New Jigsaw Ransomware Variant Demands US$5,000 in Bitcoins

A new variant of the Jigsaw crypto-ransomware (detected by Trend Micro as RANSOM_JIGSAW.F116FN) with an Anonymous-themed background was found. Unlike the original, which asked for a ransom of around US$150, this variant encrypts data, appends the “.epic” extension, and demands $5,000 in bitcoins in order to decrypt the files. Interestingly, the ransom message also displays a routine that supposedly includes collecting the victim's credentials and email/messenger history, and threatens to send a copy to "all" the victim's contacts, but the capability has not been verified and is most likely part of its scare tactics.

Jigsaw variant ransom note, via BleepingComputer

Another Jigsaw variant was previously seen using live public chat platforms to allow victims to negotiate ransom attempts with the operator. Interestingly, the corresponding cybercriminal does not actually know when the user was infected, as the “timer” is only based on the cookie set on the affected device. If the cookie is deleted, the countdown resets to 24 hours, causing the cybercriminal to rely on the victim’s honesty when it comes to the amount to be paid.

The crypto-ransomware Jigsaw (detected by Trend Micro as RANSOM_JIGSAW.A) was first discovered in April 2016. Themed from the Saw horror movie franchise, Jigsaw plays with users by not only locking their files, but by deleting them incrementally every hour or when the program is restarted—instilling fear and paranoia to scare the victim into paying. Over time, the delay of payment will cause more than one file to be deleted every hour.

Based on further analysis, Jigsaw arrives as a file downloader from “.1fichier[.]com”, a service that had previously hosted other malware like the information stealer FAREIT, as well as COINSTEALER, which gathers bitcoins. As soon as the crypto-ransomware has been executed, an image of Billy (from the movie) is displayed along with the ransom note written in English or Portuguese. The note threatens to increase the ransom fee exponentially over time, besides deleting a larger amount of files permanently every hour of non-payment. The tactic is designed to increase the pressure for users to pay the ransom so they may rescue their remaining files or avoid paying a larger ransom. The least amount the user can pay is $20-$150.

What makes Jigsaw a little bit different from other ransomware is its routine. It creates a copy of the entire user’s files, encrypts them into “.fun”, “.kkk”, “.gws”, and “.btc” files and deletes the original. Though Jigsaw is in fact, scary, its structure remains very simple with no new capabilities and mainly relies on scare tactics to coerce users into paying the ransom.

Through further analysis, some porn sites were also used as infection vectors apart from adware. While the Billy image was not used, a very explicit alternate version of Jigsaw used shame as an extortion tactic as it displays adult images along with a message that says “You are a porn addict. Stop watching so much porn. Now you have to pay”. The ransom details are the same as the previous version with the Billy image.

Ransomware Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by crypto-ransomware such as Jigsaw.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.