The notorious Jigsaw Ransomware has rebranded itself as CryptoHitman and now uses the character from the popular Hitman video games and movies. In addition to adding the Hitman character to its locker screen, CryptoHitman also covers the lock screen with pornographic images that are definitely not safe for work.

Like the previous Jigsaw ransomware infections, CryptoHitman will encrypt your data with AES encryption and demand a ransom payment before it will decrypt your files. In order to pay this ransom you will be required to send payment to cryptohitman@yandex.com.
Unfortunately, this version will still delete your files every time you restart the process and when the timer runs down to zero.
The only major differences are the new pornographic locker screen, the use of the Hitman character, the new .porno or .pornoransom extension that is added to all encrypted files, and new filenames for the ransomware executables. Otherwise, this ransomware performs the same as the original Jigsaw Ransomware.
A big thanks to Fletch Sec for sharing the sample! Last, but not least, the owners of the Hitman franchise are not affiliated with this ransomware at all!
How to decrypt and remove the Jigsaw Ransomware
Thankfully, DemonSlay335 was able to modify his existing Jigsaw Ransomware decryptor to also decrypt files encrypted by CryptoHitman. To decrypt your files, the first thing that you should do is terminate the %LocalAppData%\Suerdf\suerdf.exe and %AppData%\Mogfh\mogfh.exe processes in Task Manager to prevent any further files from being deleted. You should then run MSConfig and disable the startup entry related to these executables.
Once you have terminated the ransomware and disabled its startup, let's proceed with decrypting the files. The first step is to download and extract the Jigsaw Decryptor from the following URL:
https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip
Then double-click on the JigSawDecrypter.exe file to launch the program. When the program launches you will be greeted with a screen similar to the one below.

To decrypt your files simply select the directory and click on the Decrypt My Files button. If you wish to decrypt the whole drive, then you can select the C: drive itself. It is advised that you do not put a checkmark in the Delete Encrypted Files option until you have confirmed that the tool can properly decrypt your files.
When it has finished decrypting your files, the screen will appear as below.

Now that your files are decrypted, I suggest that you run an antivirus or anti-malware program to scan your computer for infections. If you need help decrypting CryptoHitman files, you can ask for help in this support topic: CryptoHitman Ransomware Support and Help Topic (.Porno Extension Jigsaw variant).
Updates:
5/17/16 - CryptoHitman was updated to use the .pornoransom extension.
Files associated with CryptoHitman:
%LocalAppData%\Suerdf\
%LocalAppData%\Suerdf\suerdf.exe
%AppData%\Mogfh\
%AppData%\Mogfh\mogfh.exe
%AppData%\System32Work\
%AppData%\System32Work\Address.txt
%AppData%\System32Work\dr
%AppData%\System32Work\EncryptedFileList.txt
Registry entries associated with CryptoHitman:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mogfh.exe %AppData%\Mogfh\mogfh.exe
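The file, process and registry indicators above can be checked from PowerShell before the decrypter is run. The script below is an added example, not part of the original article or of the decrypter; the parameter names -Contain and -ScanRoot are hypothetical, and it reads the registry line above as a Run value named mogfh.exe.

```powershell
# Added example: triage for the CryptoHitman indicators listed in this article.
# Read-only by default. -Contain stops the two processes and removes the Run value.
# -ScanRoot counts files carrying the .porno / .pornoransom extensions under a path.
param(
    [switch]$Contain,    # hypothetical parameter name
    [string]$ScanRoot    # hypothetical parameter name, e.g. a mounted drive letter
)

$exePaths = @(
    (Join-Path $env:LOCALAPPDATA 'Suerdf\suerdf.exe'),
    (Join-Path $env:APPDATA 'Mogfh\mogfh.exe')
)
$workDir = Join-Path $env:APPDATA 'System32Work'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'mogfh.exe'   # assumption: value name taken from the registry line above

# 1. Running processes whose image path matches one of the listed executables.
$procs = @(Get-Process -Name 'suerdf', 'mogfh' -ErrorAction SilentlyContinue |
    Where-Object { $exePaths -contains $_.Path })

# 2. Executables and the working folder, if present on disk.
$dropped = @(($exePaths + $workDir) | Where-Object { Test-Path -LiteralPath $_ })

# 3. Startup value under the current user's Run key.
$runValue = (Get-ItemProperty -Path $runKey -Name $runName `
    -ErrorAction SilentlyContinue).$runName

# 4. Optional: count encrypted files under a chosen root.
$encrypted = @()
if ($ScanRoot) {
    $encrypted = @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -File `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.porno', '.pornoransom' })
}

[pscustomobject]@{
    RunningProcesses = @($procs | ForEach-Object { "$($_.Id) $($_.Path)" })
    DroppedItems     = $dropped
    RunValue         = $runValue
    EncryptedFiles   = $encrypted.Count
} | Format-List

if ($Contain) {
    # Stop the processes first so no further files are deleted, then remove autostart.
    $procs | Stop-Process -Force
    if ($null -ne $runValue) { Remove-ItemProperty -Path $runKey -Name $runName }
}
```

Run it as the affected user, since every path and the Run key are per-user. With -Contain the startup value is deleted rather than disabled as MSConfig would do, so note the printed RunValue first if a record is needed.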
Comments
ScathEnfys - 7 years ago
Thank goodness they didn't fix the flaw... As a note, you're going to want to change the desktop background too after removing the RW ^_^
The style of this new variant continues the "joke" trend of the original IMO. Whoever is making this RW seems to have a sick sense of humor.
Demonslay335 - 7 years ago
The BTC address unfortunately had 4 transactions (plus immediate withdrawals) when I looked. The one victim I encountered had already restored from backups, so no foul for them, just gave us a heads-up which started the hunt. :)
Demonslay335 - 7 years ago
New variant with extension ".pornoransom". Decrypter has been updated.
Lawrence Abrams - 7 years ago
Thanks... added it to the new article.
OrlandoFoodScene - 7 years ago
Is there any reason not to remove the hard drive from the computer and run this decrypt on another system via an external USB connected adapter?
I have a client's laptop with the .pornoransom, and I would hate to have the ransomware delete more files simply to boot it up.
The system I would be using to do the decrypting is a standalone box and isn't used for anything special (not that I would be worried of something jumping from the laptop HD to it). Thank you for your AMAZING work!
Demonslay335 - 7 years ago
The decrypter can be run from another system without any problems. Nothing on the original system is used to decrypt.
OrlandoFoodScene - 7 years ago
Thanks for the quick reply! I'm sure my client will be happy to hear that :).
Any chance you want to add that to the information above? Just in case someone thinks that you have to boot the system to get the data, which would potentially risk having a random assortment of files deleted that you could recover by removing the drive and doing it externally.
Again, you guys are f-ing heroes!