JIGSAW ransomware defeated once again, decrypt your files for free

Pierluigi Paganini July 12, 2016

If you are one of the victims of the Jigsaw ransomware there is a good news for you, experts from CheckPoint Security have defeated it once again.

Let’s start the day with a  good news, the Jigsaw ransomware has been decrypted again. The JIGSAW ransomware was first spotted in April when experts noticed that the threat slowly deletes victim’s files as he shilly-shally to pay the ransom. Jigsaw threatens to delete thousands of files an hour if the victim doesn’t pay 0.4 Bitcoins or $150, and if the victim restart the PC, 1,000 files will be deleted.

The BitcoinBlackmailer.exe reported that the JIGSAW ransomware will encrypt your files adding ‘.FUN’ extension. The author, in the Saw-movie style, displays the face of the character Billy the Puppet from the horror movie and then threatens to delete files if the ransom is not paid within a time limit.

JIGSAW ransomware 2

Malware experts at Check Point published a fix for machines infected by the ransomware.

The researchers were investigating the latest Jigsaw Ransomware variant (SHA256: 61AA800584B170FFE9959ACD057CCAF784BF3088E1D3AAB39D07C0793F6C03DF) and its false claims to steal users’ credentials and Skype history, we discovered the mechanism implemented by the threat to check whether payments have been made by the victim.

Once the victim decides to make the payment he will press the “I made a payment, now give me back my files!” button that triggers an HTTP GET request to:

btc.blockr[.]io/api/v1/address/balance/<bitcoin-account>

the response consists in the json structure:

{“status”:”success”,”data”:{“address”:”<bitcoin-account>”,”balance”:0,”balance_multisig”:0},”code”:200,”message”:””}.

The researchers decided to make some tests by changing fields of the json, for example submitting the address of a Bitcoin account that holds the necessary amount of Bitcoins to decrypt the files. The experts changed the variable “balance” in the response from 0 to 10, in this way the JIGSAW ransomware believes the payment was successfully completed and starts the process of decrypting the files and removing itself from the infected PC.

“This got us thinking – what if we change the request, so it queries a different account? Perhaps one that holds the necessary amount of Bitcoins to decrypt our files? Or even better- what if we change the response to say we have the necessary amount? So we did. And it worked.” reads a blog post published by CheckPoint.

Victims of the JIGSAW ransomware can download the decryption tool here and follow the instructions step by step:

  1. Unpack the JPS.zip file.
  2. In the Jigsaw Puzzle Solver folder, right click ‘JPS.exe’ and click ‘run as administrator’.
  3. Follow the instructions displayed on the screen.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – JIGSAW ransomware, malware)



you might also like

leave a comment