Remove CryptoHitman Ransomware and Restore .porno Encrypted Files Successfully - How to, Technology and PC Security Forum | SensorsTechForum.com

[Image: CryptoHitman ransom message screen]

CryptoHitman is a new variant of the Jigsaw ransomware. It bears a new name, but its core is more or less the same. Instead of showing the puppet used in the “Saw” movies, the ransomware’s theme is now the Hitman character next to pornographic images. Like its predecessor, the ransomware encrypts files with over 120 extensions. This time, it adds a .porno extension. To see how to restore your files and remove the ransomware, read the article carefully to the end.

Threat Summary

Name: CryptoHitman
Type: Ransomware
Short Description: The ransomware is a new variant of the Jigsaw ransomware. It encrypts files by adding a .porno extension and asks a ransom for decryption.
Symptoms: Files with more than 120 different extensions can be encrypted. A ‘Hitman’ themed message with instructions for paying the ransom is displayed next to pornographic imagery. Every hour files get deleted if the ransom is not paid.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks

CryptoHitman Ransomware – How Did I Get Infected?

You can get infected with the CryptoHitman ransomware in several ways. One of them is via spam e-mails that contain an attachment with a malicious file inside. If that attachment is opened, it can inject malware code into your PC. The file might have a name like firefox.exe or something similar to try to throw you off.

The previous variant of the CryptoHitman ransomware could be spread via social media and file-sharing services. DropBox was used as well, so it might be used again for further spread. Visiting unknown websites and clicking on suspicious links is another way of getting infected by the ransomware.

CryptoHitman Ransomware – Technical Information

The CryptoHitman malware is classified as ransomware and it is a newer variant of the Jigsaw ransomware. The malware will encrypt your files, and they will become locked. You are asked to pay a fixed sum of money in BitCoins as ransom. If you don’t meet the conditions and you don’t pay the exact sum, files will start getting deleted on an hourly basis. Instead of the popular puppet from the “Saw” movies, the ransomware’s theme now is the Hitman character from the video game series and movies.

In the directories %AppData%\Mogfh\, %LocalAppData%\Suerdf\ and %AppData%\System32Work, the following files will be created:

  • suerdf.exe
  • mogfh.exe
  • Address.txt
  • EncryptedFileList.txt

The Windows Registry is also modified. The registry value that is added is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mogfh.exe %AppData%\Mogfh\mogfh.exe

That registry value is set to make the file mogfh.exe start automatically. It will launch every time the Windows operating system loads and will start the CryptoHitman ransomware.
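The indicators above (the three directories, the four file names, the Run value and the .porno extension) can be checked in one pass. The following is an added example, not code from the article or from any removal tool; the function names check_host and read_run_key are hypothetical, and the profile roots are passed in so the same check works on a live profile or on a mounted disk image:

```python
import os
from pathlib import Path

# Indicators listed in the article: (profile variable, sub-directory) pairs.
IOC_DIRS = [("APPDATA", "Mogfh"), ("LOCALAPPDATA", "Suerdf"), ("APPDATA", "System32Work")]
IOC_FILES = {"suerdf.exe", "mogfh.exe", "address.txt", "encryptedfilelist.txt"}
RUN_VALUE_NAME = "mogfh.exe"
RUN_VALUE_TAIL = "\\mogfh\\mogfh.exe"
ENCRYPTED_SUFFIX = ".porno"


def check_host(roots, run_values, data_dirs=()):
    """Return sorted findings for one user profile (live host or mounted image).

    roots: {"APPDATA": path, "LOCALAPPDATA": path}; run_values: {name: data}
    from the HKCU Run key; data_dirs: folders to search for .porno files.
    """
    findings = []
    for var, sub in IOC_DIRS:
        base = Path(roots[var]) / sub
        if not base.is_dir():
            continue
        findings.append(f"dir:{var}/{sub}")
        for entry in base.iterdir():
            if entry.is_file() and entry.name.lower() in IOC_FILES:
                findings.append(f"file:{var}/{sub}/{entry.name}")
    for name, data in run_values.items():
        # Match the value name or the payload path, ignoring case and quotes.
        normalized = data.lower().replace("/", "\\").strip('"')
        if name.lower() == RUN_VALUE_NAME or normalized.endswith(RUN_VALUE_TAIL):
            findings.append(f"run:{name}")
    for top in data_dirs:
        for dirpath, _dirs, files in os.walk(top):
            for f in files:
                if f.lower().endswith(ENCRYPTED_SUFFIX):
                    findings.append(f"encrypted:{os.path.join(dirpath, f)}")
    return sorted(findings)


def read_run_key():
    """Windows only: read the current user's Run key values into a dict."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values
```

On a live Windows profile, call check_host with os.environ as roots, read_run_key() as run_values and the user's document folders as data_dirs; an empty list means none of the article's indicators were found.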

Next, the ransomware will display a screen with the well-known character ‘Hitman’ from the movies and video game series of the same name. Right next to the character, many pornographic pictures will be displayed. Because of the character and the email address given for contacting the ransomware owners ([email protected]), the ransomware is named CryptoHitman.

Paying instructions are being typed live on the screen as if someone is typing them at that moment:

[Image: CryptoHitman ransom instructions screen]

You are asked to pay the sum of 150 US dollars in BitCoins within one hour. If you do not, encrypted files will get erased every hour and eventually all of your files will be gone. The sum can double if you don’t pay within 36 hours, making it 300 US dollars.

The message shown on screen reads the following:

Your files have been encrypted. We deleted files every hour.
Ransom / Ransompensa ID: 11066578
You must pay $150 USD in Bitcoins to the address specified below.
Depending on the amount of files you have your Ransom can double to $300
If you don’t pay within 36 hours.
Take a picture of the BTC address, Ransom ID and contact email.
We will delete files everyhour until you pay!
If you do not have Bitcoins visit www.localbitcoins.com to purchase.
Your payment BTC Address is 32j32oj46jhj547U32bhb6HjvfdjfdhghP
Everytime you restart your computer it recrypts everything. It will take a while
for you to see the this screen again. Take a photo in case you want to contact us.
Every time you restart the computer you run the risk of damaging the hard drive.
Questions – email us: [email protected]

3 files will be deleted. 3 archivos seran borrados.

Send – Envie $150 worth of Bitcoins here – de Bitcoins aqui:

Paying ransomware creators is strongly discouraged. Nobody can guarantee that you will get your files restored. Giving money will support the cyber criminals and tempt them to make a newer version of this malware. Besides, restoration methods are laid out at the end of the article.

The CryptoHitman ransomware will search your storage drives to encrypt files. The ransomware searches for files with over 120 extensions, most of which are these:

→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java

The AES algorithm is used for the encryption process, and the ransomware appends the .porno extension to all encrypted files. If you restart your computer, there is a high chance that around 1,000 of the encrypted files could get erased from your drives.

A solution for restoring your files has been found, and if you already restarted your PC after the encryption process was done, you shouldn’t worry, as there are Data Recovery programs that can help you.

Remove CryptoHitman Ransomware and Restore .porno Encrypted Files

If CryptoHitman ransomware infected your system, don’t be worried, because there is still a viable solution for file decryption without payment. To remove this ransomware yourself, you should have at least a little experience in removing malware. See the instructions below to learn how to recover your files.


To remove CryptoHitman follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove CryptoHitman files and objects
2. Find files created by CryptoHitman on your PC

IMPORTANT!
Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by CryptoHitman

Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyber space. Her fascination with IT security began a few years ago when malware locked her out of her own computer.
