Years after the first cryptography-based ransomware went onto the cybercrime arena, the money-driven perpetrators have started experimenting with the use of spooky personages to increase their return on investment. One of the new campaigns, for example, engages Billy the Puppet movie character for more efficient intimidation. Aside from the scare tactic alone, the respective infection referred to as the Jigsaw ransomware is nastier than its counterparts, because its impact combines data encryption with irreversible file obliteration in case the victim lingers with paying the ransom.
More specifically, the unscrupulous “game” involves a strong AES cipher to render files unreachable, as well as a recurrent deletion routine going off at specified intervals. Furthermore, the trojan assigns one of the following extensions to every encrypted object: .fun, .gws, .kkk, or .btc. The size of the ransom depends on Jigsaw version and can be anywhere in the range of 200-500 USD.
The distribution of Jigsaw ransomware reportedly involves file downloads hosted on cloud storage resources like 1fichier. Most of the time, the malicious loader is furtively bundled with harmless freeware so that users don’t notice it while installing the core application. The offending program targets more than 200 file formats. When on board a computer, it scans the hard drive for the corresponding extensions, applies the Advanced Encryption Standard to encode everything found, appends a version-specific extension to files, and displays ransom instructions in a separate screen.
The warning message is available in English and Portuguese. It notifies the victim of the fact of personal data encryption and contains information about the sum to pay, the Bitcoin address to send money to, and the time left until a new portion of files is automatically destroyed. Here is how the scheme works: the user has a total of 72 hours to submit the ransom, but the trick is that some data items will be erased every hour even before the 3-day period elapses. The data will be vanishing exponentially, which means that 1 file is deleted 60 minutes after the attack proper, and then the number grows as subsequent 1-hour intervals pass. What’s worse is that 1000 files will be removed every time the ransomware launches – this makes people keep their PCs turned on until the issue is resolved. All in all, the victims may lose most of their files beyond recovery unless they pay during the first 24 hours, although the deadline is in fact bigger. The sooner the user pays up the more files will be left to recover, so this mechanism puts additional pressure on anyone infected.
Luckily, there is some good news for Jigsaw victims. Since the ransomware is built with C#/.NET, IT security enthusiasts have managed to reverse engineer its code and recently created an automatic tool that decrypts the files. It’s called the JigSawDecrypter, and it’s completely free to download and use. Be advised the app doesn’t remove Jigsaw, so the user should also run a reliable antimalware suite to get rid of the threat.