romanul Posted April 15, 2016

A new ransomware has been released that not only encrypts your files, but also deletes them if you take too long to make the ransom payment of $150 USD. The Jigsaw Ransomware, named after the iconic character that appears in the ransom note, will delete files every hour and each time the infection starts until you pay the ransom. At this time it is unknown how this ransomware is distributed. This is the first time that we have seen these types of threats actually being carried out by a ransomware infection. The good news is that a method has been discovered that allows victims to decrypt their files for free.

How to decrypt and remove the Jigsaw Ransomware

Thankfully, through the analysis of MalwareHunterTeam, DemonSlay335, and myself it was discovered that it is possible to decrypt this ransomware for free. Using this information, Demonslay335 has released a decryptor that can decrypt files encrypted by the Jigsaw Ransomware.

To decrypt your files, the first thing that you should do is terminate the firefox.exe and drpbx.exe processes in Task Manager to prevent any further files from being deleted. You should then run MSConfig and disable the startup entry called firefox.exe that points to the %UserProfile%\AppData\Roaming\Frfx\firefox.exe executable.

Once you have terminated the ransomware and disabled its startup, let's proceed with decrypting the files. The first step is to download and extract the Jigsaw Decryptor from the following URL: https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip

Then double-click on the JigSawDecrypter.exe file to launch the program. When the program launches you will be greeted with a screen similar to the one below.
Jigsaw Ransomware Technical Details

When the Jigsaw ransomware is launched it will scan your drives for certain file extensions, encrypt them using AES encryption, and append a .FUN, .KKK, .GWS, or .BTC extension to the filename depending on the version. The files targeted by the Jigsaw ransomware are:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR, .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby, .1pa, .Qpd, .Txt, .Set, .Iif, .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, .Drw, .Dwg, .Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar

From what I've read, it deletes one file from the server every hour, and at every restart it deletes 1000 files.
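The manual removal steps above (kill firefox.exe and drpbx.exe, disable the Frfx\firefox.exe startup entry, then inventory what was renamed) as a PowerShell triage script. This is an added example, not code from the article, from BleepingComputer or from Demonslay335's decryptor; it assumes the MSConfig "startup entry" is a value in the standard HKCU/HKLM Run keys (the post does not name the key), and the -Contain switch, scan roots and report format are this example's own choices.

```powershell
# Jigsaw triage: report the indicators named in the post; with -Contain, also stop the
# processes and remove the Run entry. The dropped binary and encrypted files are left
# in place so the decryptor and any incident review still have them.
param(
    [switch]$Contain,
    [string[]]$ScanRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop")
)

$dropperPath = Join-Path $env:APPDATA 'Frfx\firefox.exe'   # %UserProfile%\AppData\Roaming\Frfx\firefox.exe
$encExt      = @('.fun', '.kkk', '.gws', '.btc')            # extensions listed in the post
# Assumption: the MSConfig startup entry lives in one of these Run keys.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')

# 1. Processes. The real Firefox runs from Program Files, so match firefox.exe on its
#    path under Frfx, not on its name alone; drpbx.exe is matched by name as in the post.
$suspect = Get-Process -ErrorAction SilentlyContinue | Where-Object {
    ($_.Name -eq 'firefox' -and $_.Path -and $_.Path -eq $dropperPath) -or
    ($_.Name -eq 'drpbx')
}
foreach ($p in $suspect) {
    Write-Warning "Jigsaw process: $($p.Name) PID $($p.Id) ($($p.Path))"
    if ($Contain) { Stop-Process -Id $p.Id -Force }   # stops the hourly deletion
}

# 2. Startup persistence: any Run value whose data references the dropper path.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $hits  = $props.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*Frfx\firefox.exe*' }
    foreach ($h in $hits) {
        Write-Warning "Run entry '$($h.Name)' in $key -> $($h.Value)"
        if ($Contain) { Remove-ItemProperty -Path $key -Name $h.Name }
    }
}

# 3. Dropped binary on disk: reported, not deleted.
if (Test-Path $dropperPath) { Write-Warning "Dropper present: $dropperPath" }

# 4. Inventory of files carrying a Jigsaw extension, so the victim knows what to decrypt.
$encrypted = Get-ChildItem -Path $ScanRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $encExt -contains $_.Extension.ToLower() }
"{0} file(s) carry a Jigsaw extension" -f @($encrypted).Count
$encrypted | Select-Object FullName, Length, LastWriteTime
```

Run it without -Contain first to see what it would touch; the HKLM key needs an elevated prompt to modify.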
Byte-ul Posted April 15, 2016

I think it's made in .NET (the form's icon looks the same as the default .NET icon).
yoyois Posted April 15, 2016

56 minutes ago, Byte-ul said:
I think it's made in .NET (the form's icon looks the same as the default .NET icon).

Fuck them. There is clear evidence to believe the virus was made as a joke by some company/security manager just to promote their products. It's a pretty bad "malware" and I'm surprised something like this would reach the mass deployment stage. If they wanted $150 for the files they would have implemented much better security methods and worked more on the code. Nowadays more and more companies create cryptolockers and then sell or promote their private "decryption" methods. It's not that hard to make a good crypto-locker, there are tons of code examples.
ikswaydzii Posted January 31, 2017

On 4/16/2016 at 0:49 AM, romanul said:
Demonslay335

What's the pass?