Jigsaw Ransomware
Posted: April 12, 2016
Threat Metric
The fields shown on the Threat Meter, where they carry a value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based on the number of confirmed and suspected infections observed per day. A high volume count usually indicates a currently popular threat, though it may or may not have infected a large number of systems in total. A threat with a high detection count could lie dormant and have a low volume count. The criterion for the Volume Count is the daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equal sign, represents the recent movement of a particular threat. An up arrow represents an increase, a down arrow represents a decline and the equal sign represents no change in the threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Metric | Value |
|---|---|
| Ranking | 4,859 |
| Threat Level | 10/10 |
| Infected PCs | 10,968 |
| First Seen | April 12, 2016 |
| Last Seen | October 16, 2023 |
| OS(es) Affected | Windows |
The Jigsaw Ransomware is a file encryptor that encrypts files and then deletes them in batches on a timer until the victim pays a ransom through its built-in pop-up interface. Free decryptors are available, so no ransom payment should be needed to restore the data the Jigsaw Ransomware modifies. However, as long as it is running it keeps deleting files periodically, and one of its versions carries no working encryption or deletion routine at all, which makes paying its ransom pointless. Stopping and removing the Jigsaw Ransomware with anti-malware tools as soon as possible is essential for full data recovery.
The Jigsaw Ransomware: the Trojan Sawing Through Your Files
A favorite tactic among ransomware families is to warn that refusing to pay will cause hardware damage, deletion of data, or destruction of the key needed to access your files. In almost all cases these warnings are bluffs with no corresponding function in the code. At least one threat author, however, has seen fit to follow through on his threats dramatically, via the Jigsaw Ransomware. Updated versions of the Jigsaw Ransomware so far appear to disguise themselves as installers or updates for the Chrome Web browser, which could circulate via torrents or compromised websites. Other likely installation routes for the Jigsaw Ransomware and its variants are website-based attacks that use JavaScript, Flash, or similar content platforms to deliver drive-by downloads that install automatically. Disabling these features while browsing any site you don't trust implicitly, and running anti-malware software that monitors for such threats, can keep your PC from being infected. Once a PC is compromised, malware experts recommend using a non-compromised device to look up instructions and obtain tools, then booting the infected PC into Safe Mode, which helps you remove the Jigsaw Ransomware without its pop-up blocking the appropriate security software.
As a file encryptor, the Jigsaw Ransomware follows the pattern set by earlier Trojans. It scans for files and selects those in common work and entertainment media formats such as GIF, DOC, or WAV. An AES encryption routine renders the files unreadable, and a new extension ('.fun') is appended to mark them. The Jigsaw Ransomware then loads a pop-up containing the ransom demand and an embedded decryptor UI. After the victim sends a Bitcoin payment of roughly 160 USD to the provided address, the Jigsaw Ransomware verifies the transaction and runs its decryption function, returning the data to its previous state. At the time of writing, however, the Jigsaw Ransomware uses an invalid Bitcoin address, so any attempted ransom transaction fails.
The Jigsaw Ransomware also may include an active data-deleting function. This part of the payload runs on an hourly timer but also fires whenever the Jigsaw Ransomware starts. Because it is configured to start every time the operating system boots, each restart costs the victim a further one thousand files.
Solving a Threat Puzzle on a Tight Timer
The Jigsaw Ransomware gets its name from the Saw movie-themed imagery in its ransom demand. Like the death traps of that movie series, the Jigsaw Ransomware puts its victims on a strict schedule to respond before suffering irreparable damage. Unlike its cinematic namesake, however, this puzzle has a straightforward solution: security researchers already have developed a free decryptor that can restore your content once the Jigsaw Ransomware is shut down and removed.
Because of the Jigsaw Ransomware's timed deletion, malware researchers recommend disabling this threat before taking any other steps. Terminate the threat's 'firefox.exe' and 'drpbx.exe' processes through the Task Manager application, which halts the timer and the deletion routine. Note that 'firefox.exe' here is the threat's own copy, running from the drop folder listed under Technical Details, not the Mozilla Firefox browser, so check the process's image path before ending it. Then delete the Jigsaw Ransomware with your preferred anti-malware product.
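The process-termination step above, as an added example that is not code from the original article or from the threat: it stops 'firefox.exe' and 'drpbx.exe' only when they run from the drop directories the article lists, so a legitimate Mozilla Firefox keeps running, and then looks for the autostart entry that relaunches them. The article does not name the registry value Jigsaw uses for persistence, so the script assumes a per-user or machine Run key and simply reports and removes any value whose command references a drop directory. Save it as a .ps1, run it in the affected user's session from an elevated PowerShell prompt (the drop paths are built from that user's APPDATA variables), and use -WhatIf first to see what it would do.

```powershell
# Added example, not from the original article or the threat's own code:
# stop the Jigsaw Ransomware by image path, then remove its autostart value.
# Usage: .\Stop-Jigsaw.ps1 -WhatIf   (preview)   or   .\Stop-Jigsaw.ps1
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Drop directories from the article's Technical Details. Matching on the
# directory, not just the name, is what keeps a real Firefox browser running.
$jigsawDirs = @(
    (Join-Path $env:APPDATA      'Frfx'),   # ...\AppData\Roaming\Frfx\firefox.exe
    (Join-Path $env:LOCALAPPDATA 'Drpbx')   # ...\AppData\Local\Drpbx\drpbx.exe
)

function Test-JigsawPath {
    param([string]$Path)
    # Get-Process leaves .Path empty for processes this session cannot open
    # (other users' sessions, protected processes); treat those as non-matches
    # rather than killing blind.
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    $dir = Split-Path -Path $Path -Parent
    foreach ($d in $jigsawDirs) {
        if ($dir -ieq $d) { return $true }
    }
    return $false
}

function Get-JigsawProcess {
    Get-Process -Name 'firefox', 'drpbx' -ErrorAction SilentlyContinue |
        Where-Object { Test-JigsawPath -Path $_.Path }
}

# 1. Stop the timer: with no running copy there are no further deletions.
$hits = @(Get-JigsawProcess)
if ($hits.Count -eq 0) {
    Write-Output 'No firefox.exe or drpbx.exe is running from a Jigsaw drop directory.'
}
foreach ($p in $hits) {
    if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id)) at $($p.Path)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
        Write-Output "Stopped $($p.Name) PID $($p.Id) ($($p.Path))"
    }
}

# 2. Find what relaunches it at logon. Assumption (the article does not name
# the value): a Run key entry whose command references a drop directory.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in $metaProps) { continue }      # provider metadata, not a Run value
        $command = [string]$props.$name
        foreach ($d in $jigsawDirs) {
            if ($command.IndexOf($d, [System.StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
            if ($PSCmdlet.ShouldProcess("$key\$name = $command", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output "Removed autostart value '$name' from $key"
            }
        }
    }
}
```

Stopping the processes comes first and the registry clean-up second because the deletion timer is what costs data; the Run key only matters at the next logon. A Jigsaw variant could use other file names or another persistence mechanism, so a clean result here is not proof that the machine is clean, and the files themselves still need to be removed by an anti-malware product as the article advises.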
PC users who would rather avoid a potentially lengthy decryption process should instead rely on other forms of data protection, such as remote backups. While the Jigsaw Ransomware is the first file encryptor with a confirmed ability to follow through on its threats, if its campaign proves profitable, similar threats may follow in its footsteps.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created on the system. All are executable files (MIME type unknown/exe) in the group "Malware file":

| File name | Path | Size | MD5 | Detection count | Last Updated |
|---|---|---|---|---|---|
| file.exe | not listed | 163.84 KB (163,840 bytes) | 163811311d2ed56d0ac56cb1ad158a26 | 74 | August 1, 2017 |
| file.exe | not listed | 252.42 KB (252,421 bytes) | e62917bbe39c6363005881fa8f9c4af8 | 50 | March 16, 2017 |
| file.exe | not listed | 55.29 KB (55,296 bytes) | cd38cdcb4beafe23d450ace1d1179d92 | 36 | not listed |
| drpbx.exe | %SYSTEMDRIVE%\Users\<username>\appdata\local\drpbx | 2.07 MB (2,079,744 bytes) | 3cad3391255a1142c5f0724fcf8cca35 | 5 | November 23, 2018 |
| firefox.exe | %SYSTEMDRIVE%\Users\<username>\appdata\roaming\frfx | 272.38 KB (272,384 bytes) | 6c92e26b1c25a7a453fe61ca9c0d07f1 | 5 | November 23, 2018 |
| firefox.exe | %SYSTEMDRIVE%\Users\<username>\appdata\roaming\frfx | 269.31 KB (269,312 bytes) | 33fcc8abbc885083646a4079903971bb | 5 | November 23, 2018 |
Registry Modifications
Regexp file mask: %LOCALAPPDATA%\Drpbx\drpbx.exe
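A read-only sweep that turns the indicators above into a check, as an added example that is not code from the original article or from the threat: for every local user profile it looks for the two drop paths, hashes anything found with MD5 and compares it against the hashes listed in the table, and counts files carrying the '.fun' extension described earlier so that recovery can be scoped before the decryptor is run. The profile root defaults to the live system's Users folder; pass -ProfileRoot to point it at a mounted disk image instead. Run it from an elevated PowerShell prompt so that other users' profiles are readable.

```powershell
# Added example, not from the original article or the threat's own code:
# sweep user profiles for Jigsaw drop files (by path and MD5) and count
# '.fun' files per profile. Read-only; nothing is stopped, deleted or changed.

# MD5s from the article's file table. Get-FileHash returns uppercase hex,
# so the keys are uppercase too.
$knownMd5 = @{
    '3CAD3391255A1142C5F0724FCF8CCA35' = 'drpbx.exe'
    '6C92E26B1C25A7A453FE61CA9C0D07F1' = 'firefox.exe'
    '33FCC8ABBC885083646A4079903971BB' = 'firefox.exe'
    '163811311D2ED56D0AC56CB1AD158A26' = 'file.exe'
    'E62917BBE39C6363005881FA8F9C4AF8' = 'file.exe'
    'CD38CDCB4BEAFE23D450ACE1D1179D92' = 'file.exe'
}

# Drop locations relative to a profile root (article's Technical Details).
$dropRelativePaths = @(
    'AppData\Roaming\Frfx\firefox.exe',
    'AppData\Local\Drpbx\drpbx.exe'
)

function Get-JigsawIndicator {
    param(
        # Folder holding the user profiles; e.g. 'E:\Users' for a mounted image.
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )
    foreach ($profile in Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($rel in $dropRelativePaths) {
            $full = Join-Path $profile.FullName $rel
            if (-not (Test-Path -LiteralPath $full -PathType Leaf)) { continue }
            $md5 = (Get-FileHash -LiteralPath $full -Algorithm MD5).Hash
            [pscustomobject]@{
                Kind    = 'DroppedBinary'
                Profile = $profile.Name
                Path    = $full
                Count   = 1
                MD5     = $md5
                # $false means a build the article does not list; a binary at
                # this path is still suspicious, so it is reported, not skipped.
                Known   = $knownMd5.ContainsKey($md5)
            }
        }
        # Inventory encrypted files without opening them. Other Jigsaw builds
        # use other extensions, and a legitimate '.fun' file would be counted
        # too, so this is a scoping aid, not a verdict.
        $fun = @(Get-ChildItem -LiteralPath $profile.FullName -Recurse -File -Force `
                    -Filter '*.fun' -ErrorAction SilentlyContinue)
        if ($fun.Count -gt 0) {
            [pscustomobject]@{
                Kind    = 'EncryptedFiles'
                Profile = $profile.Name
                Path    = $profile.FullName
                Count   = $fun.Count
                MD5     = $null
                Known   = $null
            }
        }
    }
}

Get-JigsawIndicator | Format-Table -AutoSize
```

The hash match is deliberately the weaker of the two signals: the article's six MD5s cover only the builds it has seen, so a binary sitting at one of the drop paths is reported whether or not its hash is known, and only the Known column tells the two cases apart. The '.fun' count is there to size the recovery job and to confirm that deletion has stopped (run it twice a few minutes apart; a falling count means a copy is still running).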