By Lucas Ashbaugh
Want to play a game? Jigsaw ransomware does, and it’s going to run you $400… or you could just download the free decrypter online. Jigsaw, featuring Billy The Puppet from Saw, was first released in 2016. It not only encrypts the victim’s files but deletes them at a continuously increasing rate until a bitcoin payment can be confirmed against the bitcoin blockchain. Now Jigsaw has been observed again, this time delivered through phishing emails that borrow their pressure tactics from classic scams.
Each email opens with a ploy claiming that the threat actor has somehow compromised the victim’s financial accounts. Having shocked and scared the victim, the email then tries to trick them into clicking a download link disguised as a stolen bank statement. The link is a shortened URL, which helps it evade detection; it redirects the user to the payload server, where the malware is downloaded under the guise of a file named Statement.pdf.msi. Because Windows Explorer hides known file extensions by default, that file appears to the victim as Statement.pdf.
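As an added illustration of the lure described above (example code written for this page, not code from the original post or from Cofense), the following Python triages a link and the filename it serves: it flags URL-shortener hosts, catches the executable-behind-a-document double extension, and shows the name a Windows user would see with known extensions hidden. The shortener host list and the two extension sets are the example’s own assumptions, not indicators from the post.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Extension sets are illustrative, not exhaustive (assumption of this example).
EXECUTABLE_EXTS = {"msi", "exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "ps1", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Explorer hides the last extension of any registered type when "Hide
# extensions for known file types" is on (the Windows default).
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS

# Hostnames of common URL shorteners; a defender would maintain this list
# (assumption of this example, not from the post).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd", "buff.ly"}


def split_extensions(filename: str) -> List[str]:
    """Lower-cased extensions of the last path component, e.g. ['pdf', 'msi']."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def displayed_name(filename: str) -> str:
    """The name Explorer shows with known extensions hidden."""
    exts = split_extensions(filename)
    if exts and exts[-1] in KNOWN_EXTS:
        return filename[: -(len(exts[-1]) + 1)]
    return filename


def is_deceptive_filename(filename: str) -> Tuple[bool, str]:
    """Flag executables, especially ones hiding behind a document extension."""
    exts = split_extensions(filename)
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        return True, (f"executable .{exts[-1]} disguised as .{exts[-2]} "
                      f"(displays as {displayed_name(filename)})")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        return True, f"executable download .{exts[-1]}"
    return False, ""


def is_shortened_url(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def triage_link(url: str, final_filename: Optional[str] = None) -> List[str]:
    """Findings for one lure link. `final_filename` is the name served after
    redirects, if the analyst has already resolved it (for example in a
    sandbox); otherwise the URL's own last path component is checked."""
    findings = []
    if is_shortened_url(url):
        findings.append("shortened URL hides destination host")
    name = final_filename or urlparse(url).path.rsplit("/", 1)[-1]
    flagged, why = is_deceptive_filename(name)
    if flagged:
        findings.append(why)
    return findings


if __name__ == "__main__":
    # Constructed sample: a shortener link that resolves to the post's filename.
    for finding in triage_link("https://bit.ly/abc123", "Statement.pdf.msi"):
        print(finding)
```

The shortened URL is checked separately from the filename because the two are independent signals: a shortener can front a benign document, and a direct link can serve a disguised installer.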
At $400, this rendition of Jigsaw demands more than many of its predecessors, but it is otherwise much the same. As usual, a flashy dialog pops up and slowly types out its demand. It encrypts the victim’s files and then starts deleting them at an increasing pace, as outlined in the ransom note below. This escalation of file deletions is one of the reasons Jigsaw is so dangerous: it heavily pressures victims to pay within a short time frame or suffer ever greater losses.
Once the downloaded file is run, it creates two malicious executables named drpbx.exe and firefox.exe. Despite the different names, the two files are identical. They can be found at:
Along with these executables, Jigsaw creates a new folder under the user’s roaming AppData directory, %AppData%\System32Works, which contains key files:
One of these files keeps a running record of every file encrypted so far.
Another stores the bitcoin address that must receive the payment.
For anyone daring enough to disregard the malware’s threat and turn off their machine, an ominous warning pops up: if the victim power-cycles the machine, Jigsaw automatically deletes 1,000 files.
Jigsaw is well known for appending the .fun extension to the files it encrypts. It has also been reported to use other extensions, such as .kkk and .btc.
Jigsaw supports a variety of languages, selecting one based on the victim machine’s locale setting.
Protecting Yourself and Your Company
User training. Jigsaw still relies on an untrained user clicking the infection URL in the first place. To a trained user, these scam ploys should be glaringly obvious: choppy English and pressure to click a suspicious link. Users trained with tools like Cofense PhishMe™ know to report these emails rather than click.
Indicators of Compromise
File name: Statement.pdf.msi
File size: 1.1 MiB (1,175,552 bytes)
File name: firefox.exe
File size: 282 KiB (289,280 bytes)
File name: drpbx.exe
File size: 282 KiB (289,280 bytes)
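The host artifacts described earlier (two identical executables, the System32Works folder, the .fun/.kkk/.btc extensions) together with the sizes in the indicator list above can be checked on a suspect profile with a short triage script. The following Python is an added example, not code from the original post or from Cofense: it walks a directory standing in for %AppData%, hashes any file named drpbx.exe or firefox.exe so that the "identical despite different names" claim is verified rather than assumed, records the work folder if present, and counts files carrying the encrypted-file extensions. The sample tree it builds is constructed for the demo, with zero-filled stand-ins for the executables; the file names it places inside System32Works are made up, since the post does not give them.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Indicators taken from the post: the two executable names, the work folder,
# the extensions, and the indicator list's size for both executables.
DROPPED_EXECUTABLES = {"drpbx.exe", "firefox.exe"}
DROPPED_EXECUTABLE_SIZE = 289_280
WORK_FOLDER = "System32Works"
ENCRYPTED_EXTS = {".fun", ".kkk", ".btc"}


def sha256_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root):
    """Walk `root` (a directory standing in for %AppData%, or a whole profile)
    and return the Jigsaw indicators found as a dict, so a caller can assert
    on it or write it into a case file."""
    findings = {
        "dropped_executables": [],  # each name hit, with size and hash
        "identical_pairs": [],      # groups of hits sharing one hash
        "work_folder": None,        # path and contents of System32Works
        "encrypted_files": 0,       # files carrying .fun/.kkk/.btc
    }
    by_hash = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() == WORK_FOLDER.lower():
            findings["work_folder"] = {"path": dirpath, "files": sorted(filenames)}
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_EXECUTABLES:
                # A file merely called firefox.exe is a weak signal on its own;
                # the size match and a hash shared with drpbx.exe are stronger.
                size = os.path.getsize(path)
                digest = sha256_file(path)
                findings["dropped_executables"].append({
                    "path": path, "size": size, "sha256": digest,
                    "size_matches_ioc": size == DROPPED_EXECUTABLE_SIZE,
                })
                by_hash[digest].append(path)
            if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTS:
                findings["encrypted_files"] += 1
    for paths in by_hash.values():
        if len(paths) > 1:
            findings["identical_pairs"].append(sorted(paths))
    return findings


def build_sample_tree(root):
    """Constructed demo data, not a real infection: zero-filled stand-ins for
    the two executables, a System32Works folder with made-up file names, and
    two renamed documents beside an untouched one."""
    stand_in = b"\x00" * DROPPED_EXECUTABLE_SIZE
    for sub, name in (("a", "drpbx.exe"), ("b", "firefox.exe")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "wb") as f:
            f.write(stand_in)
    work = os.path.join(root, WORK_FOLDER)
    os.makedirs(work, exist_ok=True)
    for name in ("list.txt", "address.txt"):  # assumed names, not from the post
        with open(os.path.join(work, name), "w") as f:
            f.write("demo\n")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    for name in ("budget.xlsx.fun", "photo.jpg.fun", "untouched.txt"):
        with open(os.path.join(docs, name), "w") as f:
            f.write("demo\n")
    return root


def demo_findings():
    """Build the constructed tree in a temp directory and triage it."""
    return triage(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    result = demo_findings()
    print("dropped executables:", len(result["dropped_executables"]))
    print("identical pairs:", result["identical_pairs"])
    print("work folder:", result["work_folder"])
    print("encrypted files:", result["encrypted_files"])
```

On a live host the script would be pointed at the user’s real %AppData% (or the whole profile, to catch the renamed documents), and the SHA-256 values it records are what you would pivot on afterwards, since the post lists sizes but not hashes.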
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.