Michael Gillespie uncovered a new version of the Jigsaw Ransomware that has changed its background theme for the ransom note to “Anonymous”.
While the older variants of Jigsaw only used a Guy Fawkes mask on the ransom screen, this new one adopts the Anonymous branding outright, as its note now states: “We are Anonymous. We Are Legion. We do not forget. We do not forgive. Expect us.”
The newly found Jigsaw version encrypts victims' files using AES encryption and then demands $250 USD in bitcoins as a ransom. At first, the malware installs itself to %UserProfile%\AppData\Local\MS\app_roaming.exe. Then it disguises itself by creating an autorun entry named "Microsoft Defender" to mislead the victim into thinking it is a Microsoft Defender program. After it has done all that, it shows a screen stating: “Status: Scan initiated”.
Meanwhile, the data on the local drives is being encrypted. Jigsaw appends the “.xyz” extension at the end of all encrypted files. When the encryption process is completed, the Anonymous Jigsaw ransom screen appears with the following message:
“Your data has been fully encrypted But, don’t worry! this can be temporary. Follow the instructions and this virus will decrypt all the data and then remove itself However, time is crucial. Every hour, it will select some of them, and delete permanently. PLEASE NOTE: If you or your Anti-Virus attempts to remove this virus, You will be responsible for getting rid of the ONLY way to getting your DATA back. During the first 24 hours you will only loose a few items, actioned every hour the second day a few hundred, the third day a few thousand. If you turn off your computer or attempt remove the virus or try to close this window, it will start up again and WILL delete 1000 files as a punishment. Once you make the payment, click the confirmation button below and it will begin to automaticly decrypt process all data and the virus will remove itself once completed. The ball is now in your court”
Luckily, even this Anonymous Jigsaw variant is still easy to decrypt, and Gillespie's decryptor has been updated to work against this new version. All victims are advised to stop the app_roaming.exe process via Task Manager first, so it doesn't delete any more data, and only then start the decryption process.
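The article names three host-level indicators of this variant: an autorun value called "Microsoft Defender", the dropper at %UserProfile%\AppData\Local\MS\app_roaming.exe, and the ".xyz" extension appended to encrypted files. The following Python is an added triage example, not code from the article or from Gillespie's decryptor. It runs the indicator checks over constructed sample data (the Run-key entries and file paths below are invented for the example); on a real Windows host an analyst would feed it the actual Run-key values, for instance read with `winreg` or exported from Sysinternals Autoruns, and a recursive file listing.

```python
"""Indicator checks for the Anonymous Jigsaw variant (added example)."""
from typing import Dict, Iterable, List, Tuple

# Indicators as described in the article.
AUTORUN_NAME = "microsoft defender"                      # disguised Run-key value name
DROPPER_SUFFIX = r"\appdata\local\ms\app_roaming.exe"     # path under %UserProfile%
ENCRYPTED_EXT = ".xyz"                                   # appended to every encrypted file

# Constructed sample data for the example. Only the second Run entry is Jigsaw;
# the other two mimic ordinary Windows 10 entries so the checks have something
# legitimate to ignore.
SAMPLE_AUTORUNS: Dict[str, str] = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Microsoft Defender": r"C:\Users\alice\AppData\Local\MS\app_roaming.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_FILES: List[str] = [
    r"C:\Users\alice\Documents\report.docx.xyz",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Documents\budget.xlsx.XYZ",
]


def suspicious_autoruns(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, command, reason) for Run-key values that match the
    Jigsaw disguise: a value named 'Microsoft Defender' or any value whose
    command launches app_roaming.exe from %UserProfile%\\AppData\\Local\\MS."""
    hits = []
    for name, command in entries.items():
        cmd = command.strip().strip('"').lower()
        reasons = []
        if name.strip().lower() == AUTORUN_NAME:
            reasons.append("Run value named 'Microsoft Defender'")
        # Substring match so that trailing arguments or quoting do not hide the path.
        if DROPPER_SUFFIX in cmd:
            reasons.append("launches app_roaming.exe from AppData\\Local\\MS")
        if reasons:
            hits.append((name, command, "; ".join(reasons)))
    return hits


def encrypted_files(paths: Iterable[str]) -> List[str]:
    """Return paths carrying the '.xyz' extension Jigsaw appends (case-insensitive)."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]


def original_name(encrypted_path: str) -> str:
    """Jigsaw appends '.xyz' to the existing name, so removing that suffix gives
    the original filename (report.docx.xyz -> report.docx). Non-matching paths
    are returned unchanged."""
    if encrypted_path.lower().endswith(ENCRYPTED_EXT):
        return encrypted_path[: -len(ENCRYPTED_EXT)]
    return encrypted_path


def triage(entries: Dict[str, str], paths: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into one summary an analyst can act on."""
    autorun_hits = suspicious_autoruns(entries)
    enc = encrypted_files(paths)
    return {
        "jigsaw_autorun_found": bool(autorun_hits),
        "autorun_hits": autorun_hits,
        "encrypted_file_count": len(enc),
        "recoverable_names": [original_name(p) for p in enc],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_AUTORUNS, SAMPLE_FILES)
    for name, command, reason in summary["autorun_hits"]:
        print(f"[!] {name}: {command}  <- {reason}")
    print(f"{summary['encrypted_file_count']} encrypted file(s); original names:")
    for n in summary["recoverable_names"]:
        print("   ", n)
```

A positive `jigsaw_autorun_found` is the cue for the order of operations the article gives: terminate app_roaming.exe before anything else, since the note threatens to delete files on an hourly timer and on interruption, and only then remove the Run entry and run the decryptor over the ".xyz" files.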