Jigsaw Ransomware Rebranded as CryptoHitman; Decryptor Available
Posted by: Timothy Weaver on 05/18/2016 08:59 AM
The Jigsaw ransomware has taken on a new name and a new twist to its encryption extension.
It is now called "CryptoHitman" and appends the extension ".porno" to the encrypted files. It displays an image of Agent 47 along with porno pictures.
It gives instructions to purchase bitcoins and send the money to "cryptohitman@yandex.com."
Lawrence Abrams of Bleeping Computer explains how it is just Jigsaw rebranded:
"The only major differences is the new pornographic locker screen, the use of the Hitman character, the new .porno extension that is added to all encrypted files, and new filenames for the ransomware executables. Otherwise, this ransomware performs the same as the original Jigsaw Ransomware."
It still acts like Jigsaw as it encrypts hundreds of user files and demands a $150 ransom. But there are ways to thwart the ransomware. Michael Gillespie, a security researcher and member of MalwareHunterTeam, has updated the decryptor.
First, use Task Manager to end the processes for these files: "%LocalAppData%\Suerdf\suerdf.exe" and "%AppData%\Mogfh\mogfh.exe". Then start MSConfig and disable the startup programs related to those files.
You can download Gillespie's decryptor here.
Once you have your files back, go the extra mile and scan your system with your AV software.
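The manual checks above can be confirmed with a read-only triage script. This is an added example, not part of the original post or of Gillespie's decryptor; it only reports and changes nothing. It assumes the startup entries live in the standard Run registry keys, which the article does not state, and that the scan starts at the current user's profile.

```powershell
# Read-only triage for the CryptoHitman indicators named in the article.
# The two executable paths and the .porno extension come from the article;
# the Run-key locations and the scan root are assumptions of this example.
$targets = @(
    (Join-Path $env:LOCALAPPDATA 'Suerdf\suerdf.exe'),
    (Join-Path $env:APPDATA 'Mogfh\mogfh.exe')
)

# 1. Executables present on disk.
$onDisk = @($targets | Where-Object { Test-Path -LiteralPath $_ })

# 2. Running processes whose image path is one of the two executables
#    (-contains compares case-insensitively).
$procs = @(Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and ($targets -contains $_.ExecutablePath) } |
    Select-Object ProcessId, ExecutablePath)

# 3. Startup entries in the per-user and machine Run keys that point at them.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$startup = foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($prop in $item.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }  # registry provider metadata
        $value = [string]$prop.Value
        foreach ($t in $targets) {
            if ($value.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $value }
            }
        }
    }
}

# 4. Files carrying the .porno extension under the user profile.
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.porno' `
    -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ExecutablesOnDisk  = $onDisk
    RunningProcesses   = $procs
    StartupEntries     = @($startup)
    EncryptedFileCount = $encrypted.Count
} | Format-List
```

Empty results for the first three fields after the Task Manager and MSConfig steps indicate the executables are no longer running or set to start at logon, which is the state to reach before running the decryptor.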
Source: GrahamCluley