Jigsaw ransomware is a type of malware that encrypts files on a user’s computer and demands a ransom payment in order to decrypt them. It has some unique characteristics compared to other ransomware variants.
What is ransomware?
Ransomware is a form of malware that encrypts files on a computer or network, preventing users from accessing them. The attackers demand a ransom payment in cryptocurrency, such as Bitcoin, in exchange for the decryption key to unlock the files. Ransomware has become a lucrative criminal business, with estimates of over $1 billion paid in ransoms annually.
How does Jigsaw ransomware encrypt files?
Like other ransomware, Jigsaw gains access to a computer through various means such as phishing emails, infected websites, or drive-by downloads. Once installed, it encrypts files using AES-128 or AES-256 encryption. AES is a strong, standard cipher, so the encrypted files cannot be read without the decryption key.
Jigsaw recursively encrypts files on local drives as well as removable and network drives mapped to the infected computer. It deletes volume shadow copies on the system, preventing file recovery through Windows restore points. The encryption process is quick, taking around 20 minutes to encrypt all files on a system.
What makes Jigsaw ransomware unique?
Most ransomware variants simply encrypt files and demand payment for decryption. Jigsaw has a few differences:
- It threatens to delete encrypted files if the ransom is not paid quickly.
- It gradually deletes more files the longer the ransom goes unpaid.
- It displays a ransom note with a countdown timer showing time left before next deletion.
- It uses the .fun, .kkk, .btc, .aaa, or .xxx file extension on encrypted files.
- It spreads through infected websites rather than spam campaigns.
How does the file deletion mechanism work?
Once files are encrypted, Jigsaw sets a deadline of between 24 and 96 hours for payment. If the ransom is not paid in time, it starts permanently deleting encrypted files in batches. Typically, it deletes 20 files initially, then 50, 100, and so on.
The ransom note displays a countdown timer showing the victim how long they have left before the next deletion round. As more time passes, Jigsaw deletes larger batches of files. This tactic puts pressure on the victim to pay quickly before losing their files.
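The deletion pattern described above (rounds of roughly 20, then 50, then 100 files, each round larger than the last) is something a defender can look for in file-system telemetry. The following is an added example, not code from the original article: it clusters DELETE events on files carrying the Jigsaw extensions listed on this page into time-ordered batches and flags an escalating series. The "timestamp,action,path" event format and the sample events are constructed for the demonstration; real sources such as Windows object-access auditing or EDR file telemetry need their own parser in place of `parse_event`.

```python
"""Detect Jigsaw-style escalating batch deletions in file-system audit events.

Added example, not code from the original article. Assumes audit events are
available as "timestamp,action,path" lines (a constructed format); real
sources (Windows object-access auditing, EDR file telemetry) need their own
parser in place of parse_event().
"""
from datetime import datetime, timedelta

JIGSAW_EXTENSIONS = (".fun", ".kkk", ".btc", ".aaa", ".xxx")  # extensions the article lists
BATCH_GAP = timedelta(seconds=5)   # deletes closer together than this form one batch
MIN_BATCH = 10                     # ignore smaller clusters (ordinary user clean-up)


def _events(start, count, ext=".fun", action="DELETE"):
    """Constructed sample events, one second apart; not real telemetry."""
    return [f"{(start + timedelta(seconds=i)).isoformat()},{action},"
            f"C:/Users/alice/Documents/file{i}{ext}" for i in range(count)]


T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    _events(T0, 3, ".docx", "CREATE")                          # benign activity
    + _events(T0 + timedelta(hours=1), 20)                      # first round: 20 files
    + _events(T0 + timedelta(hours=1, minutes=30), 1, ".txt")   # one unrelated delete
    + _events(T0 + timedelta(hours=2), 50)                      # second round: 50 files
    + _events(T0 + timedelta(hours=3), 100)                     # third round: 100 files
)


def parse_event(line):
    """Split one constructed event line into (datetime, action, path)."""
    ts, action, path = line.split(",", 2)
    return datetime.fromisoformat(ts), action, path


def jigsaw_delete_batches(lines, gap=BATCH_GAP, min_batch=MIN_BATCH):
    """Cluster DELETE events on Jigsaw-extension files into time-ordered batches."""
    deletes = sorted(
        (ts, path) for ts, action, path in map(parse_event, lines)
        if action == "DELETE" and path.lower().endswith(JIGSAW_EXTENSIONS)
    )
    batches, current, last_ts = [], [], None
    for ts, path in deletes:
        # A pause longer than `gap` between two deletes starts a new batch.
        if last_ts is not None and ts - last_ts > gap:
            batches.append(current)
            current = []
        current.append(path)
        last_ts = ts
    if current:
        batches.append(current)
    return [b for b in batches if len(b) >= min_batch]


def assess(lines):
    """Summarise batch sizes, whether they escalate, and how many files are gone."""
    batches = jigsaw_delete_batches(lines)
    sizes = [len(b) for b in batches]
    escalating = len(sizes) >= 2 and all(b > a for a, b in zip(sizes, sizes[1:]))
    return {"batch_sizes": sizes, "escalating": escalating,
            "files_deleted": sum(sizes)}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

The first batch is the useful alarm: once the detector sees one cluster of deletions confined to these extensions, the host should be isolated before the next, larger round fires. The batch gap and minimum size are tunable; they are chosen here to separate a scripted burst from a user emptying a folder by hand.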
What is the purpose of the file deletion?
The file deletion mechanism seems designed to scare victims into paying the ransom quickly. By gradually deleting more data over time, it instills a sense of urgency in the victim. They may fear losing their most important files if they don’t pay right away.
The creators of Jigsaw ransomware likely believe this tactic will improve the likelihood of timely ransom payments. By threatening permanent data loss, the attackers push victims to take the ransom demands seriously to avoid irrevocable damage.
How much does Jigsaw ransomware charge as a ransom?
Like most ransomware, Jigsaw ransom demands vary but are typically between 0.5 and 2 bitcoins. At current bitcoin prices, this equates to approximately $3,500 to $14,000 or more.
The ransom note provides instructions for purchasing bitcoin and making the payment. Once payment is sent, the attackers are supposed to provide the victim with the decryption key to unlock their files. There is no guarantee, however, that the criminals will honor the agreement.
What techniques are used to spread Jigsaw ransomware?
Most ransomware is spread through massive spam email campaigns or by exploiting software vulnerabilities. Jigsaw appears to be more targeted, with initial infections occurring through compromised websites.
Attacks begin by hacking vulnerable websites and embedding malicious JavaScript or iFrame code on pages. When a visitor goes to the site, this code stealthily downloads and installs Jigsaw on their system without any action required from the user.
From there, Jigsaw can spread across networks through shared folders and drives mapped to the infected computer. However, its primary distribution is through compromised websites rather than indiscriminate email spam campaigns.
Who is behind Jigsaw ransomware attacks?
The original Jigsaw ransomware was distributed by a hacking group known as Janus Cybercrime Solutions between 2016 and 2017. However, in 2021, a new ransomware operation calling itself “Jigsaw v2.0” emerged. This new group seems to reuse code and techniques from the original Jigsaw.
Very little is known about the group behind the new Jigsaw operation. Ransomware developers are difficult to track because they operate anonymously and secretively. They work hard to cover their tracks and conceal their identities and locations.
Why is it named “Jigsaw”?
The Jigsaw name seems to be a reference to the fictional character Jigsaw from the Saw horror film franchise. In the movies, Jigsaw kidnaps victims and places them in brutal traps, forcing them to inflict pain on themselves or others to survive. The traps are designed to teach his victims appreciation for life.
This aligns with the ransomware’s tactic of threatening to delete files one by one to motivate payment. The name may have been chosen to portray the ransomware as a violent, psychologically manipulative threat designed to terrorize victims into appreciating their data more.
Can files be recovered after being deleted by Jigsaw?
Unfortunately, files deleted by Jigsaw ransomware are likely gone for good. The ransomware takes care to perform a secure deletion process rather than simply removing files from the file system.
Secure deletion overwrites files with random data multiple times to prevent forensic recovery. Without paying the ransom for the decryption key, individual files deleted this way are almost certainly irrecoverable.
Mitigation strategies
Since Jigsaw deletes files gradually over time, one mitigation strategy is to immediately isolate the infected computer from networks and drives to prevent further encryption. This limits the amount of data it can encrypt and delete while ransom payment is negotiated.
Using cloud backups or offline external storage can also mitigate damage by ensuring copies of files exist outside the reach of the ransomware. These backups can be used to restore data after removing the infection.
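Putting the extension list from earlier on the page and the backup advice above together, the practical post-incident question is which backed-up files were encrypted, which were deleted by the timer, and which are still intact on the host. The following is an added example, not code from the original article or from any Jigsaw analysis: it hashes an offline backup into a manifest, then classifies every backed-up file on the infected tree. It assumes the backup keeps plaintext copies under the same relative paths as the host and that an encrypted file keeps its original name plus one of the listed extensions; both the directory layout and the sample files in `demo()` are constructed for the demonstration.

```python
"""Post-incident triage: compare an infected tree against an offline backup.

Added example, not code from the original article. Assumptions: the backup
holds plaintext copies under the same relative paths as the infected host, and
Jigsaw-encrypted files keep their original name plus one of the extensions
the article lists (.fun, .kkk, .btc, .aaa, .xxx).
"""
import hashlib
import tempfile
from pathlib import Path

JIGSAW_EXTENSIONS = (".fun", ".kkk", ".btc", ".aaa", ".xxx")


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root):
    """Relative path -> sha256 of the offline (known-good) copy."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def strip_jigsaw_extension(rel_path):
    """Return the original path if `rel_path` carries a Jigsaw extension, else None."""
    lower = rel_path.lower()
    for ext in JIGSAW_EXTENSIONS:
        if lower.endswith(ext):
            return rel_path[: -len(ext)]
    return None


def triage(infected_root, manifest):
    """Classify every backed-up file as intact, encrypted, deleted or modified.

    'encrypted' and 'deleted' files are restorable from the backup once the
    infection has been removed; 'modified' files differ from the backup without
    a Jigsaw extension and need a manual look before either side is overwritten.
    """
    root = Path(infected_root)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    encrypted_originals = {o for o in map(strip_jigsaw_extension, present) if o}
    report = {"intact": [], "encrypted": [], "deleted": [], "modified": []}
    for rel, digest in manifest.items():
        if rel in present:
            state = "intact" if sha256_file(root / rel) == digest else "modified"
        elif rel in encrypted_originals:
            state = "encrypted"
        else:
            state = "deleted"
        report[state].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Build a constructed backup/infected pair in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, infected = Path(tmp, "backup"), Path(tmp, "infected")
        files = {"docs/report.docx": b"quarterly numbers",
                 "docs/notes.txt": b"meeting notes",
                 "photos/cat.jpg": b"\xff\xd8fake-jpeg",
                 "config.ini": b"[app]\nmode=prod\n"}
        for rel, data in files.items():
            for base in (backup, infected):
                Path(base, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(backup, rel).write_bytes(data)
        Path(infected, "docs/report.docx").write_bytes(files["docs/report.docx"])  # untouched
        Path(infected, "docs/notes.txt.fun").write_bytes(b"\x9a\x11junk ciphertext")  # renamed + encrypted
        # photos/cat.jpg is absent on the infected host: deleted by the timer
        Path(infected, "config.ini").write_bytes(b"[app]\nmode=dev\n")  # changed, no Jigsaw extension
        return triage(infected, build_manifest(backup))


if __name__ == "__main__":
    for state, paths in demo().items():
        print(f"{state:>9}: {paths}")
```

Run the triage only after the host has been cleaned or reimaged, as the page advises, and treat the extension match as a heuristic: it identifies what this family is known to do, not every way a file can be damaged, which is why the "modified" bucket exists.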
How can Jigsaw ransomware be prevented and removed?
As with most ransomware, prevention begins with cybersecurity best practices:
- Keep software patched and updated to eliminate vulnerabilities.
- Exercise caution when clicking links or downloading files.
- Use antivirus software and monitor for threats.
- Regularly back up data offline.
- Restrict, monitor, and scan privileged access.
If Jigsaw infects a system, isolating the device can help prevent further damage. Antivirus software may be able to remove the infection, but this relies on having up-to-date threat definitions.
Formatting attached storage drives can help eliminate dormant infections. Jigsaw may also make changes to the system registry and create files posing as Windows components, so fully removing the threat is difficult.
Should ransom payments be made to decrypt files?
Security experts almost universally recommend against paying ransoms. There is no guarantee files will be recovered, and payments incentivize and fund criminal operations. The FBI also discourages ransom payments.
That said, organizations without backups may consider paying the ransom as a last resort to avoid permanent data loss. This should be carefully evaluated against risks and alternatives like rebuilding systems from scratch.
Conclusion
Jigsaw ransomware stands out for its vicious threat of incrementally deleting encrypted files to force prompt payment. Rather than just encrypting data, it can cause permanent damage if the ransom clock runs out. This puts significant pressure on victims who may be forced to consider paying the ransom to avoid irrevocable data loss.
While its distribution method of compromised sites makes it less pervasive than some ransomware strains, Jigsaw’s file deletion tactic allows it to induce a strong sense of urgency in victims. Backups and preparation are crucial to defend against this dangerous threat.