
By Lucas Ashbaugh

Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a payment in bitcoin can be confirmed against the bitcoin blockchain. Now, Jigsaw has been observed again, this time delivered through scam tactics.

The Delivery
Each email starts off with a ploy claiming that the threat actor has somehow compromised the victim’s financial accounts. After shocking and scaring victims, the emails attempt to trick them into clicking a download link disguised as a stolen bank statement. The link is a shortened URL, used to evade detection, that redirects the user to the payload server, where the malware is ultimately downloaded under the guise of a file named Statement.pdf.msi.

The Malware

At $400, this rendition of Jigsaw demands more than many of its predecessors; otherwise it remains similar. As usual, a flashy dialog pops up and slowly types out its demand. It encrypts the victim’s files and then starts deleting them at an increasing pace, as outlined in the ransom note below. This escalation of file deletions is one of the reasons Jigsaw is so dangerous: it heavily pressures victims to pay the ransom within a short time frame or suffer increasing consequences.

Upon execution, the downloaded file creates two malicious executables named drpbx.exe and firefox.exe. Despite the different names, these files are identical. They can be found at:

  • %AppData%\local\Drpbx\drpbx.exe
  • %AppData%\Roaming\Frfx\firefox.exe

Along with these executables, Jigsaw creates a new folder at %AppData%\Roaming\System32Works which contains key files:

  • EncryptedFileList.txt

This document keeps a running record of all the files that have been encrypted so far.

  • Adress.txt

The bitcoin address that must receive payment is stored here.

For anyone daring enough to disregard the malware’s threat and turn off their machine, an ominous warning pops up. If the victim power cycles their machine, Jigsaw will automatically delete 1000 files.

Jigsaw is well known for its usage of the .fun file extension on its encrypted files. It has also been previously reported to use additional file extensions such as .kkk and .btc.

Jigsaw caters to a variety of different languages, selecting its language based on the victim machine’s locale setting.
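A host-side triage check for the artifacts described above (dropped executables, the System32Works work folder, the double-extension lure and the .fun/.kkk/.btc extensions), as an added example that is not part of Cofense’s post. It assumes the caller supplies the AppData root and a user-data directory, and that the Local and Roaming folder names follow the paths given above; the hashes are the ones quoted in the IoC section.

```python
"""Host triage for the Jigsaw artifacts described above (added example, not
from the post).  Assumed: the caller supplies the AppData root and a user-data
directory, and the Local/Roaming folder names follow the paths given above."""
import hashlib
from pathlib import Path

# SHA256 values quoted in the post's IoC section.
JIGSAW_SHA256 = {
    "0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca",  # Statement.pdf.msi
    "1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a",  # drpbx.exe / firefox.exe
}
DROPPED_FILES = ("Local/Drpbx/drpbx.exe", "Roaming/Frfx/firefox.exe")
WORK_DIR_FILES = ("Roaming/System32Works/EncryptedFileList.txt",
                  "Roaming/System32Works/Adress.txt")
ENCRYPTED_EXTS = {".fun", ".kkk", ".btc"}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_jigsaw(appdata: Path, user_files: Path) -> dict:
    """Report which Jigsaw indicators are present on a host."""
    present = [p for p in DROPPED_FILES + WORK_DIR_FILES if (appdata / p).is_file()]
    # The two dropped executables are the same binary under different names.
    hashes = {p: sha256_of(appdata / p) for p in DROPPED_FILES if (appdata / p).is_file()}
    same_binary = len(hashes) == 2 and len(set(hashes.values())) == 1
    hash_hits = [p for p, h in hashes.items() if h in JIGSAW_SHA256]
    # Double-extension lure (Statement.pdf.msi) and the .fun/.kkk/.btc markers
    # Jigsaw appends to encrypted files.
    lures, encrypted = [], 0
    for f in user_files.rglob("*"):
        if not f.is_file():
            continue
        if f.suffix.lower() in ENCRYPTED_EXTS:
            encrypted += 1
        elif f.suffix.lower() == ".msi" and len(f.suffixes) > 1:
            lures.append(str(f.relative_to(user_files)))
    return {"dropped": present, "same_binary": same_binary,
            "hash_hits": hash_hits, "lures": lures, "encrypted_count": encrypted}
```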

Protecting Yourself and Your Company

User training. Jigsaw still relies on an untrained user to click on the infection URL in the first place. For a trained user, these scam ploy tactics should be glaringly obvious: the ploys use choppy English and urge the user to click a suspicious link. Users who are well trained with tools like Cofense PhishMe™ know to report these emails and not click.

Indicators of Compromise

Malicious File

File name: Statement.pdf.msi

MD5: a362de111d5dff6bcdeaf4717af268b6

SHA256: 0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca

File size: 1.1 MiB (1,175,552 bytes)


Malicious File

File name: firefox.exe

MD5: fba7f5f58a53322d0b85cc588cfaacd1

SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

File size: 282 KB (289,280 bytes)


Malicious File

File name: drpbx.exe

MD5: fba7f5f58a53322d0b85cc588cfaacd1

SHA256: 1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

File size: 282 KB (289,280 bytes)
