A new ransomware has risen. Known as Jigsaw Ransomware, it is named after the iconic character that appears in the ransomware note. Jigsaw ransomware will encrypt the files and ask victims to pay a ransom of 150 USD worth of Bitcoins or .4 BTC. If the victim takes a long time to pay the ransom, Jigsaw will start deleting files every hour.

Originally labeled as BitcoinBlackmailer.exe, Jigsaw ransomware was built on March 23rd and was released after a week. Jigsaw is distributed via spam emails with malicious attachments, porn sites and part of PUP (potentially unwanted program)/Adware. Once a victim gets infected with Jigsaw ransomware it will start encrypting all the user’s files into .fun, .BTC, .GWS or .KKK extensions and deletes the original files. Jigsaw ransomware pretends to be Mozilla Firefox Brower and Dropbox by using firefox.exe and drpbx.exe process names. The user is welcomed with Billy (the Puppet) image and a ransom note. The ransomware also edits the Windows registry. This adds a new admission that causes the bogus firefox.exe ransomware to launch if the victim tries to restart the system. To retrieve the content, a ransom fee in virtual currency is then demanded from the victims.

Jigsaw ransomware threatens users with a countdown. The face of the protagonist from the horror movie Saw, Billy the Puppet, is shown while victims are informed in English or Portuguese, that files are selected by the hour for deletion if the payment is not made.

jigsaw-ransomware-2

(Source: BleepingComputer.com)

The warning in the image says that only a few files will be deleted in the first 24 hours after which numerous files will be removed every day as long as the payment is delayed. As a punishment, Jigsaw threatens victims that 1000 files will be deleted if they attempt to restart or turn off the system. After 72 hours, the ransomware is programmed to erase all remaining files on the user’s system.

 

The warning messages:

Your computer files have been encrypted. Your photos, videos, documents, etc….
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.

 

If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payment your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypted files will be returned to normal.
Thank you

and

I want to play a game with you. Let me explain the rules:
All your files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.

 

Every hour I select some of them to delete permanently,
therefore I won’t be able to access them, either.
Are you familiar with the concept of exponential growth? Let me help you out.
It starts out slowly then increases rapidly.
During the first 24 hour you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.

 

If you turn off your computer or try to close me, when I start next time
you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that
is capable to decrypt your personal data for you.

 Now, let’s start and enjoy our little game together!  

and one in Portuguese:

Eu quero jogar um jogo. Deixe-me explicar as regras:
Todos os seus arquivos serao deletados. Fotos, vídeos, documentos, etc.
Mas nao se preocupe! Só vai acontecer se voce nao cooperar.
Porém, eu já encriptei seus arquivos, entao voce nao consegue mais acessá-los.
A cada hora eu seleciono algum deles para ser excluído permanentemente,
Voce conhece o conceito de crescimento exponencial? Funciona assim:
Começa devagar e acelera depressa
Nas primeiras 24h voce só perderá alguns arquivos
No segundo dia, algumas centenas, no teceiro, milhares, e assim vai
Se voce desligar seu computador ou tentar me fechar
1.000 (MIL) arquivos serao deletados como puniçao
E voce vai querer que eu continue aqui,
já que sou o único que pode devolver seus arquivos
Agora, vamos jogar!
Envie 50 dólares (aproximadamente R$200) em bitcoins para o endereço abaixo
(Se voce nao sabe comprar e enviar bitcoins, procure no Google. É fácil)

(Source: MalwareHunterTeam)

The victim can click on the check payment button once they make the ransom payment. The ransomware queries the http://btc.blockr.io site once the payment is made to verify if the payment has been made to the assigned bitcoin address. The files will be decrypted if the amount of bitcoins are more than the payment amount.

However, the code is written in .NET and thus is not very complicated.

 

How to decrypt the ransomware for free and without losing files

If a system has been infected by Jigsaw, follow the following steps:

  • Immediately open the Task Manager in Windows.
  • Terminate all the processes relating to Firefox (firefox.exe) and Dropbox (drpbx.exe)/ access MCSconfig via the Run command in the Start menu.
  • Disable the start-up entry called firefox.exe that leads to %UserProfile%AppDataRoaminFrfxfirefox.exe.
  • Once the ransomware is terminated and its startup is disabled, decrypt the files with Jigsaw Decrypter.

Though the infection rate is minimal, the functionality of Jigsaw ransomware is unavoidable. With threats and attacks becoming more every day, examples like these make us realize the importance of keeping our systems safe and secure.

 

Detect and Mitigate Threats with Saner

SecPod Saner is a platform that combines endpoint visibility, risk prevention, threat detection and response into one comprehensive solution. Saner detects risks, automatically hardens endpoints and provides continuous visibility and control of endpoints. Saner platform has the ability to proactively detect Jigsaw and other ransomware and mitigate them. Threats are detected in real-time and managed. Combining risk prevention with threat management, Saner provides a comprehensive endpoint security and management solution.

– Rini Thomas

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn
Loading Facebook Comments ...

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>