A brand new ransomware has just appeared. It not only encrypts your files, but also deletes them in case it takes you too long to pay the ransom of $150 USD.
The new ransomeware is called Jigsaw, and it carries the name of the iconic character which appears in the ransom note. Jigsaw deletes files every hour and each time the infection starts until you pay the ransom. Currently, there is no information on how this ransomware is distributed. Fortunately, there is a method which allows victims to decrypt their files free of charge.
This is not the first time when ransomware threatens to delete files, however, this is the first time when one has carried out its threats. To be precise, Jigsaw ransomware deletes files every 60 minutes and when the program is restarted.
Jigsaw ransomware deletes a file on your PC hourly and increment a counter. Over time this counter causes more than one file to be deleted every hour.
However, the amount of files that are deleted every time the ransomware starts is even more destructive. After the initial infection, when the ransomware it restarted, whether that be from a reboot or terminating the process, Jigsaw will delete a thousand files from the victim’s PC. Apparently, this process is being used to pressure the victim into paying the ransom as fast as possible.
Fortunately, the security researchers found a way for decrypting Jigsaw ransomware for free. Based on the the analyzed information, Demonslay335 has released a decryptor which can decrypt files encrypted by the Jigsaw Ransomware.
In order to decrypt your files, you should terminate the firefox.exeand drpbx.exe processes in Task Manager first, so that you can prevent any further files from being deleted. After that, you have to run MSConfig and disable the startup entry called firefox.exe which points to the %UserProfile%\AppData\Roaming\Frfx\firefox.exe executable.
After you have terminated the ransomware and disabled its startup, you can proceed with decrypting your files. To decrypt them, you should only select the directory and click on the Decrypt My Files button. If you want to decrypt the whole drive, you’ll have to select the C: drive itself.
Do not put a checkmark in the Delete Encrypted Files option until you have confirmed that the tool can properly decrypt your files. Once the files are decrypted, you’d better run an antivirus or anti-malware program to scan your PC for infections.
Being launched, the Jigsaw ransomware scans your drives for certain file extension, encrypts them using AES encryption, and appends the .FUN extension to the filename.
When encrypting a file it will add the filename to a list of encrypted files located at %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. It will also assign a bitcoin address and save it in the%UserProfile%\AppData\Roaming\System32Work\Address.txt file.
Last, Jigsaw will set an autorun that starts ransomware each time you login to Windows. However, each time the ransomware starts, it will delete 1,000 of the encrypted files.
The ransom note includes a 60 minute timer which counts down to 0. Once it reaches 0, it deletes a certain amount of files depending on how many times the counter has reset. Every time the timer resets, a counter will increase, which will cause more files to be deleted on the next reset.
The text of this ransom note is:
“Your computer files have been encrypted. Your photos, videos, documents, etc….
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.
If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payment your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypted files will be returned to normal.
After a victim pays the ransom, they can click on the check payment button. Once this button is clicked, the ransomware queries the http://btc.blockr.io/ site to see if a payment has been made to the assigned bitcoin address. In case the amount of bitcoins in the assigned address is greater than the payment amount, it will automatically decrypt the victim’s files.