How to fix CryptoHitman

A fix has been published for the newly rebranded CryptoHitman ransomware (formerly Jigsaw Ransomware).

This is an unusual ransomware family in that it actively deletes a victim's files while the ransom goes unpaid. The relatively low sums demanded have left many wondering about the motives of the criminals behind it: are they really in it for the money, or are they more interested in causing users the maximum inconvenience?

Encrypted files given a .porno extension

CryptoHitman uses AES encryption to prevent computer users from accessing their own files. It also installs a lock screen showing the main character from the Hitman video game franchise alongside numerous pornographic images, and appends .porno and .pornoransom extensions to the encrypted files. These are the only major changes from its original incarnation as Jigsaw Ransomware, which was named after the infamous 'Saw' villain.

The attackers state that a ransom payment is required to undo the encryption, giving cryptohitman@yandex.com as the contact address. Meanwhile a countdown clock runs, and each time an hour elapses a batch of files is deleted. Forcing a restart to try to stop the clock does not help: those files are deleted anyway. Paying is not the recommended option, as it not only rewards the cybercriminals but, in many cases, the data returned has been so corrupted that it proves of little or no use.

No specific figures have been unveiled for the new incarnation, but Jigsaw Ransomware used to demand between £14 and £140 from infected users. If no money was proffered within 72 hours, the hard drive was wiped.

Fix released on Twitter – call us on 020 8740 6000 for more details

However, a fix for the ransomware has already been identified, and it works at the time of writing. The fix, found by Twitter user DemonSlay335, first requires users to terminate the %LocalAppData%\Suerdf\Suerdf.exe and %AppData%\Mogfh\mogfh.exe processes in Task Manager. This stops the malware from deleting any further files (though some may already be gone). Do this before anything else, and do not reboot until the next step is complete, since the malware's autostart entry would otherwise relaunch it.

Next, as bleepingcomputer.com notes, users need to run MSConfig and disable the startup entry associated with these executables, so the malware does not return on the next login. Users can then download the Jigsaw decryptor, which guides them through the decryption process. Finally, it is strongly advised to run a comprehensive antivirus or anti-malware scan to identify and remove any infection components still present.
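The two manual containment steps above (terminate the payload, then disable its autostart) can be scripted so they run in the right order and leave an audit trail. The following PowerShell is an added example written for this page; it is not from the article, from DemonSlay335 or from the decryptor's authors. It uses the two executable paths named in the article, and it assumes the startup entry lives either in a Run/RunOnce registry key or in the per-user or all-users Startup folder, which is what MSConfig's Startup tab lists; removing that value is equivalent to disabling it in MSConfig. The quarantine folder name is an arbitrary choice. Instead of deleting the binaries it moves them aside, so they stay available for analysis and for the antivirus scan that follows.

```powershell
# Added example (not part of the original article): automate the CryptoHitman /
# Jigsaw containment steps described above. Run from an elevated PowerShell
# prompt while logged in as the affected user. Supports -WhatIf for a preview.
function Disable-CryptoHitman {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The two payload paths named in the article, expanded for this user.
        [string[]]$Payloads = @(
            (Join-Path $env:LOCALAPPDATA 'Suerdf\Suerdf.exe'),
            (Join-Path $env:APPDATA      'Mogfh\mogfh.exe')
        ),
        # Arbitrary quarantine location (assumption, not from the article).
        [string]$Quarantine = (Join-Path $env:USERPROFILE 'Desktop\cryptohitman_quarantine')
    )

    # Step 1: stop the running payload first, so no further files are deleted
    # while we work. Match on the full image path, not just the process name,
    # so an unrelated process that happens to share a name is left alone.
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        $path = $proc.Path   # $null for protected/system processes
        if ($path -and ($Payloads -contains $path)) {
            if ($PSCmdlet.ShouldProcess("$path (PID $($proc.Id))", 'Stop process')) {
                Stop-Process -Id $proc.Id -Force
            }
        }
    }

    # Step 2a: remove autostart values that point at the payload. These are the
    # registry locations MSConfig's Startup tab reads (assumption: the malware
    # persists via one of them). Run values may use %APPDATA%-style variables or
    # quoting, so expand variables and substring-match instead of comparing whole.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            foreach ($payload in $Payloads) {
                if ($cmd -like "*$payload*" -and
                    $PSCmdlet.ShouldProcess("$key\$($prop.Name) = $cmd", 'Remove autostart value')) {
                    Remove-ItemProperty -Path $key -Name $prop.Name
                }
            }
        }
    }

    # Step 2b: also check the Startup folders for a shortcut to the payload.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($item in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            if (($Payloads -contains $target) -and
                $PSCmdlet.ShouldProcess($item.FullName, 'Remove startup shortcut')) {
                Remove-Item -LiteralPath $item.FullName -Force
            }
        }
    }

    # Step 3: quarantine the binaries rather than deleting them, so they remain
    # available for analysis and for the AV scan recommended after decryption.
    foreach ($payload in $Payloads) {
        if (Test-Path -LiteralPath $payload) {
            $dest = Join-Path $Quarantine ((Split-Path $payload -Leaf) + '.quarantine')
            if ($PSCmdlet.ShouldProcess($payload, "Move to $dest")) {
                New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
                Move-Item -LiteralPath $payload -Destination $dest -Force
            }
        }
    }
}

Disable-CryptoHitman -WhatIf   # preview every action first
# Disable-CryptoHitman         # then run it for real, and only then reboot
```

Run the decryptor and the antivirus scan after this script, not before: until the process is stopped and its autostart removed, every hour that passes, and any reboot, costs more files.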
