A series of ransomware attacks hit computer systems in 2016. Jigsaw Ransomware was first identified on 11 April 2016 and was found to target Windows systems almost exclusively. Its ransom note also gave an onWebChat address through which the operators could walk victims through paying in bitcoin. onWebChat is a publicly available third-party service and the sessions were encrypted with SSL/TLS, so identifying the people on the other end of the chat from the traffic alone was difficult. Jigsaw now appears to be back, after the same prize, your bitcoin, but with new tactics for getting it.
The original BitcoinBlackmailer ransomware was built in 2016 and distributed mainly as email attachments. Once the attachment was opened, the ransomware took control of the host, encrypted its files and interfered with the options to boot or restore the system. Shortly afterwards a pop-up took over the screen, featuring Billy the Puppet from the Saw films (hence the renaming to Jigsaw Ransomware), together with a countdown timer, deadlines and instructions for the victim. If the ransom was not paid within the first hour, a single file was deleted; after the next hour a larger batch was deleted, and the batch grew every hour until the whole system was wiped after 72 hours. Any attempt to reboot or restore the machine cost the victim a further 1000 files, after which the ransomware came back active and resumed its hourly deletions. A later, enhanced version could also identify private material the victim would not want made public and threaten to release it if the ransom was not paid: nude or otherwise compromising photos, private videos and much more, with the victim facing being doxed online. Paying the ransom was presented as the only way to prevent the leak and the only way to decrypt and recover the remaining files.
According to a security report published by Symantec, the ransomware was found to create the folder "%AppData%\System32Work\dr" and then the files "%AppData%\Frfx\firefox.exe", "%AppData%\Drpbx\drpbx.exe", "%AppData%\System32Work\EncryptedFileList.txt" and "%AppData%\System32Work\Address.txt". To make sure it resumed every time the computer was restarted, unless the infection was removed, it created the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"firefox.exe" = "%AppData%\Frfx\firefox.exe", so that the dropped binary masquerading as Firefox ran at every logon. The ransomware was found to encrypt files with 122 different extensions and to append ".fun" to their names. Removal and mitigation guides published by antivirus and security companies urged users to keep their security definitions and practices up to date well before risking infection.
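A small hunt for the artifacts the Symantec report lists, as an added example that is not part of the original article or of Symantec's report. The dropped-file paths, the Run value name and the ".fun" extension come from the report; the `HostSnapshot` structure, `hunt()`, `snapshot_windows()` and the two sample hosts are this example's own assumptions. The detection logic runs anywhere on a collected snapshot; only the collector needs Windows.

```python
# Added example, not from the article or the Symantec report: a small hunt for the
# Jigsaw artifacts listed above. The dropped-file paths, the Run value name and the
# ".fun" extension come from the report; HostSnapshot, hunt(), snapshot_windows() and
# the two sample hosts are this example's own assumptions.
import ntpath
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Indicators from the report, relative to %AppData%.
DROPPED_FILES = (
    r"Frfx\firefox.exe",
    r"Drpbx\drpbx.exe",
    r"System32Work\EncryptedFileList.txt",
    r"System32Work\Address.txt",
)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "firefox.exe"
ENCRYPTED_EXT = ".fun"


@dataclass
class HostSnapshot:
    """The minimum a hunt needs: %AppData%, the files present, the user's Run values."""
    appdata: str
    files: Set[str] = field(default_factory=set)              # full paths on disk
    run_values: Dict[str, str] = field(default_factory=dict)  # Run value name -> command


def hunt(snap: HostSnapshot) -> List[Tuple[str, str]]:
    """Return (kind, detail) pairs for every Jigsaw indicator found in the snapshot."""
    hits: List[Tuple[str, str]] = []
    present = {f.lower() for f in snap.files}

    # 1. Dropped binaries and bookkeeping files under %AppData%.
    for rel in DROPPED_FILES:
        full = ntpath.join(snap.appdata, rel)
        if full.lower() in present:
            hits.append(("file", full))

    # 2. Persistence: a Run value named firefox.exe whose command points into
    #    %AppData%\Frfx. Real Firefox lives under Program Files, so match on the
    #    path, not the name; the name is the disguise.
    cmd = snap.run_values.get(RUN_VALUE_NAME, "")
    if "\\frfx\\firefox.exe" in cmd.lower():
        hits.append(("persistence", f"{RUN_KEY}\\{RUN_VALUE_NAME} = {cmd}"))

    # 3. Files already encrypted: the report says the ransomware appends ".fun".
    encrypted = [f for f in snap.files if f.lower().endswith(ENCRYPTED_EXT)]
    if encrypted:
        hits.append(("encrypted", f"{len(encrypted)} files ending in {ENCRYPTED_EXT}"))
    return hits


def snapshot_windows(scan_root: Optional[str] = None) -> HostSnapshot:
    """Collect a HostSnapshot from the live machine; Windows only (needs winreg)."""
    import winreg  # ImportError elsewhere; hunt() itself has no Windows dependency
    appdata = os.environ["APPDATA"]
    snap = HostSnapshot(appdata=appdata)
    for rel in DROPPED_FILES:
        full = ntpath.join(appdata, rel)
        if os.path.exists(full):
            snap.files.add(full)
    for dirpath, _, names in os.walk(scan_root or os.environ["USERPROFILE"]):
        snap.files.update(ntpath.join(dirpath, n) for n in names
                          if n.lower().endswith(ENCRYPTED_EXT))
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        try:
            snap.run_values[RUN_VALUE_NAME] = winreg.QueryValueEx(key, RUN_VALUE_NAME)[0]
        except FileNotFoundError:
            pass
    return snap


# Constructed sample hosts (not real telemetry): one infected profile, one clean one.
SAMPLE_INFECTED = HostSnapshot(
    appdata=r"C:\Users\alice\AppData\Roaming",
    files={
        r"C:\Users\alice\AppData\Roaming\Frfx\firefox.exe",
        r"C:\Users\alice\AppData\Roaming\Drpbx\drpbx.exe",
        r"C:\Users\alice\AppData\Roaming\System32Work\EncryptedFileList.txt",
        r"C:\Users\alice\Documents\budget.xlsx.fun",
        r"C:\Users\alice\Pictures\holiday.jpg.fun",
    },
    run_values={RUN_VALUE_NAME: r"C:\Users\alice\AppData\Roaming\Frfx\firefox.exe"},
)
SAMPLE_CLEAN = HostSnapshot(
    appdata=r"C:\Users\bob\AppData\Roaming",
    files={r"C:\Users\bob\Documents\notes.txt"},
    run_values={"OneDrive": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
)

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_INFECTED):
        print(f"[{kind}] {detail}")
    if os.name == "nt":
        print(hunt(snapshot_windows()) or "live host: no Jigsaw indicators")
```

If the hunt fires on a live host, terminate the firefox.exe and drpbx.exe processes running from %AppData% before deleting the Run value or rebooting: the article notes that restarting with the ransomware still active cost the victim another 1000 files.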
The repurposed Jigsaw that has now surfaced is far harder to notice. Instead of encrypting files, it works in the background to redirect the user's bitcoin transfers to the attackers' wallets, substituting attacker-controlled lookalike addresses for the one the user intends to pay, so that the victim believes the transfer is going to its intended recipient. Fortinet reports that 8.4 bitcoin, about USD 61,000 at the time, has been stolen this way. Despite that success, the code is taken from open-source repositories and is far less polished than the 2016 original, which leads researchers to believe that the two campaigns are not linked and that the newer one is a copycat built on the same basic idea of cryptocurrency theft.
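Why a lookalike address survives a glance, and the check that catches it, as an added example that is not part of the original article or of Fortinet's report. Base58Check is the real format of legacy Bitcoin addresses; the "victim" and "attacker" key material, the lookalike search and the function names are this example's own constructions. It goes a little beyond the article by showing how cheaply an address matching the first and last characters of a target can be found.

```python
# Added example, not from the article or Fortinet's report: why a lookalike bitcoin
# address survives a glance, and the check that catches it. Base58Check is the real
# format of legacy Bitcoin addresses; the "victim" and "attacker" key material, the
# lookalike search and the function names are this example's own constructions.
import hashlib

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(ALPHABET[r])
    pad = len(raw) - len(raw.lstrip(b"\0"))   # each leading zero byte becomes a '1'
    return (ALPHABET[:1] * pad + out[::-1]).decode()


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s.encode():
        n = n * 58 + ALPHABET.index(ch)       # ValueError for 0, O, I, l or anything else
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\0" * pad + body


def p2pkh_address(hash160: bytes, version: int = 0x00) -> str:
    """Base58Check: version || hash160 || first 4 bytes of sha256d(version || hash160)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + _sha256d(payload)[:4])


def is_valid_address(addr: str) -> bool:
    """True only if the string decodes to 25 bytes whose checksum matches."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and _sha256d(raw[:-4])[:4] == raw[-4:]


def find_lookalike(target: str, head: int = 2, tail: int = 1, max_tries: int = 2_000_000) -> str:
    """Search attacker-controlled addresses until one shares the target's first `head`
    and last `tail` characters. Every extra matched character multiplies the work by
    about 58, so a few characters at each end are cheap, and that is all a glance checks."""
    for i in range(max_tries):
        # Stand-in for hashing a freshly generated attacker key: 20 deterministic bytes.
        hash160 = hashlib.sha256(b"attacker-key-%d" % i).digest()[:20]
        cand = p2pkh_address(hash160)
        if cand != target and cand[:head] == target[:head] and cand[-tail:] == target[-tail:]:
            return cand
    raise RuntimeError("no lookalike within max_tries")


def glance_check(intended: str, pasted: str, head: int = 2, tail: int = 1) -> bool:
    """What a hurried user does: eyeball the first and last characters."""
    return intended[:head] == pasted[:head] and intended[-tail:] == pasted[-tail:]


def strict_check(intended: str, pasted: str) -> bool:
    """What the wallet or payment script should do: exact match plus a valid checksum."""
    return intended == pasted and is_valid_address(pasted)


# Constructed victim address (a well-formed P2PKH address derived from made-up key
# material) and the lookalike an attacker would substitute for it.
INTENDED = p2pkh_address(hashlib.sha256(b"victim-key").digest()[:20])
LOOKALIKE = find_lookalike(INTENDED)

if __name__ == "__main__":
    print("intended :", INTENDED)
    print("lookalike:", LOOKALIKE)
    print("glance passes:", glance_check(INTENDED, LOOKALIKE))   # True
    print("strict passes:", strict_check(INTENDED, LOOKALIKE))   # False
```

The point of the search is that matching two characters at the front and one at the back takes a few thousand candidates, which is nothing for an attacker; a wallet or payment script should therefore compare the full address string against the one the user intended, and validate its checksum, rather than rely on the user's eye.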