.
Questions – email us: [email protected]

3 files will be deleted. 3 archivos seran borrados.

Send – Envie $150 worth of Bitcoins here – de Bitcoins aqui:

Paying the ransomware creators is strongly advised against. Nobody can guarantee that you will get your files restored. Paying supports the cyber criminals and tempts them to make a newer version of this malware. Besides, restoration methods are outlined at the end of the article.

The CryptoHitman ransomware searches your storage drives for files to encrypt. It looks for files with over 120 extensions, including these:

→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java

The AES algorithm is used for the encryption, and the ransomware appends the .porno extension to every encrypted file. If you restart your computer, there is a high chance that around 1,000 of the encrypted files will be erased from your drives.

A way to restore your files has been found, and even if you already restarted your PC after the encryption finished, there is no need to panic: data recovery programs can help you.

Remove CryptoHitman Ransomware and Restore .porno Encrypted Files

If the CryptoHitman ransomware infected your system, don’t worry: there is still a viable way to decrypt your files without paying. You should, however, have at least a little experience in removing malware. Follow the instructions below to recover your files.

Manually delete CryptoHitman from your computer

Note! Important warning about the CryptoHitman threat: manual removal of CryptoHitman requires editing system files and the registry, so it can damage your PC if done incorrectly. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptoHitman files and objects.
2. Find malicious files created by CryptoHitman on your PC.
3. Fix registry entries created by CryptoHitman on your PC.

Automatically remove CryptoHitman by downloading an advanced anti-malware program

1. Remove CryptoHitman with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CryptoHitman in the future
3. Restore files encrypted by CryptoHitman
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
