Jigsaw Ransomware: Pay or Say Goodbye to Files Hourly


A new ransomware has surfaced. Known as Jigsaw Ransomware, it is named after the iconic character that appears in its ransom note. Jigsaw encrypts the victim's files and demands a ransom of 150 USD worth of Bitcoin (about 0.4 BTC at the time). If the victim is slow to pay, Jigsaw deletes files every hour, in growing numbers. A good vulnerability management tool helps reduce exposure to attacks like this.

Originally labeled BitcoinBlackmailer.exe, Jigsaw was built on March 23rd (2016) and released about a week later. It is distributed via spam emails with malicious attachments, via porn sites, and bundled with potentially unwanted programs (PUPs) and adware. Once a victim is infected, Jigsaw encrypts the user's files, appending the .fun, .btc, .gws or .kkk extension, and deletes the originals. To blend in, it impersonates Mozilla Firefox and Dropbox by running under the process names firefox.exe and drpbx.exe. The user is greeted with an image of Billy the Puppet and a ransom note. The ransomware also edits the Windows registry, adding a start-up entry that relaunches the bogus firefox.exe whenever the victim restarts the system. A ransom in virtual currency is then demanded to get the files back. A vulnerability management system helps reduce the exposure that lets such infections happen in the first place.

Jigsaw threatens its victims with a countdown. The face of Billy the Puppet, from the horror film Saw, is shown while victims are informed, in English or Portuguese, that files are selected for deletion every hour for as long as the payment is outstanding.

jigsaw-ransomware-2

(Source: BleepingComputer.com)

The warning in the image says that only a few files will be deleted during the first 24 hours, after which increasing numbers of files are removed every day while the payment is outstanding. As a punishment, Jigsaw threatens to delete 1,000 files if the victim restarts or shuts down the system. After 72 hours, the ransomware is programmed to erase all remaining files on the system.

The warning messages:

Your computer files have been encrypted. Your photos, videos, documents, etc….
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.

If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payment your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypted files will be returned to normal.
Thank you

and

I want to play a game with you. Let me explain the rules:
All your files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.

Every hour I select some of them to delete permanently,
therefore I won’t be able to access them, either.
Are you familiar with the concept of exponential growth? Let me help you out.
It starts out slowly then increases rapidly.
During the first 24 hour you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.

If you turn off your computer or try to close me, when I start next time
you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that
is capable to decrypt your personal data for you.

 Now, let’s start and enjoy our little game together!  

and one in Portuguese (translated into English here):

I want to play a game. Let me explain the rules:
All your files will be deleted. Photos, videos, documents, etc.
But don't worry! It will only happen if you don't cooperate.
However, I have already encrypted your files, so you can no longer access them.
Every hour I select some of them to be permanently deleted,
Do you know the concept of exponential growth? It works like this:
It starts slowly and speeds up quickly
In the first 24h you will only lose a few files
On the second day, a few hundred, on the third, thousands, and so on
If you turn off your computer or try to close me
1,000 (ONE THOUSAND) files will be deleted as punishment
And you will want me to stay here,
since I am the only one who can give your files back
Now, let's play!
Send 50 dollars (approximately R$200) in bitcoins to the address below
(If you don't know how to buy and send bitcoins, search on Google. It's easy)

(Source: MalwareHunterTeam)

Once the ransom has been paid, the victim can click the "check payment" button. The ransomware then queries http://btc.blockr.io to verify that the payment arrived at the assigned Bitcoin address, and starts decrypting the files once the balance at that address reaches the demanded amount.

However, the ransomware is written in .NET, which is easy to decompile. That is what allowed researchers to recover its encryption logic and build a free decrypter, so there is no need to pay.

How to decrypt the Jigsaw ransomware for free and without losing files

If Jigsaw ransomware has infected a system, follow these steps (do not reboot first: the malware relaunches at start-up and punishes a restart by deleting files):

  • Immediately open Task Manager in Windows.
  • Terminate the processes impersonating Firefox (firefox.exe) and Dropbox (drpbx.exe), then open MSConfig via the Run dialog in the Start menu.
  • Disable the start-up entry named firefox.exe that points to %UserProfile%\AppData\Roaming\Frfx\firefox.exe.
  • Once the ransomware has been terminated and its start-up entry disabled, decrypt the files with the Jigsaw Decrypter.
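The manual steps above can be scripted so that the impostor processes are stopped and the persistence removed before anything is rebooted, and so the encrypted files are inventoried ahead of decryption. The PowerShell script below is an added example written for this page; it is not code from the original post or from SecPod. It assumes the indicator locations reported for this sample family: the firefox.exe copy under %AppData%\Frfx (given above), a drpbx.exe copy under %LocalAppData%\Drpbx, and a value in the HKCU or HKLM Run key pointing at either binary (the post only says "a start-up entry"). Adjust those paths if a variant differs.

```powershell
# Contain-Jigsaw.ps1: added triage/containment example (not the original
# post's code). Run from an elevated PowerShell session; use -WhatIf first
# to preview every action without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Folders to scan for encrypted files (assumption: user profile only).
    [string[]]$ScanRoots = @("$env:USERPROFILE")
)

# Process names the malware hides behind, and the drop paths reported for
# this family (the Drpbx path is an assumption, not stated in the post).
$SuspectProcesses   = @('firefox', 'drpbx')
$SuspectPaths       = @(
    (Join-Path $env:APPDATA      'Frfx\firefox.exe'),
    (Join-Path $env:LOCALAPPDATA 'Drpbx\drpbx.exe')
)
$EncryptedExtensions = @('.fun', '.btc', '.kkk', '.gws')

# 1. Kill the impostor processes. A genuine Firefox runs from Program Files,
#    so only instances whose image lives inside the user's AppData are stopped.
Get-Process -Name $SuspectProcesses -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$env:USERPROFILE\AppData\*" } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Name) (PID $($_.Id)) at $($_.Path)", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# 2. Remove the Run-key value that relaunches the payload at logon
#    (assumption: the entry lives in one of the two standard Run keys).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        $value = [string]$props.$name
        if ($value -match '\\(Frfx\\firefox|Drpbx\\drpbx)\.exe') {
            if ($PSCmdlet.ShouldProcess("$key\$name = $value", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

# 3. Quarantine the dropped binaries by renaming them, so a sample is kept
#    for analysis and the file can no longer execute by its expected name.
foreach ($p in $SuspectPaths) {
    if (Test-Path $p) {
        if ($PSCmdlet.ShouldProcess($p, 'Rename to .quarantine')) {
            Rename-Item -Path $p -NewName ((Split-Path $p -Leaf) + '.quarantine')
        }
    }
}

# 4. Inventory encrypted files (by the extensions the post lists) so the scope
#    is known and the decrypter can be pointed at them.
$encrypted = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $EncryptedExtensions -contains $_.Extension.ToLower() }
}
if ($encrypted) {
    $encrypted | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -Path (Join-Path $env:USERPROFILE 'jigsaw-encrypted-files.csv') -NoTypeInformation
}
"Encrypted files found: $(@($encrypted).Count)"
```

Save it as Contain-Jigsaw.ps1 and run `.\Contain-Jigsaw.ps1 -WhatIf` first; the `ShouldProcess` checks make every destructive step a no-op in that mode and print what would happen. Only after the processes are gone and the Run-key value removed is it safe to run the Jigsaw Decrypter or reboot.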

Though the infection rate is low, the damage Jigsaw can do once it runs is real. With threats and attacks growing every day, examples like this remind us of the importance of keeping our systems safe and secure.

Detect and Mitigate Threats with Saner

SecPod Saner is a platform that combines endpoint visibility, risk prevention, threat detection and response into one comprehensive solution. Saner detects risks, automatically hardens endpoints and provides continuous visibility and control over them. The Saner platform can detect Jigsaw and other ransomware and mitigate them proactively. Threats are detected in real time and managed. Combining risk prevention with threat management, Saner provides a comprehensive endpoint security and management solution.

– Rini Thomas