JIGSAW Ransomware: Deleting Files Instead of Encrypting Them
Ransomware, which is malware that holds users’ data for ransom, keeps showing up in the news. In February, Hollywood Presbyterian was locked out of its electronic medical records (patient information is kind of important to running a hospital) until it forked over 40 bitcoins, worth at the time about 17K.
This time, it’s JIGSAW. Our colleagues at Trend Micro have uncovered a new type of ransomware written by someone who appears to be a fan of that creepy puppet from the horror movie ‘Saw’. What makes JIGSAW different from most other ransomware threats is that it will delete files, instead of just encrypting them.
JIGSAW.EXE: The Virus That Wants to Play a Game
JIGSAW deletes files exponentially, starting 60 minutes after the program launches with the deletion of ‘some’ files:
- It deletes more files and increases the ransom every hour
- If you reboot your system or close the ransom window, JIGSAW will delete 1,000 files.
- After 72 hours it will delete all remaining files
Source: Trend Micro
JIGSAW appears to have compromised systems both when users downloaded files from a free storage site and when it was bundled with other malware.
As I (and others) have said, holding systems or entire networks hostage to extort payment will likely be a popular business model among cybercriminals. It’s a lot less work and an arguably better business model than going through the effort of harvesting valuable data and selling it on the secondary market.
Impact on you
Ransomware is a growing threat: According to the new 2016 Verizon Data Breach Report, ransomware is the second-most common form of crimeware. Cybercriminals will continue to use it to extort money from victims for its ease of use and immediate return on investment.
The FBI’s Internet Crime Complaint Center reported between April 2014 and June 2015 it had received almost 1,000 “ransomware” complaints, costing victims more than 18 million in losses.
How AlienVault Helps
The AlienVault Labs team continues to research and update the ability of USM to detect ransomware-related activity. Last week, the Labs team updated the USM platform’s ability to detect JIGSAW and several other families of ransomware by adding IDS signatures to detect the malicious traffic on your network and correlation directives to link events from across your network that indicate systems compromised by ransomware.
These ransomware updates are included in the latest AlienVault Threat Intelligence update available now:
Emerging Threat: Jigsaw Ransomware
Jigsaw is a new ransomware that not only encrypts your files but also starts deleting them if you take too long to pay the ransom. Currently the distribution method of this ransomware is unknown. This is not the first time a ransomware has threatened to delete files but it is one of the first times it has actually been carried out. The good news is that a method to decrypt the files for free has already been published.
We’ve added IDS signatures and created the following correlation rule to detect Jigsaw Ransomware:
In addition to that, we updated some correlation rules and added new IDS signatures to improve the detection of previously known ransomware families:
- System Compromise, Ransomware infection, Coverton
- System Compromise, Ransomware infection, Torrentlocker
- System Compromise, Ransomware infection, Unknown Ransomware
- System Compromise, Ransomware infection, Virus-Encoder
For more information on a wide range of ransomware families, visit the AlienVault Open Threat Exchange (OTX) to see the research the OTX community has contributed:
Jigsaw Ransomware Adds Insult to Injury
What could be worse than a ransomware infection? How about getting infected by crypto-ransomware that taunts you by slowly deleting your encrypted files while increasing the ransom demand until you pay for the decryption key? And don’t reboot your PC, or else the ransomware will delete 1,000 files at once as a reprisal.
That’s the premise behind Jigsaw, a new strain of ransomware that not only tries to increase the pressure on victims to pay, but which also references the “torture porn” horror film series “Saw.” In particular, the film’s fictional serial killer, John Kramer, is nicknamed the Jigsaw Killer and communicates with victims using a puppet called “Billy,” which the Jigsaw ransomware author, or authors, also employ in their ransom note.
The ransomware also apes the red clock used in the movie to count down to deadlines imposed by the killer, to show victims how much time is left before more files get deleted, and the ransom demand increases. And after 72 hours, the ransomware deletes every encrypted file on the PC (see Ransomware: Is It Ever OK to Pay?).
This latest twist in ransomware appears to have been coded on March 23 and to have been used in live attacks by the end of the month, says Andy Settle, head of special investigations at Raytheon’s cybersecurity business Forcepoint, formerly known as Websense, in a blog post. “This malicious program starts encrypting your files while adding, with no irony, the ‘.FUN’ file extension,” he says. “Using horror movie images and references to cause distress in the victim is a new low.”
Other variants of the ransomware, meanwhile, copy and encrypt files using .KKK, .BTC and .GWS extensions, before deleting the originals, Jasen Sumalapao, a malware analyst at Trend Micro, says in a blog post. He adds that the ransom note exists in both English-language and Portuguese-language versions, and that the lowest possible amount that victims can pay, before the demand starts increasing, ranges from 20 to 150 in bitcoins.
No Free Lunch
Trend Micro says Jigsaw appears to be distributed via adware and “grayware”, a.k.a. “potentially unwanted applications” such as “free toolbars”, as well as via sites that host adult content. Many attacks likely begin with a “malware dropper” infection, which then downloads and installs a copy of Jigsaw hosted on the free cloud storage service 1fichier.com. “This service has previously hosted other malware like the information stealer Fareit, as well as Coinstealer, which gathers bitcoins,” Sumalapao says. “We already notified 1fichier about this incident and they already removed the said malicious URLs.” Other versions of Jigsaw have also been seen at the waldorftrust.com website, he adds, noting that the ransomware has likely been bundled with applications that claim to be “cryptominer” software for using PCs to generate cryptocurrency. (Hint: they’re often fake.)
Forcepoint says the Jigsaw variant that it studied was written in .NET code, which the developer attempted to obfuscate, “to prevent analysis”, and failed. As a result, security researchers have been able to recover the encryption key hardcoded into the malware, as well as 100 different bitcoin addresses to which ransoms can be paid. Settle says those addresses have now been shared with authorities (see Tougher to Use Bitcoin for Crime?).
Since the Jigsaw encryption key has been recovered, security researchers have also been able to publish instructions for removing Jigsaw infections. Of course, it’s a sure bet that Jigsaw’s developers will soon correct their coding errors in a new version, which is precisely what happened after the developers behind TeslaCrypt fumbled their crypto last year.
“Torture Ransomware”: Commodity Twist
Jigsaw continues the age-old practice of criminals, including online attackers, employing “psychological levers” in an attempt to trick or compel victims into parting with their money.
But functionally speaking, as with banking Trojans, point-of-sale malware and now ransomware, there’s often scant difference between different malicious code families. To up the ante, attackers have in some cases begun targeting not just individual PCs, but entire enterprises, including hospitals, looking for bigger one-off ransom payments.
Taking a page from the consumer-goods industry, meanwhile, some attackers are instead focusing on branding. “These days, the name of the crypto-ransomware game is to add ‘unique’ features or ‘creative’ ways to instill fear and put more pressure to users to pay up, despite the fact that, when it comes to their technical routines, there’s not much difference among these malware,” Trend Micro’s Sumalapao says.
Enter “torture ransomware.” And the fact that we’ve gotten to the point where ransomware developers are coding horror-movie variations demonstrates not just the relative ease of creating this type of malware, but the incredible profit potential.
Beat the Odds
As always, security experts’ anti-ransomware advice remains the same, with or without attackers employing ransom notes featuring sadistic puppets named Billy:
- Maintain up-to-date backups.
- Ensure backups are stored offline, so ransomware can’t reach them via connected, network-based or Cloud-based drives.
- Regularly test backups.
- Run anti-malware software to block known strains of ransomware.
- Keep all applications and operating systems up to date.
- Don’t fear the ransomware.
For more extensive advice, see security expert Bart Blaze’s list of top-notch ransomware defenses for both individuals and organizations. In horror-movie terms: Prepare, so you don’t have to pay.
Jigsaw Ransomware: Anything But A Game
That’s the ominous (yet strangely reassuring) message users are receiving after coming across Jigsaw, the latest ransomware threat. Right, nothing to worry about here.
Jigsaw encrypts, then progressively deletes files until the ransom of 150 is paid, according to PCWorld. The ransomware deletes a single file after the first hour, then deletes more and more per hour until the 72-hour mark, when all of your remaining files are deleted.
Luckily, a decrypter has already been set up and hosted by BleepingComputer.com. According to BleepingComputer, the criminals behind this ransomware follow through on their threats, unlike some variants in the past.
By now, it probably seems like a new ransomware threat is popping up every week. California lawmakers have decided to take a stand against ransomware attacks through a proposed bill which would prosecute cyber criminals under a statute similar to extortion, according to NBC News.
So how can you protect yourself against ransomware? A proactive approach is your best bet:
- Education: Understanding ransomware is the first step. The ability to avoid ransomware hinges on recognizing and understanding the threat before it’s too late. Make sure everyone in your organization understands the threat and what they should look out for.
- Security: Antivirus software should be considered essential for any business to protect against ransomware and other risks. Ensure your security software is up to date, as well, in order to protect against newly identified threats. Keep all business applications patched and updated in order to minimize vulnerabilities.
- Backup: Modern total data protection solutions, like Datto, take snapshot-based, incremental backups as frequently as every five minutes to create a series of recovery points. If your business suffers a ransomware attack, this technology allows you to roll back your data to a point in time before the corruption occurred.
As always, taking the proper precautions is the best way to protect yourself from any form of ransomware. In the event you’re attacked, the best way to avoid paying a ransom is to have a proper business continuity and disaster recovery (BCDR) solution featuring up-to-date backups. This will allow you to restore your data to a point in time before the infection, and retain your precious data. To learn more about all things ransomware, including the common types, how it is spread and how to prevent it, download our eBook: The Business Guide To Ransomware.
What is Jigsaw, or what are “.Jigsaw” extension files on your system?
Jigsaw ransomware is an overly hyped threat that can affect your computer or virtually any organization, regardless of its size or industry. And beyond the actual ransom, there’s the collateral damage to consider, including reputation and trust. It is up to you how you protect your system from this threat.
Jigsaw ransomware is one of the fastest-growing threats in cybersecurity. Throughout the pandemic, many new industries have been targeted by this malicious ransomware, including healthcare, real estate and law. Government and critical infrastructure are always targets as well.
Don’t make the mistake of thinking that you’re too small or too big to become a victim. Nor should you be overconfident in your security posture. It can damage your system or PC and also steal important and private data from your system.
There are several things you can do to protect yourself, your devices and your data from Jigsaw ransomware, which you will find in this article.
This article will guide you through safely removing Jigsaw ransomware and help with recovery.
Method Of Propagation
Jigsaw ransomware may use various distribution tactics to spread its payload. However, the main infection vector is a payload dropper in spam email attachments. Usually, the mails are styled as invoices, faxes, job offers or messages from senior officials of the company. Given the COVID-19 crisis, spam emails relating to the latest information about the pandemic may also be used to trick users into opening them.
Once the user opens the infected attachment, the macro-enabled document automatically runs its macros. These download the infectious files onto the system and install them.
Other than that, the malware may spread via malicious scripts laden with the virus payload on compromised websites. Social media links, software cracking tools, other Trojans and peer-to-peer sharing are other ways you may become infected with Jigsaw ransomware.
The Encryption Process
Upon successful installation, the ransomware runs an encryption algorithm to lock files with a unique key. Typically, it targets all types of documents, photos, videos and apps on the system.
As mentioned above, the motive is to demand a ransom in order to buy the decryption key from the authors of the threat. After encryption, the files are renamed with a “.Jigsaw” extension; the full pattern is “original filename.Jigsaw”.
For example, a file named “home.jpg” would appear as “home.jpg.Jigsaw”. All files are renamed likewise and are no longer accessible. After completing the encryption, it generates a ransom note containing the contact details of the authors along with a unique ID for the victim.
The Ransom Note
After the encryption is completed, the ransomware creates a ransom note to inform users about the encryption and how they can recover their files. The note is named “_readme.txt” and can be found in each folder where encryption occurred and on the desktop.
The text within the ransom note “_readme.txt” is:
Don’t worry, you can return all your files! All your files like pictures, databases, documents, and other important are encrypted with the strongest encryption and unique key. The only method of recovering files is to purchase a decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees do you have? You can send one of your encrypted files from your PC and we decrypt it for free. But we can decrypt only 1 file for free. The file must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-EtT4dX8q3X The price of a private key and decrypt software is 980. Discount 50% available if you contact us first 72 hours, that’s the price for you is 490. Please note that you’ll never restore your data without payment. Check your e-mail “Spam” or “Junk” folder if you don’t get an answer for more than 6 hours.
To get this software you need writes on our e-mail: email@example.com
Reserve e-mail address to contact us: firstname.lastname@example.org
Here are a few points concluded from the ransom note:
- The files on the system, including photos, databases and documents, are encrypted with unique keys;
- Victims can only recover them by paying the ransom to the authors and buying the decryption key from them;
- However, to clear any doubts, victims can send the authors one of their encrypted files, which should not contain any sensitive information. The authors will decrypt it for free; after that, victims need to pay the ransom fee to get full decryption.
- The decryption fee is 980; however, they claim to halve the price if the victim contacts them within 72 hours after the encryption.
- To contact the authors, users can email email@example.com and firstname.lastname@example.org.
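The renaming pattern and the ransom note described above lend themselves to a small triage script. The following Python is an added example, not code from any of the articles quoted on this page: it inventories files carrying the extensions the page names (.Jigsaw here, plus .FUN, .KKK, .BTC and .GWS from the variants described earlier), recovers each original file name from the “original filename.extension” pattern, and extracts the contact addresses, price and discount deadline from a note of the kind shown. The directory tree and note text are constructed samples, and the extension set and regular expressions are assumptions, not a vendor signature database.

```python
# Added incident-triage example (not code from any article quoted on this page).
# Inventories files carrying the extensions the page associates with Jigsaw,
# recovers original names from the "<original name>.<ext>" pattern, and pulls
# contact addresses, URLs, price and deadline out of a ransom note as indicators.
import os
import re
import tempfile
from collections import Counter

# Extensions named in the articles; treating them as a fixed set is an assumption.
JIGSAW_EXTENSIONS = {".jigsaw", ".fun", ".kkk", ".btc", ".gws"}
NOTE_NAME = "_readme.txt"  # ransom note file name given in the article above


def original_name(path):
    """'home.jpg.Jigsaw' -> 'home.jpg'; None if the file carries no Jigsaw extension."""
    stem, ext = os.path.splitext(path)
    return stem if ext.lower() in JIGSAW_EXTENSIONS else None


def inventory(root):
    """Walk root; return (encrypted path -> original path, per-extension counts, note paths)."""
    encrypted, counts, notes = {}, Counter(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(full)
                continue
            orig = original_name(full)
            if orig is not None:
                encrypted[full] = orig
                counts[os.path.splitext(name)[1].lower()] += 1
    return encrypted, counts, notes


# Patterns written against the note text quoted above (assumed, not vendor signatures).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://\S+")
PRICE_RE = re.compile(r"decrypt software is (\d+)")
HOURS_RE = re.compile(r"first (\d+) hours")


def parse_note(text):
    """Extract the indicators an analyst would record from a note of this kind."""
    price = PRICE_RE.search(text)
    hours = HOURS_RE.search(text)
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "urls": URL_RE.findall(text),
        "price": int(price.group(1)) if price else None,
        "discount_hours": int(hours.group(1)) if hours else None,
    }


def build_sample_tree():
    """Constructed sample: two 'encrypted' files, one untouched file, one note."""
    root = tempfile.mkdtemp(prefix="jigsaw_triage_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("home.jpg.Jigsaw", "docs/budget.xlsx.fun", "docs/notes.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder content")
    with open(os.path.join(root, NOTE_NAME), "w") as fh:
        fh.write("The price of a private key and decrypt software is 980. "
                 "Discount 50% available if you contact us first 72 hours. "
                 "e-mail: email@example.com Reserve: firstname.lastname@example.org")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    enc, counts, notes = inventory(root)
    with open(notes[0]) as fh:
        print(len(enc), dict(counts), parse_note(fh.read()))
```

The inventory mapping doubles as the rename list to apply once a decrypter has restored file contents, and the note indicators are what you would hand to the IDS/correlation side described earlier.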
How To Remove Jigsaw Ransomware Without Paying the Ransom
Security experts never recommend paying the ransom, as there is no guarantee the extortionists will provide the full decryption key even after payment. Besides that, paying the ransom encourages such crimes and funds illegal profit. Thus, you should remove the Jigsaw ransomware threat and try the other recovery methods given below. It is better to keep a backup of all your important files safely stored to guard against such threats. Before starting the removal, keep a copy of the encrypted files along with the ransom note on a separate flash drive.
To remove Jigsaw ransomware from a Windows system, follow these steps:
Method 1: Remove Jigsaw Ransomware Using Safe Mode with Networking
In this guide, you will find removal instructions for Jigsaw ransomware, both manually and using an anti-malware tool. However, manual removal of ransomware threats is nearly impossible, so it is better to run a scan with an anti-ransomware/anti-malware tool to remove the virus.
Not all anti-malware is capable of detecting and removing ransomware threats, so it is better to opt for tools that have anti-ransomware features, as they keep their databases updated with the latest ransomware threats and their behaviour. When you run a scan, they analyse the behaviour of infected files in order to remove them.
We recommend HitmanPro.Alert, Avira, ESET and Ransomware Defender; you can choose whichever you prefer.
Some detections by AV vendors (check out the full detections):
- TR/AD.InstaBot.nyavj, as detected by Avira
- A Variant Of Win32/Kryptik.HIIS, as detected by ESET
- Trojan.TR/AD.InstaBot.nyavj, as detected by F-Secure
- Mal/Generic-S, as detected by Sophos (HitmanPro)
At times, the virus does not allow the installation or running of an anti-virus program, so you need to switch to “Safe Mode with Networking”. After that, you can try to recover your data if you have a backup; we have also listed some methods below which may help you recover some of your data.
For Windows XP and 7:
- Click on the “Start menu”, then click the arrow next to “Shut Down” and select Restart (just as you normally restart your PC).
- Once the computer screen is powered on, immediately start tapping the “F8” key until you see the “Advanced Boot Options” screen. If you don’t reach the boot screen, restart the process and press F8 while the PC is restarting.
- Here, choose the “Safe Mode with Networking” option and press the “Enter” key to troubleshoot Windows. You will need internet access later on.
[Screenshot: Safe Mode with Networking]
NOTE: To get back to your normal Windows configuration, you need to repeat steps 1-3 and select Start Windows Normally.
For Windows 8/8.1:
- Choose Advanced Options.
- Choose Startup Settings.
- Click Restart to enable Safe Mode.
[Screenshot: Windows 10 Safe Mode with Networking]
NOTE: To get back to the normal Windows configuration, click Start – Power and then click Restart.
Now you need to search for files related to Jigsaw ransomware and delete them. However, manually finding and deleting them is practically impossible, and it may also affect your other files. Such threats also cleverly hide many files, which makes removal a tricky process. Therefore, the safest way to get rid of such malware is to use a reliable ransomware removal program. We recommend HitmanPro.Alert, which comes with anti-ransomware detection.
HitmanPro.Alert is an advanced anti-malware program with anti-ransomware features that help detect encrypted files and the presence of any ransomware threat. Running HitmanPro.Alert on your computer provides real-time status, checks browser integrity and alerts you to any suspicious activity, so that you can browse and transact online safely. Read the full review of HitmanPro.Alert here.
Steps To Install And Run HitmanPro.Alert
- Choose the protection level “Maximum”.
- Tick the other boxes and finally click on “Install”.
- HitmanPro.Alert takes only 5MB of memory and is very quick to install.
By performing the above steps, you can get rid of Jigsaw ransomware.
Method 2: Remove Jigsaw Ransomware Using the System Restore Procedure
Another method is a manual way to get rid of ransomware, through System Restore. If you don’t know much about this process, read here. Click here to perform System Restore in Windows.
Safe Mode with Command Prompt (follow the steps above and choose the Safe Mode with Command Prompt option from the boot settings).
To reboot your computer into “Safe Mode with Command Prompt”:
Windows 8 / 10:
- Press the Power button at the Windows login screen, then press and hold Shift on your keyboard and click Restart.
- Select Troubleshoot – Advanced options – Startup Settings and press Restart.
- When your computer comes back up, select “Enable Safe Mode with Command Prompt” in the Startup Settings window.
Windows 7 / Vista / XP:
- Click Start – Restart – OK.
- When your computer comes back up, start pressing F8 repeatedly until you see the Advanced Boot Options window.
- Select “Safe Mode with Command Prompt” from the list.
To restore your system to the state it was in before the Jigsaw ransomware attack:
[Screenshots: System Restore; restore system files and settings; choose a restore date.]
Once the system restore to your selected date is complete, restart your computer normally.
Download an effective anti-virus program and scan your computer to ensure any remaining threat has been removed.
To protect your computer against ransomware threats, we recommend Ransomware Defender, a dedicated tool to prevent ransomware attacks.
Ransomware Defender: Comprehensive Protection Against Ransomware Threats
This tool is specifically designed to detect and block most ransomware threats before they make any changes to the system. It not only blocks threats but also stops them completely with its proactive mechanism.
Once installed, Ransomware Defender automatically scans for, detects and locks down any malicious entry to the system. What we like about this tool is that it works alongside the primary antivirus program without interrupting it. Read the full review and installation guide.
How to Restore Files Encrypted by Jigsaw Ransomware?
Here is a separate article that guides users through various methods to recover their encrypted files. The ransomware tries to make sure the files cannot be unlocked by other tools, but you should still try them.
You can also search for online decryptor tools to check whether decryption is available. These are mostly free services provided by experts after analysing and cracking the encryption.
After you have successfully removed the Jigsaw ransomware, it is important to start backing up your important files to stay secure against ransomware threats. This is the most recommended thing to do.
We recommend EaseUS Todo Backup, a leading Cloud solution. It protects your system and data from ransomware and makes file recovery easy in case of a ransomware attack.
- Offers automatic and custom backup options: you can select specific files, folders or directories, or even create a clone of an entire drive.
- Compresses file images to save space and encrypts the files to protect them from ransomware/malware attacks.
- Uses Smart Backup, which checks for changes every half an hour and does a full backup every 7 days.
- For instant backup of any file, select the files/folders, right-click in Windows Explorer and add them to Smart Backup.
- Allows access to data anytime, anywhere.
It’s worth trying this product when it comes to protecting privacy.