Jigsaw ransomware takes a .PORNO twist and a new name

Fortunately, it’s still possible to decrypt your files.

David Bisson (@DMBisson)


The developers of Jigsaw ransomware have renamed their malicious creation, given it a new file extension, and outfitted it with a new lock screen.

Jigsaw, rebranded with the name “CryptoHitman,” now appends the extension .PORNO to every file it encrypts.

This is no coincidence. The ransomware’s new lock screen not only incorporates an image of Agent 47, the main protagonist in the Hitman video game series, but it also displays a series of pornographic images on the victim’s computer.

A blurred out image of CryptoHitman’s lock screen. Source: BleepingComputer

CryptoHitman also asks that victims send their ransom payment to “[email protected].”

Other than those modest alterations, however, CryptoHitman is an exact copy of Jigsaw ransomware. As explained by Lawrence Abrams of Bleeping Computer:

“The only major differences are the new pornographic locker screen, the use of the Hitman character, the new .porno extension that is added to all encrypted files, and new filenames for the ransomware executables. Otherwise, this ransomware performs the same as the original Jigsaw Ransomware.”

That means CryptoHitman still deletes hundreds if not thousands of a victim’s files for every reboot of the computer and for every hour the victim does not pay the USD$150 ransom fee.


That’s the bad news. The good news is that Michael Gillespie, a security researcher and member of MalwareHunterTeam, has updated the Jigsaw ransomware decryptor so that it now decrypts files affected by CryptoHitman.

To use the decryptor, you first need to terminate %LocalAppData%\Suerdf\suerdf.exe and %AppData%\Mogfh\mogfh.exe in Task Manager and then use MSConfig to disable the startup entry related to those processes. Doing so will terminate the ransomware and prevent it from deleting any more of your files.

Once that’s done, download Gillespie’s decryption utility here and select the directory you would like the tool to decrypt, or decrypt your entire hard drive if you prefer. The utility will then decrypt all of your selected files.
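The checks in the steps above can also be scripted. The following PowerShell triage is an added example, not part of the original article or of Gillespie's tool. It assumes the two executable paths read as `%LocalAppData%\Suerdf\suerdf.exe` and `%AppData%\Mogfh\mogfh.exe`; the `-ScanRoot` and `-Stop` parameters are names chosen for this example. It only reports unless `-Stop` is given.

```powershell
# Added triage example. Paths are the two named in the article, with
# the folder/file split assumed. Read-only unless -Stop is supplied.
param(
    [string]$ScanRoot = $env:USERPROFILE,  # where to look for .porno files
    [switch]$Stop                          # also terminate matching processes
)

$targets = @(
    (Join-Path $env:LOCALAPPDATA 'Suerdf\suerdf.exe'),
    (Join-Path $env:APPDATA 'Mogfh\mogfh.exe')
)

# 1. Running processes whose image path is one of the two executables.
#    (-contains compares strings case-insensitively.)
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and ($targets -contains $_.ExecutablePath) }
foreach ($p in $procs) {
    Write-Output ("RUNNING   pid={0} {1}" -f $p.ProcessId, $p.ExecutablePath)
    if ($Stop) { Stop-Process -Id $p.ProcessId -Force }
}

# 2. Startup entries (the list MSConfig shows) that reference either path.
$startup = Get-CimInstance Win32_StartupCommand | Where-Object {
    $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.Command)
    @($targets | Where-Object {
        $cmd.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }).Count -gt 0
}
foreach ($s in $startup) {
    Write-Output ("STARTUP   {0} -> {1} [{2}]" -f $s.Name, $s.Command, $s.Location)
}

# 3. Inventory of files carrying the .porno extension, grouped by folder,
#    to decide which directory to point the decryptor at.
$locked = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force `
        -Filter '*.porno' -ErrorAction SilentlyContinue)
Write-Output ("ENCRYPTED {0} file(s) ending in .porno under {1}" -f $locked.Count, $ScanRoot)
$locked | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Any entry printed as `STARTUP` is the one to disable in MSConfig before rebooting.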

Your files will be restored to their decrypted state, but that doesn’t mean they’re necessarily free of infection. With that in mind, make sure you have an anti-virus solution on your computer and use it to scan your files for infections.

You just removed CryptoHitman from your computer; you don’t want any other uninvited malicious software hanging around for the after-party.

As for ordinary users who haven’t been infected by CryptoHitman, watch out for suspicious links, keep yourself patched and securely back up your data just in case.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
