Jigsaw ransomware takes a .PORNO twist and a new name

Fortunately, it’s still possible to decrypt your files.

The developers of Jigsaw ransomware have renamed their malicious creation, given it a new file extension, and outfitted it with a new lock screen.

Jigsaw, rebranded as "CryptoHitman," now appends the extension .PORNO to every file it encrypts.

This is no coincidence. The ransomware's new lock screen not only incorporates an image of Agent 47, the main protagonist of the Hitman video game series, but also displays a series of pornographic images on the victim's computer.

A blurred out image of CryptoHitman's lock screen. Source: BleepingComputer

CryptoHitman also asks that victims send their ransom payment to "cryptohitman@yandex.com."

Other than those modest alterations, however, CryptoHitman is an exact copy of Jigsaw ransomware. As explained by Lawrence Abrams of Bleeping Computer:

"The only major differences are the new pornographic locker screen, the use of the Hitman character, the new .porno extension that is added to all encrypted files, and new filenames for the ransomware executables. Otherwise, this ransomware performs the same as the original Jigsaw Ransomware."

That means CryptoHitman still deletes hundreds, if not thousands, of a victim's files for every reboot of the computer and for every hour the victim does not pay the USD $150 ransom fee.

Ransom demand

That's the bad news. The good news is that Michael Gillespie, a security researcher and member of MalwareHunterTeam, has updated the Jigsaw ransomware decryptor so that it now decrypts files affected by CryptoHitman.

To use the decryptor, you first need to terminate %LocalAppData%\Suerdf\suerdf.exe and %AppData%\Mogfh\mogfh.exe in Task Manager and then use MSConfig to disable the startup entry related to those processes. Doing so will stop the ransomware and prevent it from deleting any more of your files.

Once that's done, download Gillespie's decryption utility here and select the directory you would like the tool to decrypt, or your entire hard drive if you prefer. The utility will then decrypt all of your selected files.
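For readers who would rather script the clean-up steps above than click through Task Manager and MSConfig, here is an added PowerShell example. It is not code from the article, from Bleeping Computer or from Gillespie's decryptor; it only stops processes running from the two paths the article names, reports autostart entries that point at them, and counts files carrying the .PORNO extension so you know what the decryptor will have to process. It assumes the startup entry lives in the Run registry keys that MSConfig's Startup tab displays (the article does not give the entry's name, so entries are matched by path), and that you run it from an elevated prompt on the affected machine.

```powershell
# Added example, not from the article: stop the CryptoHitman processes named in the
# write-up and surface their autostart entries before running the decryptor.
# Assumption: the startup entry is stored in a Run key (what MSConfig's Startup tab shows).

# Executable paths given in the article, expanded from the environment variables.
$targets = @(
    (Join-Path $env:LOCALAPPDATA 'Suerdf\suerdf.exe'),
    (Join-Path $env:APPDATA      'Mogfh\mogfh.exe')
)

# 1. Terminate running copies, matched by full executable path rather than by name,
#    so an unrelated process that happens to share a name is left alone.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $path = $null
    try { $path = $proc.Path } catch { }    # protected/system processes deny access; skip them
    if ($path -and ($targets -contains $path)) {
        Write-Host "Stopping PID $($proc.Id): $path"
        Stop-Process -Id $proc.Id -Force
    }
}

# 2. Report autostart entries that reference either executable. They are listed, not
#    deleted, so you can confirm each one before disabling it in MSConfig or removing it.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }  # skip the provider's own PSPath/PSParentPath metadata
        $value = [string]$props.$name
        foreach ($target in $targets) {
            if ($value -like "*$target*") {
                Write-Host "Startup entry '$name' in $key -> $value"
            }
        }
    }
}

# 3. Count encrypted files (the .PORNO extension the article describes) under the profile.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Filter '*.PORNO' `
    -ErrorAction SilentlyContinue
Write-Host "Files with the .PORNO extension under $($env:USERPROFILE): $($encrypted.Count)"
```

Run this before the decryptor, not after: the point of step 1 is that no copy of the ransomware is still running when the hourly deletion timer would next fire. If step 2 prints nothing, the autostart may be registered somewhere other than the Run keys, in which case fall back to MSConfig as the article describes.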

Your files will be restored to their decrypted state, but that doesn't mean they're necessarily free of infection. With that in mind, make sure you have an anti-virus solution on your computer and use it to scan your files for any remaining infections.

You just removed CryptoHitman from your computer; you don't want any other uninvited malicious software hanging around for the after-party.

As for ordinary users who haven't been infected by CryptoHitman, watch out for suspicious links, keep your software patched, and securely back up your data just in case.
