ALERT: Jigsaw Sinks to New Low…Even for Ransomware
Being infected by ransomware is bad enough. Now add being taunted with old horror movie imagery while the malware slowly deletes your encrypted files and raises the ransom demand, until you pay for the decryption key. And if you reboot your PC, you’re punished with the instant deletion of 1,000 of your files.
Jigsaw, a new strain of ransomware, tries to increase the pressure on victims to pay by referencing the horror movie “Saw”. In fact, the ransomware is named after the nickname of the film’s fictional serial killer John Kramer, the “Jigsaw Killer”. Still drawing on the movie, the ransomware communicates with victims through a puppet called “Billy” and uses a red clock counting down to the imposed deadlines, both of which the killer uses in the film. In the ransomware’s case, however, the clock shows victims how much time is left before more files are deleted and the ransom demand increases. After 72 hours, the ransomware deletes every encrypted file on the PC.
How the ransomware attack unfolds, as seen on an infected PC. (Source: Forcepoint.)
This latest version, in a long list of versions, “appears to have been coded on March 23 and to have been used in live attacks by the end of the month”, says Andy Settle, head of special investigations at Raytheon’s cybersecurity business Forcepoint. “This malicious program starts encrypting your files while adding, with no irony, the ‘.FUN’ file extension.”
“Using horror movie images and references to cause distress in the victim is a new low.”
Jason Sumalapao, malware analyst at Trend Micro, states in a blog post that the ransom note exists in both English and Portuguese-language versions, and that the lowest amount victims can pay before the demand starts increasing ranges from US$20 to US$150 in bitcoin.
Jigsaw appears to be distributed through adware and “grayware” (potentially unwanted applications, such as free toolbars), as well as through ‘adult content’ sites, Trend Micro reports.
Forcepoint states that the producers of Jigsaw attempted to evade detection by writing the ransomware in .NET. This attempt failed: security researchers have been able to recover the encryption key, as well as 100 different bitcoin payment addresses, and this information has since been shared with authorities. Because the encryption key was recovered, security researchers have been able to publish instructions on how to remove Jigsaw infections. However, it will probably not be long before the Jigsaw producers correct the coding error that led to the discovery of the decryption key.
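As an added example (not code from this article, Forcepoint or Trend Micro), the following Python script turns the one concrete on-disk indicator the article gives, the `.FUN` extension Jigsaw appends, into a simple detection check: it flags directories where many `.FUN` files appeared within a short time window, which is what a mass-encryption run looks like on disk. The paths, timestamps and thresholds are constructed values chosen for illustration.

```python
"""Spot the mass '.FUN' renames Jigsaw leaves behind (added example, not from the article)."""
import os
from collections import defaultdict

JIGSAW_EXT = ".fun"  # extension the article reports Jigsaw appending to encrypted files


def walk_entries(root):
    """Yield (path, mtime) for every regular file under root (live scan helper)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.path.getmtime(full)
            except OSError:
                continue


def find_fun_bursts(entries, window_seconds=300, threshold=10):
    """Group '.FUN' files by directory and flag directories where at least
    `threshold` of them were written within any `window_seconds` span.
    `entries` is an iterable of (path, mtime); returns {directory: burst_size}."""
    by_dir = defaultdict(list)
    for path, mtime in entries:
        if path.lower().endswith(JIGSAW_EXT):
            by_dir[os.path.dirname(path)].append(mtime)
    hits = {}
    for directory, times in by_dir.items():
        times.sort()
        best = 0
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[directory] = best
    return hits


# Constructed sample input (assumed values): 12 files renamed within seconds in one
# folder, one stray .FUN file elsewhere, and an ordinary document that must not trigger.
SAMPLE = [(f"C:/Users/victim/Documents/report{i}.docx.FUN", 1000.0 + i) for i in range(12)]
SAMPLE += [("C:/Users/victim/Music/song.mp3.FUN", 5000.0),
           ("C:/Users/victim/Documents/notes.txt", 1001.0)]

if __name__ == "__main__":
    print(find_fun_bursts(SAMPLE))  # {'C:/Users/victim/Documents': 12}
```

On a real host, replace `SAMPLE` with `walk_entries("C:/Users")` to scan live; a single `.FUN` file is worth a look, but a burst in one folder is the strong signal.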
How to Avoid Jigsaw and Other Ransomware:
- Backups. Backups. Backups. Maintain current and reliable backups of all pertinent files.
- Anti-Malware Software. Regularly run anti-malware software to block known strains of ransomware.
- Update. Update. Update. Keep all hardware, software, and operating systems up to date.
- Educate. Educate. Educate. Keep all employees and coworkers informed about current security threats and what to look for. Check out our ‘Red Flag Emails’ for tips on what to look for in scam emails.
- Install Ad Blockers When Possible. uBlock Origin is a great ad blocker for Chrome and other browsers.
- Block Risky Attachment Extensions in Email. A good spam filter will usually handle this for you.