Jigsaw ransomware uses live chat to relay payment instructions

Got a question? Ask a ransomware author!

Some new variants of Jigsaw ransomware are now relaying payment instructions to their victims via a live chat feature.

Back in mid-April, researchers first came across Jigsaw. Variants of this ransomware family target 240 different file extensions, encrypt all relevant files with AES encryption, and append a .FUN, .KKK, .GWS, or .BTC extension to them.

Jigsaw demands $150 in exchange for the ransom key.

But this crypto-ransomware is not a passive captor of affected users' files.

The malware displays two things to a user once it has successfully infected a machine: a ransom message and a countdown timer starting at 60:00.

Jigsaw ransom note

Every time the timer reaches 0:00, Jigsaw will delete an increasingly greater number of a victim's encrypted files.

The ransomware will also penalize a victim for bad behavior, such as turning off the computer, by automatically deleting 1,000 files.

It will then remove all remaining files if the user has failed to pay within three days of having become infected.

Fortunately, researchers were able to develop a free decryption tool for users affected by Jigsaw. The ransomware authors tried to circumvent that utility by rebranding Jigsaw as CryptoHitman, adding a new lockscreen, and appending .PORNO to all encrypted files. But they didn't fool the researchers, who simply updated their decryptor.

Notwithstanding all of their bad luck so far, it would appear the ransomware authors are still committed to updating Jigsaw.

Researchers at Trend Micro recently observed some variants of the crypto-malware sporting something new: a lockscreen with a link to a live chat feature through which the ransomware authors can communicate their payment demands to victims in real time.

After taking a closer look, the researchers determined that Jigsaw is not using its own chat client. Instead, it is using onWebChat, a publicly available chat feature.

Trend Micro has reached out to onWebChat about the ransomware authors using its software.

The researchers also took some time to wonder at the decision to incorporate a live chat feature into the latest Jigsaw variants:

"There are some perverse incentives at work for cybercriminals to decide to focus on their 'customers' (i.e., victims) in this way. Whatever those incentives may be, the victims of this crime now have an immediate, human voice to go to when their files are encrypted. This may predispose them to pay up if they are victimized – something we do not encourage."

Don't let ransomware authors sweet-talk you into fulfilling their demands. Instead, make sure you have backed up your data so that you can restore your files without paying the ransom.

To prevent a ransomware infection, make sure you avoid clicking on suspicious links and email attachments, maintain an up-to-date anti-virus solution on your computer, and implement software updates as soon as they become available.
