A new ransomware has been released that not only encrypts your files, but also deletes them if you take too long to make the ransom payment of $150 USD.  The Jigsaw Ransomware, named after the iconic character that appears in the ransom note, will delete files every hour and each time the infection starts until you pay the ransom.  At this time is currently unknown how this ransomware is distributed.

This is the first time that we have seen these types of threats actually being carried out by a ransomware infection. The good news is that a method has been discovered that allows victims to decrypt their files for free.

The Jigsaw Ransomware
The Jigsaw Ransomware

Jigsaw Ransomware is serious about its threats...

It is not the first time that we have seen ransomware threaten to delete files, but this is the first time that one has actually carried out its threats.  The Jigsaw Ransomware deletes files every 60 minutes and when the program is restarted.

Every hour,  the Jigsaw Ransomware will delete a file on your computer and increment a counter. Over time this counter will cause more than one file to be deleted every hour.

More destructive, though, is the amount of files that are deleted every time the ransomware starts. After the initial infection, when the ransomware it restarted, whether that be from a reboot or terminating the process, Jigsaw will delete a thousand, yes a thousand, files from the victim's computer.

This process is very destructive and obviously being used to pressure the victim into paying the ransom.

How to decrypt and remove the Jigsaw Ransomware

Thankfully, through the analysis of MalwareHunterTeam​, DemonSlay335​, and myself it was discovered that it is possible to decrypt this ransomware for free.  Using this information, Demonslay335 has released a decryptor that can decrypt files encrypted by the Jigsaw Ransomware.  To decrypt your files, the first thing that you should do is terminate the firefox.exe and drpbx.exe processes in Task Manager to prevent any further files from being deleted.  You should then run MSConfig and disable the startup entry called firefox.exe that points to the %UserProfile%\AppData\Roaming\Frfx\firefox.exe executable.

Once you have terminated the ransomware and disabled its startup, let's proceed with decrypting the files.  The first step is to download and extract the Jigsaw Decryptor from the following URL:

https://www.bleepingcomputer.com/download/jigsaw-decrypter/

Then double-click on the JigSawDecrypter.exe file to launch the program.  When the program launches you will be greeted with a screen similar to the one below.

Jigsaw Decrypter
Jigsaw Decrypter

To decrypt your files simply select the directory and click on the Decrypt My Files button. If you wish to decrypt the whole drive, then you can select the C: drive itself.  It is advised that you do not put a checkmark in the Delete Encrypted Files option until you have confirmed that the tool can properly decrypt your files.

When it has finished decrypting your files, the screen will appear as below.

Decryption Finished
Decryption Finished

Now that your files are decrypted, I suggest that you run an antivirus or anti-malware program to scan your computer for infections.

Is this ransomware just a game for the devs?

After MalwareHunterTeam analyzed further variants of the Jigsaw Ransomware, he brought up an interesting point. Do "They even care about the money or just want to play with people?"  When analyzing the variants, it has been shown that they are coded to only execute after a certain date. For example, the Portuguese variant is hard coded to only run after April 6th 2016, while another was set to go off on March 23, 2016.

There is also a wide range of ransom prices being offered, with prices ranging from $20 to 200 USD.  Are these people motivated by money or is this just one big game to them?

Jigsaw Ransomware Technical Details

When the Jigsaw ransomware is launched it will scan your drives for certain file extension, encrypt them using AES encryption, and append a .FUN, .KKK,  .GWS, or, .BTC extension to the filename depending on the version. The files targeted by the Jigsaw ransomware are:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp , .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR  , .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby  , .1pa, .Qpd, .Txt, .Set, .Iif  , .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, , .Drw, .Dwg.Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar

When encrypting a file it will add the filename to a list of encrypted files located at %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. It will also assign a bitcoin address and save it in the %UserProfile%\AppData\Roaming\System32Work\Address.txt file.

Finally, Jigsaw will set an autorun that starts ransomware each time you login to Windows. Unfortunately, each time the ransomware starts, it will also delete 1,000 of the encrypted files.

Ransom Note
Ransom Note

In the ransom note there is a 60 minute timer that counts down to 0. When it reaches 0 it will delete a certain amount of files depending on how many times the counter has reset. Each time it resets, a counter will increase, which will cause more files to be deleted on the next reset.

The text of the ransom notes we have seen are listed below.  A big thanks to MalwareHunterTeam for keeping track of these.

Your computer files have been encrypted. Your photos, videos, documents, etc....
But, don't worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.
If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payment your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypted files will be returned to normal.
       Thank you

and

I want to play a game with you. Let me explain the rules:
All your files are being deleted. Your photos, videos, documents, etc...
But, don't worry! It will only happen if you don't comply.
However I've already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently,
therefore I won't be able to access them, either.
Are you familiar with the concept of exponential growth? Let me help you out.
It starts out slowly then increases rapidly.
During the first 24 hour you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.
If you turn off your computer or try to close me, when I start next time
you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that
is capable to decrypt your personal data for you.
       Now, let's start and enjoy our little game together!  

and one in  Portuguese:

Eu quero jogar um jogo. Deixe-me explicar as regras:
Todos os seus arquivos serao deletados. Fotos, vídeos, documentos, etc.
Mas nao se preocupe! Só vai acontecer se voce nao cooperar.
Porém, eu já encriptei seus arquivos, entao voce nao consegue mais acessá-los.
A cada hora eu seleciono algum deles para ser excluído permanentemente,
Voce conhece o conceito de crescimento exponencial? Funciona assim:
Começa devagar e acelera depressa
Nas primeiras 24h voce só perderá alguns arquivos
No segundo dia, algumas centenas, no teceiro, milhares, e assim vai
Se voce desligar seu computador ou tentar me fechar
1.000 (MIL) arquivos serao deletados como puniçao
E voce vai querer que eu continue aqui, 
já que sou o único que pode devolver seus arquivos
             Agora, vamos jogar!
Envie 50 dólares (aproximadamente R$200) em bitcoins para o endereço abaixo 
(Se voce nao sabe comprar e enviar bitcoins, procure no Google. É fácil)
 

When a victim sends a ransom payment, they can click on the check payment button. When this button is clicked, the ransomware queries the http://btc.blockr.io/ site to see if a payment has been made to the assigned bitcoin address. If the amount of bitcoins in the assigned address is greater than the payment amount, then it will automatically decrypt the files.


Update (4/12/16): Included the .KKK and .BTC extension for other variants that were discovered.
Update (4/13/16): Included the new .GWS extension, how some variants are set to start at certain times, varying prices, and the new ransom note texts.


Files associated with the Jigsaw Ransomware

%UserProfile%\AppData\Roaming\Frfx\
%UserProfile%\AppData\Roaming\Frfx\firefox.exe
%UserProfile%\AppData\Local\Drpbx\
%UserProfile%\AppData\Local\Drpbx\drpbx.exe
%UserProfile%\AppData\Roaming\System32Work\
%UserProfile%\AppData\Roaming\System32Work\Address.txt
%UserProfile%\AppData\Roaming\System32Work\dr
%UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt

Registry entries associated with the Jigsaw Ransomware

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe	%UserProfile%\AppData\Roaming\Frfx\firefox.exe

 

Related Articles:

The Week in Ransomware - March 2nd 2018 - GandCrab Decrypted, RaaS, and More

The Week in Ransomware - April 20th 2018 - Reveton Charges, GandCrab, and More

The Week in Ransomware - April 6th 2018 - Office 365 File Restore & Decryptors

LockCrypt Ransomware Cracked Due to Bad Crypto

Decrypters for Some Versions of Magniber Ransomware Released