Jigsaw Ransomware

“Jigsaw” does not only encrypt your files: it deletes them

Ransomware “Jigsaw”, named after the movie character shown in the ransom note, just wants to play! As usual, the ransomware plays with the user's data; the stake is 0.4 Bitcoin or about 150 USD. When it comes to the rules of the game, “Jigsaw” is setting new standards.

Starting with the good news: the files encrypted by “Jigsaw” can be decrypted for free, so it is not necessary to pay the ransom. But it is definitely necessary to react quickly: “Jigsaw” does not only encrypt your data, it threatens to delete files irrecoverably unless the ransom is paid fast enough. Every hour files are deleted, starting with one and then increasing in number, and after 72 hours everything that is left. By the way, rebooting the computer (or restarting the program) will cost you 1,000 files, so you had better not play with that.

Stop the game: decrypt data and remove malware

Together with analysts of MalwareHunterTeam and DemonSlay335, a JigSaw Decryptor (Download) has been developed. But first, the processes firefox.exe and drpbx.exe must be terminated to prevent or stop the deletion of files (deleted files really cannot be restored). Then use MSConfig to disable the startup entry firefox.exe that points to the %UserProfile%\AppData\Roaming\Frfx\firefox.exe executable, so the program cannot restart. Only then run the decryptor.
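The containment steps above as a PowerShell script. This is an added example, not IKARUS tooling and not part of the decryptor. It assumes that the startup entry MSConfig shows is either a value in a Run registry key or a shortcut in a Startup folder, and that it points at %UserProfile%\AppData\Roaming\Frfx\firefox.exe as described above; both locations are checked. Run it from an elevated PowerShell and do not reboot before it has completed.

```powershell
# Added example (not IKARUS code): contain Jigsaw before running the decryptor.
# Assumptions: the autostart entry is a Run-key value or a Startup-folder
# shortcut, and it points at %UserProfile%\AppData\Roaming\Frfx\firefox.exe.

$MalwareExe = Join-Path $env:APPDATA 'Frfx\firefox.exe'   # = %UserProfile%\AppData\Roaming\Frfx\firefox.exe

# 1. Terminate the ransomware processes. firefox.exe is only killed when it
#    runs from the malware path, so a legitimate Firefox window survives;
#    drpbx.exe is not a legitimate Windows (or Dropbox) binary name and is
#    killed unconditionally.
Get-Process -Name 'firefox' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -eq $MalwareExe } |
    ForEach-Object { Write-Host "Stopping firefox.exe PID $($_.Id) ($($_.Path))"; Stop-Process -Id $_.Id -Force }
Get-Process -Name 'drpbx' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Stopping drpbx.exe PID $($_.Id) ($($_.Path))"; Stop-Process -Id $_.Id -Force }

# 2. Remove autostart values that reference the malware path from the
#    per-user and machine-wide Run keys (the entries MSConfig's Startup tab
#    lists on Windows 7; on Windows 8+ they appear in Task Manager > Startup).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -like '*\Frfx\firefox.exe*') {
            Write-Host "Removing autostart value '$($prop.Name)' from $key ($($prop.Value))"
            Remove-ItemProperty -Path $key -Name $prop.Name
        }
    }
}

# 3. Remove Startup-folder shortcuts (user and all-users) whose target is the malware path.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -like '*\Frfx\firefox.exe') {
            Write-Host "Removing startup shortcut $($_.FullName) ($target)"
            Remove-Item -Path $_.FullName -Force
        }
    }
}

# 4. Neutralise the binary without destroying it (keep the sample for the
#    AV vendor or analysts). Renaming breaks any launcher that was missed.
if (Test-Path $MalwareExe) {
    Rename-Item -Path $MalwareExe -NewName 'firefox.exe.quarantine' -Force
    Write-Host "Quarantined $MalwareExe"
}

# 5. Verify nothing still references the path; the table should be empty.
#    Only after that start the decryptor.
Get-CimInstance Win32_StartupCommand |
    Where-Object { $_.Command -like '*\Frfx\firefox.exe*' } |
    Format-Table Name, Location, Command -AutoSize
```

Step 1 must run before anything else, since every reboot or process restart is what triggers the 1,000-file deletion; steps 2 to 4 only make sure the process cannot come back. The final Win32_StartupCommand query covers Run keys and Startup folders for all users, so an entry under a different profile than the one the script ran in would still show up.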

So far we have no details about how the malware is distributed. SPAM e-mails are a popular and cost-effective way of spreading malicious software. Malicious code no longer arrives only as an obviously suspicious attachment: today even Office documents or PDFs can carry it. The latest ransomware generations are delivered directly as JavaScript code in the e-mail, which is much more difficult to detect. Often such a script only acts as a dropper that installs the actual malware. Therefore, we recommend taking care and being aware of the risks.

Security recommendations:

  • Install and update anti-virus software, SPAM filter, firewall and IPS as often as possible;
  • Configure the SPAM and virus filters so that they block JavaScript content from untrusted sources;
  • Where possible, disable automatic execution of JavaScript (directly in the SPAM filter, on the mail server or in the e-mail client);
  • When in doubt, delete e-mails with links or attachments from unknown senders as well as unexpected e-mails;
  • Keep your operating system, web browsers, Java and Flash updated;
  • Prevent unknown executables from running out of the AppData and Startup directories (e.g. with Software Restriction Policies or AppLocker);
  • Disable macros, or allow only properly signed ones;
  • Inform yourself and your employees about current threats;
  • Keep your backup media disconnected from your PC/network.
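One way to implement the AppData restriction from the list above with AppLocker, added here as an example and not IKARUS' configuration. It assumes an AppLocker-capable Windows edition (Enterprise/Education) and an elevated shell. The rule set denies executables under any user's AppData tree, which is exactly where “Jigsaw” drops its firefox.exe, while allowing the Windows and Program Files trees, and it starts in audit mode so that blocked launches are only logged.

```powershell
# Added example (not IKARUS code): AppLocker executable rules that deny
# anything launched from a user's AppData tree while still allowing Windows
# and Program Files. EnforcementMode starts as AuditOnly: matches are only
# logged (Event ID 8003 in "AppLocker\EXE and DLL"), so legitimate per-user
# software (and installers running from %LOCALAPPDATA%\Temp) can be
# whitelisted before EnforcementMode is switched to "Enabled".
# Assumptions: AppLocker-capable Windows edition, elevated PowerShell.

$deny = [guid]::NewGuid()
$win  = [guid]::NewGuid()
$prog = [guid]::NewGuid()

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$deny" Name="Deny EXE from AppData" Description="Ransomware droppers such as Jigsaw persist here" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$win" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$prog" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'appdata-deny.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# Merge into the local policy (existing rules are kept). AppLocker rules are
# only evaluated while the Application Identity service runs; on current
# Windows 10 builds it is a protected service, so sc.exe is used to enable it.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Show the merged effective policy for review.
Get-AppLockerPolicy -Effective -Xml
```

Deny rules take precedence over Allow rules, and once the Exe collection contains any rule everything not explicitly allowed is blocked, which is why the two Allow rules are included: switching EnforcementMode to Enabled without them would lock users out of every application. Review the audit events for a few weeks, add Allow rules (preferably publisher rules) for legitimate per-user software, and only then enforce. Note that %WINDIR% contains user-writable subdirectories such as %WINDIR%\Temp; a hardened policy adds Deny rules for those as well.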
© 2019 IKARUS Security Software GmbH