Jigsaw crypto-ransomware deletes more files the longer you delay paying

Malware researchers have released a tool that can decrypt files affected by the new threat

Understanding how to buy bitcoins and pay ransomware authors for decryption keys is hard enough, yet some cybercriminals now expect their victims to do it in under an hour if they want all of their files back.

A new ransomware program dubbed Jigsaw encrypts users' files and then begins to progressively delete them until the victim pays the equivalent of US$150 in Bitcoin cryptocurrency.

The ransomware deletes one file after the first hour has passed and then increases the number of files it deletes in every 60-minutes cycle. If no payment has been made within 72 hours, all remaining files will be deleted.

"Try anything funny and the computer has several safety measures to delete your files," the program's creators warn in their ransom message that's accompanied by a picture of the Jigsaw killer's mask from the horror film series Saw.

That's not an idle threat. According to computer experts from tech support forum BleepingComputer.com, the ransomware program deletes 1,000 files every time the computer or its own process is restarted.

jigsaw ransom note BleepingComputer.com

The ransom note displayed by the Jigsaw ransomware program.

"This is the first time that we have seen these types of threats actually being carried out by a ransomware infection," said BleepingComputer.com founder Lawrence Abrams in a blog post.

The good news, for now, it that malware experts have devised a method to decrypt files affected by Jigsaw without paying the ransom.

The first thing that users affected by this ransomware program should do is to open the Windows Task Manager and terminate all processes named firefox.exe or drpbx.exe that were created by the ransomware, Abrams said. Then they should launch the Windows MSConfig utility and disable the startup entry that points to %UserProfile%\AppData\Roaming\Frfx\firefox.exe.

This will stop the file deletion process and will prevent the malware from restarting when the system boots up.

They can then download the Jigsaw Decrypter utility hosted by BleepingComputer.com and decrypt their files. When that's done it's highly recommended that users download an up-to-date anti-malware program and perform a full scan of their computer to completely remove the ransomware.

In November, another ransomware program dubbed Chimera threatened to leak users' files on the Internet. However, no evidence has been found that the program actually had the capability to do this.

By comparison, Jigsaw does deliver on its threats and marks a worrisome evolution of ransomware threats. While security experts managed to find a method to decrypt files this time, there's no guarantee that they'll be able to do the same for future versions. Ransomware creators are typically quick to fix their errors.

Join the CSO newsletter!

Error: Please check your email address.

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place