The many faces and tactics of Jigsaw crypto-ransomware
The Jigsaw crypto-ransomware got its name from the main bad guy from the popular horror movie franchise Saw, as its initial ransom note (either in English or Portuguese) shows the image of a very distinctive puppet used in the films.
Another reason for the name is because it tries to create a sense of urgency in the victims – not unlike the sense of urgency of the Jigsaw killer’s victims to avoid a gruesome death – in order to force their hand and make them pay up.
The first time the ransom note is shown, a clock begins to tick away. The victims are told that one of their files will be deleted if they don’t pay in an hour.
“During the first 24 hour you will lose a few files, the second day a few hundred, the third day a few thousand, and so on,” the note states. Also, that 1,000 files will be deleted every time the computer or the malware process is restarted.
And unlike previous malware, this ransomware makes good on that threat.
But luckily for the victims, there is a way to foil the criminals behing the scheme and get their files back, as malware analysts have created a decrypter tool for the ransomware. Bleeping Computer’s Lawrence Abrams, who’s one of the group that developed the tool, did a great write-up on how to use it and what to do beforehand so that the malware stops deleting files.
New Jigsaw versions
Trend Micro researchers are warning that the ransomware might not show the distinct ransomware note that will identify it clearly.
“Another version of JIGSAW doesn’t use the Billy image. The alternate version actually shows adult images, with a message that says ‘YOU ARE A PORN ADDICT.STOP WATCHING SO MUCH PORN. NOW YOU HAVE TO PAY’,” they noted. “Another variant of JIGSAW shows the stock image of pink flowers.”
This is good to know, because in this case it’s crucial for the victims to identify the ransomware quickly and proceed to remediate the problem so that they don’t lose any files. It’s also good to know that the ID Ransomware service is able to identify it and point to resources for the cleanup.
Another thing that points to the identity of the malware are the extensions appended to the encrypted files: Jigsaw uses .KKK, .BTC, .GWS and .FUN.
It was initially unknown how the malware got onto the infected computers, but analysts have since discovered that it was downloaded from a free cloud storage service (likely by other malware already on the computer) and a site offering free cryptominer software (it’s probably bundled with it).
“Crypto-ransomware is getting more and more difficult to avoid. That is why users should back up their data regularly and follow the 3-2-1 rule to make sure their data is secure. This also mitigates any damages occurred during the event of a ransomware,” Trend Micro researchers concluded.