The Check Point security experts reported that during the weekend they found a way to decrypt files locked by the two versions of Jigsaw ransomware.
Jigsaw ransomware came out in April this year. The threat made a big name for itself because it deleted files from the victim’s computer as time went by without a ransom payment being received. Each additional computer restart would also delete another 1,000 files.
When Jigsaw first appeared, security experts created a free Jigsaw decrypter; however, it stopped working after subsequent updates, which the ransomware received on a regular basis. Jigsaw is currently known as one of the most frequently updated ransomware variants, with new versions coming out almost every week.
The Check Point team researchers say they have identified a weakness not in the encryption process, but in how Jigsaw handles the ransom payment.
Other ransomware families use a Tor-based website to handle payments, while Jigsaw just prints a Bitcoin wallet address on the victim’s PC via a special ransom note and tells the users to press the “I made a payment, now give me back my files!” button after they made the payment. Pressing this button starts a request from the user’s PC to an online API that checks if a payment was received to that specific Bitcoin wallet.
Most ransomware families handle payments on their own websites because users can tamper with the responses that come back from the API.
The Check Point team created a tool which intercepts and mimics a positive API response. This tool gives Jigsaw this fake API response and the ransomware thinks the payment was made, starting the decryption process that ends with Jigsaw unlocking all encrypted files and deleting itself from the infected system.
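As an added illustration (not Check Point’s tool and not Jigsaw’s own code), the Python below models the client-side payment check described above: the decision rests entirely on whatever the network layer hands back, so a constructed “positive” response is accepted just like a real one. The response field names, the wallet address and the ransom amount are assumptions, since the page does not name the API Jigsaw queried.

```python
import json
from typing import Callable

# Constructed placeholders: the page gives neither the wallet nor the ransom amount.
WALLET = "1ConstructedJigsawWalletPlaceholder"
RANSOM_BTC = 0.4
SATOSHI_PER_BTC = 100_000_000


def parse_balance_btc(body: str) -> float:
    """Parse a balance response of the assumed shape
    {"address": "...", "final_balance_satoshi": N} and return BTC."""
    data = json.loads(body)
    return int(data["final_balance_satoshi"]) / SATOSHI_PER_BTC


def payment_received(fetch: Callable[[str], str],
                     wallet: str = WALLET,
                     ransom_btc: float = RANSOM_BTC) -> bool:
    """The weak design: the client decides locally and trusts an
    unauthenticated third-party answer. A malformed answer is treated as
    'not paid' rather than as an error that halts the process."""
    try:
        return parse_balance_btc(fetch(wallet)) >= ransom_btc
    except (ValueError, KeyError, TypeError):
        return False


# Constructed transports standing in for the real HTTP call.
def honest_fetch(wallet: str) -> str:
    """What the public API would return for an unpaid wallet."""
    return json.dumps({"address": wallet, "final_balance_satoshi": 0})


def intercepted_fetch(wallet: str) -> str:
    """What a local interception tool substitutes: a balance at or above the
    ransom, so the same client logic concludes that payment was made."""
    return json.dumps({"address": wallet,
                       "final_balance_satoshi": int(RANSOM_BTC * SATOSHI_PER_BTC)})


def garbage_fetch(wallet: str) -> str:
    """A broken response, to show the failure mode is handled."""
    return "not json"
```

Because the check never authenticates the response, anything that can answer in the API’s place controls the outcome; that is exactly why other families keep this decision on a server the victim does not control.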
The tool, which works with both newer and older Jigsaw versions, can be downloaded from here, and Check Point’s instructions for using it are below. The decryption trick was most probably first discovered by Peter Kleissner, who tweeted about it a week ago.
1. Unpack the JPS.zip file.
2. In the Jigsaw Puzzle Solver folder, right click ‘JPS.exe’ and click ‘run as administrator’.
3. Follow the instructions displayed on the screen.