What Jigsaw Ransomware is, and how it operates
Firstly: IF YOU SEE THIS IMAGE ON YOUR MONITOR – DO NOT RE-BOOT OR TURN OFF UNTIL YOU HAVE READ THIS!!!!
If the user has seen the 2004 movie Saw [Dir. James Wan], then the appearance of this trojan-ransomware’s graphics on the monitor will still come as a surprise, though with recognition. For users unfamiliar with the brilliant though grotesque psycho-horror story, the impact will be much greater. Then, on reading the accompanying text, comes the anxiety of file encryption and having to pay a ransom in return for having your files restored. The initial demand varies, though it is about 0.4 Bitcoin / $150 US for the decryption key (it’s interesting that in the film, an important device/motif in the plot is a physical key on which the characters’ survival depends). But wait – if this usual ransomware extortion activity isn’t enough, the malware threatens to delete one file every hour until payment is made. This death-rate is only valid for the first 24-hour period; then the timer is reset, the ransom rises and more files per hour are doomed. After 72 hours, it threatens to delete all remaining files. Other ransomware has threatened to delete user files, though this is the first able to carry it out.
Now, the fatal blow: the Jigsaw coding also writes an auto-run command into the Start-Up Registry. If the user logs out of Windows, logging back in will result in the immediate extermination of 1 000 innocent files (yes – ONE THOUSAND!). So, it is vital to destroy Jigsaw as soon as possible. It is not yet clear at what point this auto-run/mass-deletion begins to function – watch here for updates.
File-killer malware is not a new concept. Back in 2003, a truly evil piece of horror-ware emerged from the darkness called Trojan.KillFiles.904. It was designed to enter a system covertly and destroy all files silently. As it wiped everything on every drive except for Windows system files, the victim was often unaware of this annihilation until it was complete. The origin of this trojan was never discovered. Nor was its motive: it didn’t send signals or data back to a hacker, and there were no demands made. Perhaps elements of KillFiles.904 have been resurrected to operate in the coding of Jigsaw…
Okay, so this is pretty gloomy stuff. Though it’s okay – analysts have done a fine job of working out how to slay the monster, and a decrypter has been written by Michael Gillespie [Jigsaw Decrypter]. So, what remains is to understand the possible attack vectors and to avoid Jigsaw. Or, if a user is unlucky enough to become infected – to know how to detect and remove Jigsaw efficiently (see below). Speed is essential to preserve the life of files, so knowing the true nature of the beast is vital. The malware makes the ransom demand only after encryption is completed, so it is important to spot it as early as possible.
Detect and Eradicate Jigsaw Ransomware
Good scanning software may detect the malware if the databases for a user’s specific product are up to date (vendor websites should confirm this). It is not yet clear what level of evasion capability the infection possesses, or how covert it is during encryption. The manual signs to look for are abnormal system behaviour such as slower start-up and program running, or even software crashes. This may also be accompanied by screen freezes. As the ransomware has multiple tasks, it may call out to a C&C (Command & Control) server to download further malware elements, and this will cause extra network traffic. This may be experienced as slower/interrupted browsing or unprompted internet connections being made. If any of these symptoms are noticed, then check for file extension changes, or look for the registry entry changes:
- File extensions used by Jigsaw so far: .FUN, .KKK, .GWS, .BTC
- Encrypted files are listed in: %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt
- Registry entry changes:
If any of the above are noted, download Michael’s decryption tool above and make an external backup of all files if a recent one is unavailable. Follow the instructions below to get rid of Jigsaw. And afterward, try to decide how this infection found its way in – for instance, look at any attachments in e-mails that were opened lately (though don’t open them again!), or freeware that was installed recently…and please share any ideas about this with us.
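As an added example (not the post’s own code, nor the decrypter’s), here is a small Python scan for the two file-system signs listed above: files carrying one of the Jigsaw extensions, and the EncryptedFileList.txt marker under the user profile. The `profile_dir` argument and the constructed temporary folder in `demo()` are assumptions so the check can run offline on any machine.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post lists for Jigsaw-encrypted files (compared case-insensitively).
JIGSAW_EXTENSIONS = {".fun", ".kkk", ".gws", ".btc"}
# The marker file the post names, relative to the user's profile root (%UserProfile%).
MARKER_RELATIVE = Path("AppData") / "Roaming" / "System32Work" / "EncryptedFileList.txt"


def scan_for_jigsaw(root, profile_dir=None):
    """Walk `root` and report files whose last extension is a Jigsaw one.

    Returns {"hits": [paths...], "marker_present": bool}. `profile_dir` is an
    assumed parameter for testing; it defaults to the current user's home.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Jigsaw appends its extension, so "report.docx.fun" has suffix ".fun".
            if Path(name).suffix.lower() in JIGSAW_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    profile = Path(profile_dir) if profile_dir else Path.home()
    marker = profile / MARKER_RELATIVE
    return {"hits": sorted(hits), "marker_present": marker.is_file()}


def demo():
    """Constructed sample: two 'encrypted' files, one clean file, plus the marker."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "thesis.docx.fun").write_bytes(b"\x00constructed junk")
        (docs / "photo.jpg.btc").write_bytes(b"\x00constructed junk")
        (docs / "notes.txt").write_text("still readable")
        marker = Path(tmp) / MARKER_RELATIVE
        marker.parent.mkdir(parents=True)
        marker.write_text(str(docs / "thesis.docx.fun"))
        return scan_for_jigsaw(tmp, profile_dir=tmp)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['hits'])} suspicious file(s); marker present: {result['marker_present']}")
```

On a real machine, point `scan_for_jigsaw` at the user’s document folders and leave `profile_dir` unset; a non-empty `hits` list or a present marker is the cue to back up immediately and follow the removal steps.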
How to decrypt files encrypted by Jigsaw ransomware
Please follow the steps below to successfully decrypt Jigsaw-encrypted files:
Step 1: Download the free Jigsaw decrypter.
Step 2: Click the “Select Directory” button and choose the folder with encrypted files.
Step 3: (Optional) Click “Delete Encrypted Files”.
Step 4: Click the “Decrypt” button and wait until the tool finishes the decryption process.
How to Prevent Jigsaw Ransomware
It is not currently known which particular method is used to spread Jigsaw, so users should be aware of all routes and harden their security and operating practices accordingly. Ransomware penetrates a system by exploiting a user’s lack of attention to operating or updating – by taking advantage of a human or system flaw. A common way for it to enter is as part of a bundle of freeware that was installed in haste. Always use the Advanced/Custom option to install and look at what the desired program comes with during the process. If the bundle won’t let the wanted installation take place without everything else being taken – stop and delete; find the freeware somewhere else (preferably directly from the developer’s site – though still check this).
Another popular method to deliver trojans and the like is links or attachments in e-mails – delete unsolicited mail, and to be extra safe, see [Malicious Macros link, please] for MS Office 2016 protection. For earlier versions, disable the ActiveX function.
Browser vulnerabilities can be used by Exploit Kits (EKs) working on compromised sites. Browsers should be kept up to date and hardened. Freeware and apps should be updated regularly or removed if not used, as EKs can also target these (Adobe apps, Flash Player, Java etc.). Fake/compromised freeware updates are also a source of infection. Never trust a pop-up – go direct to the vendor for the update. It is vital to apply all patches to operating systems.
Implementing Software Restriction Policies can also lessen the risk of malware entry and also prevent it from running in a system – see windows.microsoft.com for more info.
Combine the above practice and maintenance with good anti-malware programs. With a strong firewall set to deny access to the TOR and I2P networks, much ransomware can be crippled if it does get in. Regular scanning with software using both signature-based and heuristic methods can detect a growing number of threats that manage to infiltrate, and so limit damage.
When it comes to ransomware, most important of all, make an external file backup regularly – then you can laugh in Jigsaw’s face!