CryptoHitman Ransomware Removal Guide

Do you know what CryptoHitman Ransomware is?

CryptoHitman Ransomware is the newest variant of the malicious Jigsaw Ransomware. This clandestine threat is extremely aggressive because unlike other infamous threats of its kind, such as Mobef Ransomware or Salam Ransomware, it does not give the user much time to make any decisions or look for ways to evade this threat. Most ransomware infections analyzed in our internal lab provide 24-72 hour period in which the victim can pay a ransom to retrieve the encrypted files. Well, in this case, the infection only gives an hour to pay the ransom, and if the demand is not met, files are deleted. The good news is that this threat does not erase all files at once. Instead, it selects several random files and erases them every hour until the payment is made. Some users think that they can solve all problems by removing CryptoHitman Ransomware. If you get rid of this threat, it will no longer erase files; however, they will remain encrypted.

The distribution of CryptoHitman Ransomware is not very surprising, as it uses the same method most ransomware infections use, which is spam email scams. The creator of this infection is most likely to disguise the installer of this threat as a photo, a document, or another file that would not raise suspicion. Computer users are usually careful about links, but they are still sometimes careless with files, especially when they are introduced to them via emails addressed to them personally and emails containing seemingly legitimate information. If you open this seemingly harmless file, the ransomware is immediately executed, malicious components are created, and the file encryption begins. Some of the file types that CryptoHitman Ransomware was seen encrypting include .avi, .bmp, .mov, .txt, .wma, .wmv, .dat, .docx, .flv, and .java. These files are encrypted with AES encryption, and, after the process, they gain the .porno extension (e.g., According to our research, this malicious ransomware can encrypt files in all directories, including ProgramFiles, Windows, and Temp, which is not very common for ransomware either.CryptoHitman Ransomware Removal GuideCryptoHitman Ransomware screenshot
Scroll down for full removal instructions

Once the files are encrypted, a notification pop-ups explaining what the user is required to do in order to retrieve the files encrypted. Here is an excerpt from this notification.

Your files have been encrypted. We will delete files every hour.
Ransom / Ransompensa ID: [id number]
You must pay $150 USD in Bitcoins to the address specified below.
Depending on the amount of files you have your Ransom can double to $300
If you dont pay within 36 hours.

The notification also includes an address that you are required to pay the ransom. An email address ( is also provided to make it easier for you to contact the developers of the malicious threat in case you have any questions. The most disturbing part of this screen-size notification is the pornographic images that are shown – along with the image of the main character from the Hitman game – for no apparent reason. This is the only link to the “.porno” extension that is attached to the files encrypted. Of course, once you get over that, you are shocked again with the ransom that, according to the notification, might go up to $300, and this is a huge sum, especially since there is a risk of losing it for nothing in return. Are you sure that cyber criminals will decrypt your files if you pay the ransom? Well, they are not known for their conscience, and it is possible that they will be done with you the moment you make the payment.

You will not get your files decrypted by removing CryptoHitman Ransomware, but you must eliminate this infection if you want to stop the removal of your files. You can get rid of this threat without any worry if your files are backed up, and you can easily transfer them onto your PC or access them once you erase the ransomware. If you are stuck, you should try researching decryption tools that might help you decrypt them without having to deal with cyber criminals or pay them any money. The instructions are fairly simple, and it is unlikely that you will have any trouble following them. If you do, start a discussion below. Also, do not forget to implement reliable anti-malware/security software afterward to defend your PC from malware in the future.

Delete CryptoHitman Ransomware from Windows

  1. Tap Win+R keys (simultaneously) to launch RUN.
  2. Type regedit.exe and click OK to access Registry Editor.
  3. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  4. Right-click the value called mogfh.exe and select Delete.
  5. Tap Win+E keys (simultaneously) to launch Explorer.
  6. Enter %LOCALAPPDATA% into the address bar (or %UserProfile%\Local Settings\Application Data\).
  7. Right-click the Suerdf folder and select Delete.
  8. Enter %APPDATA% into the address bar.
  9. Right-click the Mogfh folder and select Delete.
  10. Move to the System32Work folder and Delete these files: dr, Address.txt , EncryptedFileList.txt.

In non-techie terms:

CryptoHitman Ransomware is an infection, and it deserves removal. The problem is that most of its victims will postpone the removal process because of the encrypted files. Well, the longer you wait deciding what you want to do (pay the ransom, use third-party decryptions tools, or lose the files), this ransomware will aggressively erase the files every hour you spend thinking. Hopefully, at the end of it all, you will not need to follow the demands of cyber criminals, and you will find a way to decrypt your personal files without getting involved with crooks. If you want to ask us anything, start a discussion below.