
  • ExTS Admin
Posted

The notorious Jigsaw Ransomware has rebranded itself as CryptoHitman and now uses the character from the popular Hitman video games and movies.

In addition to adding the Hitman character to its locker screen, CryptoHitman also covers the lock screen with ****ographic images that are definitely not safe for work.

 

http://img.photobucket.com/albums/v708/starbuck50/hitman-ransomware-locker-blurred.png_zpsvou9dbfo.jpg

Blurred out Hitman Ransomware Locker Screen

 

Like the previous Jigsaw ransomware infections, CryptoHitman will encrypt your data with AES encryption and demand a ransom payment before it will decrypt your files.

In order to pay this ransom you will be required to send payment to cryptohitman@yandex.com.

 

Unfortunately, this version will still delete your files every time you restart the process and when the timer runs down to zero.

 

The only major differences are the new ****ographic locker screen, the use of the Hitman character, the new .****o extension that is added to all encrypted files, and new filenames for the ransomware executables.

Otherwise, this ransomware performs the same as the original Jigsaw Ransomware.

 

A big thanks to Fletch Sec for sharing the sample!

Last, but not least, the owners of the Hitman franchise are not affiliated with this ransomware at all!

 

How to decrypt and remove the Jigsaw Ransomware

 

Thankfully, DemonSlay335 was able to modify his existing Jigsaw Ransomware decryptor to also decrypt files encrypted by CryptoHitman.

To decrypt your files, the first thing that you should do is terminate the %LocalAppData%\Suerdf\suerdf.exe and %AppData%\Mogfh\mogfh.exe processes in Task Manager to prevent any further files from being deleted.

You should then run MSConfig and disable the startup entry related to these executables.

 

Once you have terminated the ransomware and disabled its startup, let's proceed with decrypting the files.

The first step is to download and extract the Jigsaw Decryptor from the following URL:

 

https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip

 

Then double-click on the JigSawDecrypter.exe file to launch the program.

When the program launches you will be greeted with a screen similar to the one below.

 

http://img.photobucket.com/albums/v708/starbuck50/jigsaw-decrypter_zps0vruv3sz.png

 

To decrypt your files simply select the directory and click on the Decrypt My Files button.

If you wish to decrypt the whole drive, then you can select the C: drive itself.

It is advised that you do not put a checkmark in the Delete Encrypted Files option until you have confirmed that the tool can properly decrypt your files.

 

When it has finished decrypting your files, the screen will appear as below.

 

http://img.photobucket.com/albums/v708/starbuck50/jigsaw-decryption-finished_zps0eivtajb.png

 

Now that your files are decrypted, I suggest that you run an antivirus or anti-malware program to scan your computer for infections.

 

 

 

Source & Credit:

Lawrence Abrams

http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-becomes-cryptohitman-with-****o-extension/

Member of:

UNITE
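The "terminate the processes, then disable their startup entries" step above, scripted as an added example (this is not code from the original post or from BleepingComputer). It uses the two executable paths named in the post; the assumption that the startup entries live in the Run registry keys (what MSConfig's Startup tab lists) is mine.

```powershell
# Added example, not part of the original post: stop the CryptoHitman processes named
# above and disable autorun entries that point at them. Assumption: persistence is a
# Run-key value (the entries MSConfig shows). Run from an elevated PowerShell session.

$suspectPaths = @(
    (Join-Path $env:LOCALAPPDATA 'Suerdf\suerdf.exe'),   # %LocalAppData%\Suerdf\suerdf.exe
    (Join-Path $env:APPDATA     'Mogfh\mogfh.exe')       # %AppData%\Mogfh\mogfh.exe
)

# 1. Terminate running copies, matched on the full executable path rather than the
#    image name, so a legitimate process with a similar name is not touched.
$running = Get-CimInstance Win32_Process | Where-Object {
    $_.ExecutablePath -and ($suspectPaths -contains $_.ExecutablePath)
}
foreach ($p in $running) {
    Write-Host "Stopping PID $($p.ProcessId): $($p.ExecutablePath)"
    Stop-Process -Id $p.ProcessId -Force
}

# 2. Find Run-key values referencing those paths and remove them (the equivalent of
#    unchecking the entry in MSConfig), so the ransomware does not relaunch on reboot.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    foreach ($name in $names) {
        $value = [string]$props.$name
        foreach ($path in $suspectPaths) {
            if ($value -like "*$path*") {
                Write-Host "Disabling autorun '$name' in $key -> $value"
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

# 3. Leave the encrypted files in place: the decryptor linked above needs them as input,
#    and the post advises against the "Delete Encrypted Files" option until decryption is verified.
```

Run it before launching JigSawDecrypter.exe; the Write-Host lines give you a record of what was stopped and which autorun values were removed.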
