How to Recover CryptoHitman Ransomware Files

How to Recover CryptoHitman Ransomware Files

Remove CryptoHitman Ransomware

CryptoHitman Ransomware Description and Removal Instructions:

Malware Category: Ransomware

CryptoHitman Ransomware is a rebranded version of the Jigsaw Crypto-Ransomware virus. CryptoHitman Ransomware targets PCs running Windows OS and covers your dekstop with porn pictures. Every file that has been encrypted will have its extension changed to: .porno or .pornoransom. If you restart the computer or kill the infection`s process, it will delete files from your PC. Fortunately, there is a way of decrypting the files encrypted by CryptoHitman Ransomware.

When running, CryptoHitman Ransomware will start encrypting certain types of files stored on local or mounted network drives using a AES cryptography, with the private key stored only on a control server.

CryptoHitman Ransomware will create help_your_files.html and put a shortcut to it in every folder where a file was encrypted. Those files contain instructions explaining how to pay the ransom. CryptoHitman Ransomware creates the following registry key: HKCU\Software\<unique ID>\. There it stores the configuration information. Also, the encrypted files list is being stored in this registry key: HKCU\Software\<unique ID>\PROTECTED. Also, the encrypted files list is being stored in: %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. For the victims to pay the ransom, the virus requests them to send the payment to the following address: cryptohitman@yandex.com. When CryptoHitman Ransomware is initiated on the computer, it will inject deep into the system infecting Explorer.exe and svchost.exe, modify the registry to start with Windows, and disable the Automatic Repair feature. Once active, it will start the processes of encrypting files. These types of ransomware are very hard to detect. Nevertheless, the virus will show its presence after the encryption finishes.

CryptoHitman Ransomware will not just encrypt files and block your computer, it will also collect valuable information that will be sent to the control server. Such software could lead to more malware coming into your computer and even cause a loss of data. Such threats are not to be underestimated!

If you are infected, we at SpywareTechs.com recommend you to download SpyHunter Malware Security Suite in order to remove the infection automatically:



Once you get rid of CryptoHitman Ransomware (see how to remove CryptoHitman Ransomware in our article), you can try to recover your files using the methods below:

How to Recover Files Encrypted by CryptoHitman Ransomware:

You can try to recover your files from a system backup. If there is no backup available, one can try to restore the files using the Shadow Copy Service. Windows XP Service Pack 2 and future versions have an integrated feature called Shadow Copy Service which will automatically create backup copies of your files. This method is not bullet-proof, as CryptoHitman Ransomware may delete the shadow copies.

1. How to Restore Files Using the Shadow Copy Service:

Method 1. Using Windows Previous Version tab:

*The Windows System Protection service must`ve been enabled before the infection, otherwise it will not work.

  1. Right-click on the encrypted file, select Properties from the menu.
  2. Click on “Previous Version” tab (If missing, this means that Windows System Protection has not been enabled).
  3. Choose a previous version copy and click on the Copy button. Select a directory you wish to recover the file to, or you can try to restore the selected file, directly, by hitting the Restore button.

The method could be used to recover an entire folder. Just right-click on the highlighted folder and select Properties, and then Previous Version tab.

Method 2. Using Shadow Explorer:

Using Shadow Explorer to restore whole folders. You can download the program from the link below:


Download and run the program. A list of available drives will show up on the left side. Beside it, you will see available dates for created shadow copies. One could select the drive and the date to restore to.


2. How to Recover Files Encrypted by CryptoHitman Ransomware using DemonSlay335`s Decryption Tool:

DemonSlay335 from Bleeping Computer has modified his Jigsaw Ransomware Decrypter tool to work with this virus. Please note that some files may fail to be decrypted.

CryptoHitman Ransomware Decryption Tool

*Before proceeding with the steps below, please open Task Manager and kill the processes: %LocalAppData%\Suerdf\suerdf.exe and %AppData%\Mogfh\mogfh.exe. From MSConfig turn off the startup entry related to the aforementioned files.

1. Download JigSawDecrypter.zip from the following link and save it on your desktop:


2. Once you`ve downloaded it, extract the archive and double-click on the JigSawDecrypter.exe to run it.

3. Click on “Select Directory” to select the path.

4. Click on “Decrypt My Files” button to start the decryption. When the process finishes, a message in green “Files Decrypted!” will appear.


Nevertheless, if you want to be protected from CryptoHitman Ransomware, get SpyHunter!


John Moore

Owner of SpywareTechs.com. I specialize in malware and spyware removal. Researching new malware threats that emerge on the internet. Computers are my hobby since...well more than 10 years. I posses strong knowledge of computer internals and operating systems. However, I use my skills to join the everyday fight against malware and spyware. Follow me on Google+ to stay updated on how to remove the newest infections.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.