Jigsaw ransomware decrypted yet again - using a simple trick

But don’t think the crypto-malware is down and out.

Jigsaw ransomware decrypted yet again - using a simple trick

Researchers have found a simple trick they can use to once again decrypt the notorious Jigsaw ransomware.

The Check Point Threat Intelligence Research team explain they made their discovery on Friday while investigating the ransomware's user interface.

111

"When the user presses the ‘I made a payment, now give me back my files!’ button, the program makes an HTTP GET request to:

btc.blockr[.]io/api/v1/address/balance/

and as a response, gets the following

json: {“status”:”success”,”data”:{“address”:””,”balance”:0,”balance_multisig”:0},”code”:200,”message”:””}

This got us thinking – what if we change the request, so it queries a different account? Perhaps one that holds the necessary amount of Bitcoins to decrypt our files? Or even better - what if we change the response to say we have the necessary amount?"

Curious, the researchers changed the "balance" variable from 0 to 10. To their delight, Jigsaw interpreted this change as receipt of payment and began decrypting the files!

But it gets better. The decryption trick appears to work on older variants of Jigsaw. Once complete, the process also leaves no trace of the ransomware on an infected machine.

Jigsaw ransom note 768x631

Researchers have successfully decrypted every version of this file-deleting ransomware since its discovery back in April, including its "CryptoHitman" alter-ego. Jigsaw has made several updates in that time span, including the addition of a live chat feature. But none of those features have put a stop to the work of several knowledgeable security researchers.

Check Point has built a decryption tool that incorporates this latest trick. It is freely available for download here.

But even though he's happy about his team's discovery, Lotem Finkelsteen, who leads Threat Intelligence Operations at Check Point, believes we haven't seen the last of Jigsaw:

"The fact that security companies and independent researchers have published decryption tools for it and this did not prevent Jigsaw’s developers from creating and issuing new versions of this ransomware is telling."

With that in mind, users should continue to avoid clicking on suspicious links and email attachments, make sure their anti-virus solution is up-to-date, implement all software updates when they become available, and regularly back up their critical data.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

No comments yet.

Leave a Reply