
Jigsaw Ransomware

Posted: April 12, 2016

Threat Metric

Ranking: 6,102
Threat Level: 10/10
Infected PCs: 11,493
First Seen: April 12, 2016
Last Seen: February 26, 2025
OS(es) Affected: Windows


The Jigsaw Ransomware is a file encryptor that encrypts and deletes files until the victim pays a ransom through its included pop-up interface. Due to the availability of free decryptors, no ransom payments should be required for restoring the data that's modified by the Jigsaw Ransomware. However, the Jigsaw Ransomware will continue to delete digital content periodically, although one of its versions doesn't deliver any of the data-locking or erasing features, which makes paying its ransom especially frivolous. Removing the Jigsaw Ransomware with anti-malware tools as soon as possible is essential for accomplishing full data recovery.

The Jigsaw Ransomware: the Trojan Sawing Through Your Files

A favorite tactic among ransom-based threats is to warn that refusing to pay will result in hardware damage, deletion of digital content, or destruction of the key required to access your files. In almost all cases, these threats are bluffs with no corresponding function. However, at least one threat author has seen fit to follow through on his threats dramatically, via the Jigsaw Ransomware. Updated versions of the Jigsaw Ransomware so far seem to disguise themselves as installers or updates for the Chrome Web browser, which could circulate via torrents or compromised websites. Infection vectors especially likely to install the Jigsaw Ransomware and its variants include website-based attacks that use JavaScript, Flash, or similar content platforms to deliver drive-by downloads with automatic installation. Disabling these advanced features while browsing any sites you don't trust implicitly, and running monitoring anti-malware programs able to detect such threats, can prevent your PC from becoming infected. Once your PC is compromised, malware experts recommend using a non-compromised device and booting your PC into Safe Mode, which lets you remove the Jigsaw Ransomware without its pop-up blocking the appropriate security software.

As a form of file encryptor, the Jigsaw Ransomware follows the standards laid out by previous Trojans. The Jigsaw Ransomware scans for files, isolating those in work or entertainment media formats such as GIF, DOC, or WAV. An AES encryption sequence blocks users from opening their files, while the addition of a new extension tag ('.fun') highlights them for identification. Then the Jigsaw Ransomware loads a pop-up that includes a ransom demand and an embedded decryptor UI. After the victim makes a Bitcoin payment of roughly 160 USD to the provided address, the Jigsaw Ransomware is meant to verify the transaction and run the decryption function, returning all data to its previous state. However, the Jigsaw Ransomware currently uses an invalid Bitcoin address, so any attempted ransom transaction fails.

However, the Jigsaw Ransomware also may include an active data-deleting function. This part of the payload operates on an hourly timer, but it also runs automatically whenever the Jigsaw Ransomware starts. Since the Jigsaw Ransomware starts every time the PC's operating system boots up, each restart costs the victim one thousand files' worth of data.

Solving a Threat Puzzle on a Tight Timer

The Jigsaw Ransomware gets its name from the Saw movie-themed imagery in its ransom demand. Like the death traps of that movie series, the Jigsaw Ransomware places its victims on a strict schedule to respond before irreparable damage occurs. However, the Jigsaw Ransomware also has more solutions than its cinematic equivalent. Security researchers already have developed a free decryptor that can restore your content once the Jigsaw Ransomware is shut down and removed.

Because of the Jigsaw Ransomware's timed deletion behavior, malware researchers recommend disabling this threat before taking any other steps. You should terminate all corrupted 'firefox.exe' and 'drpbx.exe' processes through your Task Manager application, which halts the ongoing timer and data deletion process. Then, you can delete the Jigsaw Ransomware with your preferred anti-malware product.

PC users without any interest in going through a potentially lengthy decryption process should, instead, consider alternative forms of data protection, such as remote backups. While the Jigsaw Ransomware is only the first kind of file encryptor with a confirmed ability to follow through on its threats, if its campaign proves profitable, similar threats may follow in its footsteps.


Technical Details

File System Modifications


The following files were created in the system:

File name: file.exe
Size: 55.29 KB (55296 bytes)
MD5: cd38cdcb4beafe23d450ace1d1179d92
Detection count: 36
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: drpbx.exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\local\drpbx
Size: 2.07 MB (2079744 bytes)
MD5: 3cad3391255a1142c5f0724fcf8cca35
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 23, 2018

File name: firefox.exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\frfx
Size: 269.31 KB (269312 bytes)
MD5: 33fcc8abbc885083646a4079903971bb
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 23, 2018


Registry Modifications

The following newly produced Registry value was observed:

Regexp file mask: %LOCALAPPDATA%\Drpbx\drpbx.exe

Additional Information

The following directories were created:

%APPDATA%\System32Work
%APPDATA%\WIND0WS
%APPDATA%\frfx
%LOCALAPPDATA%\Google (x86)
%LOCALAPPDATA%\MICR0SOFT
%appdata%\google (x86)
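As an added example (not code from this page, its vendor, or any decryptor project): a PowerShell triage script that checks a Windows PC for the indicators listed above (the drpbx.exe and firefox.exe timer processes the removal notes say to terminate, the dropped files and their MD5s, the created directories, and the '.fun' extension) and can stop the timer processes. It matches processes by image path so a genuine Firefox is never touched; the HKCU Run key it inspects for the boot-time autorun is an assumption, since the page does not name where the entry lives.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# prompt on the suspect PC. Set $Terminate = $true to also stop the timer processes.
$Terminate = $false

# Dropped executables and their MD5s, from "File System Modifications" above.
$KnownFiles = @{
    "$env:LOCALAPPDATA\drpbx\drpbx.exe" = '3cad3391255a1142c5f0724fcf8cca35'
    "$env:APPDATA\frfx\firefox.exe"     = '33fcc8abbc885083646a4079903971bb'
}
# Directories from "Additional Information" above (note the 0-for-O lookalikes).
$KnownDirs = @("$env:APPDATA\System32Work", "$env:APPDATA\WIND0WS", "$env:APPDATA\frfx",
               "$env:LOCALAPPDATA\Google (x86)", "$env:LOCALAPPDATA\MICR0SOFT",
               "$env:APPDATA\google (x86)")
$DropDirs = @("$env:LOCALAPPDATA\drpbx", "$env:APPDATA\frfx")

# 1. Timer processes: match on the image path, not just the name, so a real
#    Firefox installed under Program Files is left alone.
$suspect = Get-Process -Name 'drpbx', 'firefox' -ErrorAction SilentlyContinue |
    Where-Object { $p = $_.Path; $p -and ($DropDirs | Where-Object { $p -like "$_\*" }) }
foreach ($proc in $suspect) {
    Write-Host "[!] Jigsaw process: $($proc.ProcessName) (PID $($proc.Id)) at $($proc.Path)"
    if ($Terminate) { Stop-Process -Id $proc.Id -Force }
}

# 2. Dropped files: report presence and compare the MD5 with the hash on this page.
foreach ($path in $KnownFiles.Keys) {
    if (Test-Path -LiteralPath $path) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        $state = if ($md5 -eq $KnownFiles[$path]) { 'listed Jigsaw sample' } else { 'unlisted variant' }
        Write-Host "[!] $path present, MD5 $md5 ($state)"
    }
}

# 3. Dropped directories.
foreach ($dir in $KnownDirs) {
    if (Test-Path -LiteralPath $dir -PathType Container) { Write-Host "[!] directory present: $dir" }
}

# 4. Persistence: the page says the Trojan starts with Windows; checking the
#    per-user Run key for it is an assumption about where that entry lives.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Value -is [string] -and $_.Value -match 'drpbx\.exe|frfx\\firefox\.exe' } |
    ForEach-Object { Write-Host "[!] autorun '$($_.Name)' -> $($_.Value)" }

# 5. Scope of encryption: count files carrying the '.fun' extension described above.
$fun = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.fun' -File -ErrorAction SilentlyContinue
Write-Host "[i] $($fun.Count) '.fun' files under $env:USERPROFILE (candidates for the free decryptor)"
```

Stopping the processes first matters because, as the text notes, the hourly timer and each restart delete files; run the anti-malware removal and the decryptor only after step 1 reports nothing.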
