romanul

Jigsaw Ransomware VIRUS.


A new ransomware has been released that not only encrypts your files, but also deletes them if you take too long to make the ransom payment of $150 USD. The Jigsaw Ransomware, named after the iconic character that appears in the ransom note, will delete files every hour and each time the infection starts until you pay the ransom. At this time it is unknown how this ransomware is distributed.

This is the first time that we have seen these types of threats actually being carried out by a ransomware infection. The good news is that a method has been discovered that allows victims to decrypt their files for free.


[Image: jigsaw-ransomware.gif]


How to decrypt and remove the Jigsaw Ransomware
Thankfully, through the analysis of MalwareHunterTeam, DemonSlay335, and myself it was discovered that it is possible to decrypt this ransomware for free. Using this information, Demonslay335 has released a decryptor that can decrypt files encrypted by the Jigsaw Ransomware. To decrypt your files, the first thing that you should do is terminate the firefox.exe and drpbx.exe processes in Task Manager to prevent any further files from being deleted. You should then run MSConfig and disable the startup entry called firefox.exe that points to the %UserProfile%\AppData\Roaming\Frfx\firefox.exe executable.

Once you have terminated the ransomware and disabled its startup, let's proceed with decrypting the files.  The first step is to download and extract the Jigsaw Decryptor from the following URL:

https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip

Then double-click on the JigSawDecrypter.exe file to launch the program.  When the program launches you will be greeted with a screen similar to the one below.

 

 

Jigsaw Ransomware Technical Details
When the Jigsaw ransomware is launched it will scan your drives for certain file extensions, encrypt them using AES encryption, and append a .FUN, .KKK, .GWS, or .BTC extension to the filename depending on the version. The files targeted by the Jigsaw ransomware are:

 

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR, .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby, .1pa, .Qpd, .Txt, .Set, .Iif, .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, .Drw, .Dwg, .Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar
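The indicators in the removal steps above (the firefox.exe and drpbx.exe processes, the startup entry under %UserProfile%\AppData\Roaming\Frfx) and the appended .FUN/.KKK/.GWS/.BTC extensions from the technical details are enough to write a small responder-side triage script. The following is an added example in Python, not code from the post, the article or the decryptor's author: it inventories encrypted files by their original extension, recovers the pre-infection filename, checks for the persistence path, and flags process entries that match the indicators while leaving a genuine Firefox alone. The (image name, image path) process-entry format and the sample file tree are constructed for the demo; on a real machine you would fill the entries from Task Manager, tasklist or Get-Process.

```python
"""Defensive triage helpers for the Jigsaw indicators given in the post.

Added example (not code from the post or from the decryptor's author).
Assumptions: suffixes, process names and the persistence path come from the
post; the process-entry format and the sample file tree are constructed.
"""
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Extensions Jigsaw appends to encrypted files, by version (from the post).
JIGSAW_SUFFIXES = (".fun", ".kkk", ".gws", ".btc")

# Persistence path named in the post, relative to %UserProfile%.
PERSISTENCE_RELATIVE = Path("AppData") / "Roaming" / "Frfx" / "firefox.exe"


def is_jigsaw_encrypted(name: str) -> bool:
    """A file is treated as encrypted if its name ends in a Jigsaw suffix."""
    return name.lower().endswith(JIGSAW_SUFFIXES)


def original_name(name: str) -> str:
    """Return the filename as it was before Jigsaw appended its suffix."""
    lower = name.lower()
    for suffix in JIGSAW_SUFFIXES:
        if lower.endswith(suffix):
            return name[: -len(suffix)]
    return name


def inventory(root) -> dict:
    """Walk `root`; map each original extension to the encrypted files under it.

    This tells a responder what was hit before the decryptor is run and gives
    a file list to copy aside in case decryption fails.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_jigsaw_encrypted(name):
                ext = Path(original_name(name)).suffix.lower() or "(none)"
                hits.setdefault(ext, []).append(os.path.join(dirpath, name))
    return hits


def suspicious_processes(entries) -> list:
    """Flag (image_name, image_path) pairs that match the post's indicators.

    drpbx.exe is flagged by name; firefox.exe only when it runs from the Frfx
    folder, so a genuine Firefox install is not reported. Paths are parsed as
    Windows paths so the check also works when run from another OS.
    """
    flagged = []
    for image, path in entries:
        lowered = image.lower()
        parts = [p.lower() for p in PureWindowsPath(path).parts]
        if lowered == "drpbx.exe" or (lowered == "firefox.exe" and "frfx" in parts):
            flagged.append((image, path))
    return flagged


def persistence_present(user_profile) -> bool:
    """True if the startup executable from the post exists under the profile."""
    return (Path(user_profile) / PERSISTENCE_RELATIVE).is_file()


def run_demo() -> dict:
    """Build a constructed sample tree in a temp dir and run every check."""
    sample = {  # constructed: three encrypted files, one clean, one persistence hit
        "photo.jpg.fun": b"x", "report.docx.KKK": b"x", "sub/db.sql.gws": b"x",
        "sub/clean.txt": b"x", "AppData/Roaming/Frfx/firefox.exe": b"MZ",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in sample.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        hits = inventory(tmp)
        persisted = persistence_present(tmp)
    procs = [  # constructed process list: one legitimate Firefox, two indicators
        ("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
        ("firefox.exe", r"C:\Users\alice\AppData\Roaming\Frfx\firefox.exe"),
        ("drpbx.exe", r"C:\Users\alice\AppData\Local\Temp\drpbx.exe"),
    ]
    return {
        "by_extension": {ext: len(files) for ext, files in sorted(hits.items())},
        "restored_names": [original_name(Path(n).name) for n in sample
                           if is_jigsaw_encrypted(n)],
        "persistence": persisted,
        "flagged": suspicious_processes(procs),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `inventory()` at a user's profile or a file share to get the count of encrypted files per original type; since the post says files are deleted hourly and on each restart, run it after killing the processes and before any reboot, and copy the listed files aside before trying the decryptor.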


From what I read, every hour it deletes one file from the server, and on every restart it deletes 1000 files.

Edited by romanul

56 minutes ago, Byte-ul said:

I think it's made in .NET :)) (the form's icon looks the same as the default .NET icon)

Fuck them. There are clear signs to believe the virus was made as a joke by some company/security manager just to promote their products.

It's a pretty dumb "malware" and I'm surprised something like this would reach the mass deployment stage.

If they wanted $150 for the files they would have implemented much better security methods and worked more on the code.

Nowadays more and more companies create cryptolockers and then sell or promote their private "decryption" methods.

It's not that hard to make a good crypto-locker, there are tons of code examples.
