EXCLUSIVE: Saw-movie themed ransomware may be stealing data & deleting files from your system

If the user reboots or terminates the ransomware's processes, it will automatically relaunch and delete 1,000 files from the system

At this point, when the hackers are eagerly searching for their next target, a new report revealed that cybersecurity researchers found a way to decrypt the Saw-movie themed ransomware which not only encrypts files, also deletes them on a countdown basis from users system.

The name, Jigsaw, derived from the concept of Saw movie franchise that features victims held hostage, given gruesome escape tools and suffer dire consequences when puzzles are not solved within a time limit. The ransomware, which was created in 2016 mimics this premise.

Jigsaw ransomware
Jigsaw ransomware Emsisoft

The Jigsaw ransomware

The ransomware posed as a Firefox or Dropbox update and the GUI featured the image of the character "Billy the Puppet" from the movie Saw. It encrypts victims' files with AES-128 and appends one of many extensions, including ".fun" and ".game". A fake error message is displayed to mislead the victim to thinking the ransomware did not run.

Michael Gillespie, a researcher at Emsisoft told IBTimes Singapore that this ransomware, Jigsaw is "particularly nasty as it's one of only very types of ransomware to actually delete the data it encrypts. On a positive note, it's rudimentary in design, the deletion process can be halted and the encryption is very easy to break."

How does this ransomware work?

As per the Emsisoft researchers, Jigsaw ransomware is capable of deleting a single file an hour after the data has been encrypted and exponentially increases the number of deleted files every hour thereafter.

After 72 hours, all remaining files are deleted from the victim's system. If the user reboots or terminates the ransomware's processes, it will automatically relaunch and delete 1,000 files "as a punishment," mentioned the cybersecurity researchers.

After the launch of this ransomware, it was sold on a Tor marketplace. However, it has now been open-sourced which has enabled people to create multiple variants that the original tool could not decrypt. As per Emsisoft, the new tool can currently unlock 85 extensions and will be updated as new variants emerge.

Jigsaw decryptor by Emsisoft

As mentioned by the company, users need to run the decryptor while online and the decryption process will start. First, the user should open the Task Manager, then in the Processes tab, the user has to select firefox.exe and drpbx.exe and click "End Task."

Once it is done, the user should open MSConfig and then in the Startup tab, the user has to deselect the startup item firefox.exe that points to %UserProfile%AppDataRoamingFrfxfirefox.exe and click OK. After following all these steps the user can proceed to run the decryptor.

Jigsaw decryptor
Jigsaw decryptor Emsisoft
Related topics : Ransomware Cybersecurity