Jigsaw

I Want to Play a Game

If malware that can encrypt your filesystem and demand a ransom to decrypt your files isn’t scary enough, I introduce to you the “JIGSAW” crypto ransomware. JIGSAW is a new way for malicious actors to incite fear in victims and pressure them into paying a ransom. Much like the blockbuster film “SAW”, JIGSAW plays a game with its victims, locking their files and then deleting them incrementally until the ransom has been paid. The ransomware even uses an image of the iconic character from the films in its ransom note. JIGSAW deletes more locked files every hour, and the ransom amount increases as well.

Below is an example of JIGSAW infection splash screens an end user will receive:

[Image: JIGSAW ransom note splash screen]

[Image: JIGSAW warning screen]

Upon infection, JIGSAW humorously encrypts all of the victim’s files into .fun files. The malware can encrypt over 120 file extension types and can demand upwards of $200 as ransom for your files. The ransom note states that if the victim reboots their computer, 1,000 files will be deleted and no duplicate copy will be retained. When a victim attempts to restart the computer, another threat is displayed. After 72 hours, if the user fails to pay the ransom, all encrypted files will be deleted.

On the brighter side of this despicable piece of malware, some security researchers have provided a means to decrypt your files without having to pay the ransom. Bleeping Computer and MalwareHunterTeam have discovered a way for victims to decrypt their files for free, without paying the ransom or risking the loss of all their files. This is a kind gesture by these security researchers; however, it cannot be guaranteed that their decryption programs will work in every instance of a JIGSAW infection.

The common infection vector for this malware is malicious email attachments; however, an infection can also arrive via download from illegitimate or unsavory websites. My advice for avoiding this particularly nasty malware is to practice safe web browsing and email habits. Additionally, users should make sure they have sufficient backups of their important and sensitive files, kept where a running infection cannot encrypt or delete them.

Below is a list of MD5 hashes associated with this malware. Security administrators should add these IOCs to their security appliances for blocking/monitoring:

  • 5a9bd3d7f1534431a396a033d16ca496
  • 1e0812fbdaa20a2b9aaddf531daed935
  • 4c153eacdfa8807f1c8fd98e5267da4b
  • 6984a724843fb60130a965a9fc317f2d
  • 4fe313da6d94379f996c31754df8eb30
  • 64e7c95aefe82efb39185321a6cdd5c4
  • 3bee1d24189d4941f68b96da6e207be4
  • 89d6fc6c1a51cef335f7ee2bc2aa60ae
  • 473807de0d05cd6149060403ad01b658
  • 964cefae13ed6df67eceea0e887810b0
  • eedb03be0055cf942205cdbe77117750
  • 273bafedda4c7cf22b416af7296e8730
  • 8ccf7705df018250e427c13b28a93aee
  • 8a58da5184de1ab6db489ca0d79bb4f7
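For administrators who want to check endpoints or file shares against the IOCs above, here is an added example (written for this post, not a tool from the researchers named in it) that walks a directory tree, hashes every file and flags two things: files whose MD5 matches one of the hashes listed above, and files carrying the .fun extension the post describes as JIGSAW's marker for encrypted data. The hash list is taken from this post; the sample directory, its file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 hashes of JIGSAW samples, copied from the IOC list in this post.
JIGSAW_MD5 = {
    "5a9bd3d7f1534431a396a033d16ca496",
    "1e0812fbdaa20a2b9aaddf531daed935",
    "4c153eacdfa8807f1c8fd98e5267da4b",
    "6984a724843fb60130a965a9fc317f2d",
    "4fe313da6d94379f996c31754df8eb30",
    "64e7c95aefe82efb39185321a6cdd5c4",
    "3bee1d24189d4941f68b96da6e207be4",
    "89d6fc6c1a51cef335f7ee2bc2aa60ae",
    "473807de0d05cd6149060403ad01b658",
    "964cefae13ed6df67eceea0e887810b0",
    "eedb03be0055cf942205cdbe77117750",
    "273bafedda4c7cf22b416af7296e8730",
    "8ccf7705df018250e427c13b28a93aee",
    "8a58da5184de1ab6db489ca0d79bb4f7",
}

# Extension the post reports JIGSAW appends to encrypted files.
ENCRYPTED_EXT = ".fun"


def is_ioc_hash(hexdigest):
    """True if a lowercase MD5 hex digest is in the IOC list."""
    return hexdigest.lower() in JIGSAW_MD5


def md5_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk `root` and report IOC hash matches and .fun-extension files.

    Returns a dict with:
      ioc_hits  - paths whose MD5 is in JIGSAW_MD5
      encrypted - paths ending in ENCRYPTED_EXT (behavioural indicator)
      hashes    - every path hashed, mapped to its MD5
    """
    hits, encrypted, hashes = [], [], {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(str(p))
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            hashes[str(p)] = digest
            if is_ioc_hash(digest):
                hits.append(str(p))
    return {"ioc_hits": sorted(hits), "encrypted": sorted(encrypted), "hashes": hashes}


def demo():
    """Build a constructed directory and scan it; returns the scan result."""
    root = Path(tempfile.mkdtemp(prefix="jigsaw_demo_"))
    # Constructed sample files: one mimics a JIGSAW-renamed document,
    # one is an untouched text file, one has known content (md5("abc")).
    (root / "report.docx.fun").write_bytes(b"\x00constructed ciphertext\x00")
    (root / "notes.txt").write_bytes(b"plain text, untouched")
    (root / "abc.bin").write_bytes(b"abc")
    return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    print("IOC hash matches:", result["ioc_hits"])
    print("Files with .fun extension:", result["encrypted"])
```

Run it against a real share by calling `scan_tree("/path/to/share")`. Treat a hash match as high confidence but expect it to miss repacked samples, since a hash IOC changes with any alteration of the binary; a sudden appearance of many .fun files is the more durable signal of this family at work and a good trigger for isolating the host and restoring from backup.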

– Steven R.

Advanced Threat Cyber Security Analyst