Researchers have released a free decryption tool for Jigsaw, the sadistic ransomware that gradually deletes all of a victim’s encrypted files.
Security expert Lawrence Abrams recently came across one variant of the ransomware, which asks victims to pay a ransom of US $150.
At this time, no one has confirmed how the ransomware is distributed. When it infects a user’s system, however, it targets 240 different unique file extensions, encrypts all relevant files with AES encryption, and appends a .FUN, .KKK, .GWS, or .BTC extension to them.
Here is the list of file extensions that the Jigsaw ransomware targets:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp , .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR , .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby , .1pa, .Qpd, .Txt, .Set, .Iif , .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, , .Drw, .Dwg.Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar
Once the encryption process is complete, Jigsaw makes itself known to its victim:
“Your computer files have been encrypted. Your photos, videos, documents, etc… But, don’t worry! I have not deleted them, yet. You have 24 hours to pay 150 USD in Bitcoins to get the decryption key. Every hour files will be deleted. Increasing in amount every time. After 72 hours all that are left will be deleted.
If you do not have bitcoins Google the website localbitcoins. Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one. Send to the Bitcoins address specified. Within two minutes of receiving your payment your computer will receive the decryption key and return to normal. Try anything funny and the computer has several safety measures to delete your files. As soon as the payment is received the crypted files will be returned to normal. Thank you.”
There is a 60-minute countdown programmed into the ransom message. When it hits zero, one of your files will be deleted, and the timer will be reset. Only this time the file counter will increase, causing even more files to be deleted.
Try to shut down your computer? The ransomware will delete 1,000 files as punishment. Wait three days? Jigsaw will delete every last one of your files.
Abrams comments that the fact that Jigsaw goes through with its file deletion threats makes it unusual:
“It is not the first time that we have seen ransomware threaten to delete files, but this is the first time that one has actually carried out its threats.”
Users affected by Jigsaw are urged to use Task Manager to terminate the firefox.exe and drpbx.exe processes and use MSConfig to disable the entry firefox.exe. These two steps will disable the ransomware’s startup and will prevent it from deleting any more files.
Next, they should download the Jigsaw Decryptor tool, found here, and use it to decrypt their files.
Finally, they should scan their computers for additional infections via an anti-virus solution.
Jigsaw is a unique ransomware variant. Not only does it actively delete a victim’s files, but for some variants, it expects little from its victims - sometimes as low as US $20 in payment.
As Abrams points out in his post, one cannot help but wonder: are the computer criminals behind Jigsaw actually interested in the money, or are they more invested in screwing with people? Those with nothing to lose are the most despicable form of attacker; they’ll do anything to cause their victims the most amount of distress.
Let us hope this decryptor tool continues to block the nefarious purposes of these bad actors, regardless of their motivations.