Jigsaw (ransomware)

Technical name: BitcoinBlackmailer
Classification: Ransomware
Isolation: 2016
Operating system(s) affected: Windows
File size: 284 KB
Written in: VB.NET

Jigsaw is encrypting ransomware created in 2016. It was initially titled "BitcoinBlackmailer" but later came to be known as "Jigsaw" because it displays an image of Billy the Puppet from the Saw film franchise. [1] The malware encrypts the victim's files and gradually deletes them, demanding a ransom payment to decrypt the files and halt the deletion. [2]


History

Jigsaw was written in April 2016 and released a week after its creation. [1] It was designed to spread through malicious attachments in spam emails. [3] Once a user runs the downloaded program, it encrypts the user's files and the master boot record. [4] A popup featuring Billy the Puppet then displays the ransom demand in the style of Saw's Jigsaw (one version includes the franchise's "I want to play a game" line), asking for Bitcoin in exchange for decrypting the files. [5] If the ransom is not paid within one hour, one file is deleted. [5] For each further hour without payment the number of files deleted grows exponentially, from a few hundred to thousands, until the computer is wiped after 72 hours. [2] Any attempt to reboot the computer or terminate the process results in 1,000 files being deleted. [5] A later version also threatens to dox the victim by publishing their personal information online. [6]

In Task Manager, Jigsaw runs under a process name that impersonates Firefox or Dropbox. [2] Because the malware is a .NET assembly that stores its decryption key as a static value in the binary, the key can be recovered with a hex editor or a .NET decompiler and the files decrypted without paying the ransom. [1]

Reception

The Register wrote that "Using horror movie images and references to cause distress in the victim is a new low." [1] In 2017, Minerva Labs listed it among 60 ransomware families that used evasive tactics during activation. [7]

Related Research Articles

Malware: Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Timeline of computer viruses and worms: Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Ransomware: Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

PGPCoder or GPCode is a trojan that encrypts files on the infected computer and then asks for a ransom in order to release these files, a type of behavior dubbed ransomware or cryptovirology.

Cryptovirology refers to the use of cryptography to devise particularly powerful malware, such as ransomware and asymmetric backdoors. Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. Cryptovirology employs a twist on cryptography, showing that it can also be used offensively. It can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.

TeslaCrypt was a ransomware trojan. It is now defunct, and its master key was released by the developers.

Linux.Encoder is considered to be the first ransomware Trojan targeting computers running Linux. There are additional variants of this Trojan that target other Unix and Unix-like systems. Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.

KeRanger

KeRanger is a ransomware trojan horse targeting computers running macOS. Discovered on March 4, 2016, by Palo Alto Networks, it affected more than 7,000 Mac users.

CryptMix is a type of ransomware which claims that ransom fees will be donated to a children’s charity. The CryptMix threat combines large portions of other open source ransomware code: CryptoWall 3.0, CryptoWall 4.0 and CryptXXX. CryptMix was created by a group calling themselves “The Charity Team.”

TorrentLocker is a ransomware trojan targeting Microsoft Windows. It was first observed in February 2014, with at least five of its major releases made available by December 2014. The malware encrypts the victim's files in a similar manner to CryptoLocker by implementing symmetric block cipher AES where the key is encrypted with an asymmetric cipher.

Locky

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs the victim to download the Tor browser and visit a specific criminal-operated Web site for further information.

Petya and NotPetya: Family of encrypting ransomware discovered in 2016

Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.

Hitler-Ransomware: Form of ransomware

Hitler-Ransomware, or Hitler-Ransonware [sic], is a form of ransomware created in 2016 originating in Germany. It requests payment within one hour; otherwise, it will delete files from the infected computer.

Kirk Ransomware: Ransomware malware, discovered in 2017

Kirk Ransomware, or Kirk, is malware. It encrypts files on an infected computer and demands payment for decryption in the cryptocurrency Monero. The ransomware was first discovered in 2017, by Avast researcher Jakub Kroustek.

Rensenware: Joke ransomware

Rensenware is ransomware that infects Windows computers. It was created as a joke by Kangjun Heo and first appeared in 2017. Rensenware is unusual as an example of ransomware in that it does not request the user pay the creator of the virus to decrypt their files, instead requiring the user to achieve a required number of points in the bullet hell game Touhou Seirensen ~ Undefined Fantastic Object before any decryption can take place. The main window displays Minamitsu Murasa, a character from the game. Heo released a patch that neutralizes Rensenware after accidentally infecting himself with it.

Ryuk (ransomware): Type of ransomware

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.

Thanos is a malicious ransomware. According to the FBI, it was created by Venezuelan-French cardiologist Moises Luis Zagala Gonzalez. The malware first appeared around February 2020, and is written in the programming language C#. It works by fully encrypting the victim's files and asking for a specific sum of money, usually via a cryptocurrency such as Bitcoin. The ransomware is known to be highly advanced, evading antivirus software by rebooting the computer into Safe Mode. It also has a customisable interface where the attacker can modify the ransom message, choose whether the malware will self-delete after attacking, and more. Zagala advertised the ransomware on various darknet marketplaces, where cybercriminals are known to meet. Zagala also created Jigsaw v.2, a successor to the Jigsaw ransomware, which worked similarly to Thanos by encrypting the victim's files and asking for a ransom. This time, however, if the user tried to remove the malware from their computer or tried to reboot it, the software would "punish" the victim by erasing the entire hard drive. Emsisoft released a decryptor for Jigsaw v.2 in 2019.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

BlackCat, also known as ALPHV and Noberus, is a ransomware family written in Rust that made its first appearance in November 2021. By extension, it is also the name of the threat actor that operates it.

References

  1. "Saw-inspired horror slowly deletes your PC's files as you scramble to pay the ransom". The Register. Retrieved 2018-02-20.
  2. Osborne, Charlie (2016-04-22). "Tick, tock: Jigsaw ransomware deletes your files as you wait". ZDNet. Retrieved 2018-02-20.
  3. "Jigsaw ransomware: Saw-inspired malware deletes files bit by bit hourly until you pay". International Business Times. 2016-04-14. Retrieved 2018-02-20.
  4. "Jigsaw ransomware wants to play a game with you". Geek.com. 2016-04-13. Archived from the original on 2018-07-18. Retrieved 2018-02-20.
  5. "Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom". Bleeping Computer. 2016-04-11. Retrieved 2018-02-20.
  6. Goodin, Dan (2016-06-28). "Meet Jigsaw, the ransomware that taunts victims and offers live support". Ars Technica. Retrieved 2018-02-20.
  7. "Minerva Labs Releases Evasive Malware 2017 Year in Review". PR Newswire. 2017-12-07. Retrieved 2018-02-20.