New Crypto-Ransomware JIGSAW Plays Nasty Games

By Jasen Sumalapao

The evolution of crypto-ransomware in terms of behavior takes a step forward, and a creepy one at that. We have recently encountered a nasty crypto-ransomware variant called JIGSAW. Reminiscent to the horror film Saw, this malware toys with users by locking and deleting their files incrementally. To an extent, it instills fear and pressures users into paying the ransom. It even comes with an image of Saw’s very own Billy the puppet, and the red analog clock to boot.

It’s no longer a surprise that crypto-ransomware is the prevalent threat in today’s computing landscape, given its promise of quick ROI for the cybercriminals behind it. It’s also not surprising that many have joined this bandwagon.  These days, the name of the crypto-ransomware game is to add “unique” features or “creative” ways to instill fear and put more pressure to users to pay up, despite the fact that, when it comes to their technical routines, there’s not much difference among these malware. JIGSAW joins notable families like PETYA and CERBER that have emerged in the past couple of months alone.

Infection and distribution

Based on our analysis, JIGSAW arrives as a file downloaded from a free cloud storage service named 1fichier[.]com. This service has previously hosted other malware like the information stealer FAREIT, as well as COINSTEALER, which gathers bitcoins. We already notified 1ficher about this incident and they already removed the said malicious URLs. It can also be downloaded at hxxp://waldorftrust[.]com,  where JIGSAW is most probably bundled with a cryptominer software.

Mind games

Once the crypto-ransomware is executed, the user is greeted by an image of Billy, and the ransom note.

ringster_fig1Figure 1. JIGSAW showing ransom note and Billy the puppet

The message comes in two languages; English or Portuguese. The note introduces the idea of exponential growth, and applies it on the user’s file and the ransom amount. Recent crypto-ransomware families have ransom amounts that grow as time passes, but not with the same increments as JIGSAW. To make matters worse, it deletes a larger amount of files with every hour while the amount to be paid also increases.

JIGSAW deletes files and increases the ransom amount per hour. And with the exponential increase of files being permanently deleted, users may be pressured into paying the ransom so they may either save the remaining files, or avoid paying a larger ransom. The least amount the user can pay is US$20-150 .

Figure 2. Activated timer pressures users to pay ransom

JIGSAW is the first crypto-ransomware with a routine that creates a copy of all the user’s files, encrypts the copies into .fun files, and deletes the original. Some of its variants, however, changed the file extensions into .KKK, .BTC, and .GWS files. It encrypts the following file types:

Figure 3. File extensions encrypted by JIGSAW


Figure 4. JIGSAW changes file extensions into .BTC


Figure 5. Red highlighted files are deleted while green highlighted files are the encrypted duplicate

The ransom note also states that if the user forcibly reboots their computer, 1,000 files would be deleted and no duplicate copy will be made. When a user attempts to restart the computer, another threat is given. And in 72 hours, if the user fails to pay, all encrypted files will be deleted.


Figure 6. Restart prompt message

As scary as JIGSAW may be, its structure is still very simple. It has no new capabilities or routines as compared to other crypto-ransomware families. But whatever JIGSAW lacks in sophistication, it makes up with its deviousness. The user interface (UI) and scared tactics used are nastier and moves uses into paying the ransom.


Through our analysis, we are also able to identify porn sites as another possible infection vector, apart from PUA/adware. Another version of JIGSAW doesn’t use the Billy image. The alternate version actually shows adult images, with a message that says “YOU ARE A PORN ADDICT.STOP WATCHING SO MUCH PORN. NOW YOU HAVE TO PAY”. The ransom details remain the same as the previous one.  Another variant of JIGSAW shows the stock image of pink flowers.


Figure 7. Alternative background images of JIGSAW

Bigger picture

JIGSAW isn’t the only crypto-ransomware that’s banking on the fear factor. MAKTUBLOCKER, another recent crypto-ransomware, infects users via email through a malicious file. What’s makes the attack effective is that the mail includes the user’s name and mailing address, making it seem legitimate. What is evident is that crypto-ransomware variants are now resorting to more vicious methods of infecting more and more users, and devising new means of forcing victims to pay.


Crypto-ransomware is getting more and more difficult to avoid. That is why users should back up their data regularly and follow the 3-2-1 rule to make sure their data is secure. This also mitigates any damages occurred during the event of a ransomware. Keep in mind that paying ransom is never a guarantee that the attacker would still unlock the encrypted files.

Trend Micro endpoint solutions such as Trend Micro™ Security Trend Micro Smart Protection Suites, and  Trend Micro Worry-Free™ Business Security can protect users from this threat by detecting malicious files, and email messages before their systems get infected. These solutions are also capable of blocking all related malicious URLs that may contain malware. Systems with  Trend Micro™ Smart Protection Suites are also protected  from the this threat via Trend Micro Endpoint Application Control.

Additional insights and analysis by: Mark Manahan and Jamz Yaneza

SHA1s for related files:

  • 0C269C5A641FD479269C2F353841A5BF9910888B – Ransom_JIGSAW.A
  • DC307A673AA5EECB5C1400F1D342E03697564F98 – Ransom_JIGSAW.A
  • CE42E2C694CA4737AE68D3C9E333554C55AFEE27 – Ransom_JIGSAW.A
  • 1AD9F8695C10ADB69BDEBD6BDC39B119707D500E – Ransom_JIGSAW.B
  • CA40233610D40258539DA0212A06AF29B07C13F6 – Ransom_JIGSAW.C
  • F8431CF0A73E4EDE5B4B38185D73D8472CFE2AE7 – Ransom_JIGSAW.C
  • DCE911B1C05DA965C8733935723B88BC29D12756 – Ransom_JIGSAW.D
  • 3F6E3E5126C837F46A18EE988DBF5756C2B856AA – Ransom_JIGSAW.E
  • 92620194A581A91874A5284A775014E0D71A9DB1 – Ransom_JIGSAW.E

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

New Crypto-Ransomware JIGSAW Plays Nasty Games

Read more: New Crypto-Ransomware JIGSAW Plays Nasty Games

Story added 19. April 2016, content source with full text you can find at link above.