JIGSAW ransomware defeated once again, decrypt your files for free

If you are one of the victims of the Jigsaw ransomware there is a good news for you, experts from CheckPoint Security have defeated it once again.

Let’s start the day with a good news, the Jigsaw ransomware has been decrypted again. The JIGSAW ransomware was first spotted in April when experts noticed that the threat slowly deletes victim’s files as he shilly-shally to pay the ransom. Jigsaw threatens to delete thousands of files an hour if the victim doesn’t pay 0.4 Bitcoins or $150, and if the victim restart the PC, 1,000 files will be deleted.

The BitcoinBlackmailer.exe reported that the JIGSAW ransomware will encrypt your files adding ‘.FUN’ extension. The author, in the Saw-movie style, displays the face of the character Billy the Puppet from the horror movie and then threatens to delete files if the ransom is not paid within a time limit.

Malware experts at Check Point published a fix for machines infected by the ransomware.

The researchers were investigating the latest Jigsaw Ransomware variant (SHA256: 61AA800584B170FFE9959ACD057CCAF784BF3088E1D3AAB39D07C0793F6C03DF) and its false claims to steal users’ credentials and Skype history, we discovered the mechanism implemented by the threat to check whether payments have been made by the victim.

Once the victim decides to make the payment he will press the “I made a payment, now give me back my files!” button that triggers an HTTP GET request to:

btc.blockr[.]io/api/v1/address/balance/<bitcoin-account>

the response consists in the json structure:

{“status”:”success”,”data”:{“address”:”<bitcoin-account>”,”balance”:0,”balance_multisig”:0},”code”:200,”message”:””}.

The researchers decided to make some tests by changing fields of the json, for example submitting the address of a Bitcoin account that holds the necessary amount of Bitcoins to decrypt the files. The experts changed the variable “balance” in the response from 0 to 10, in this way the JIGSAW ransomware believes the payment was successfully completed and starts the process of decrypting the files and removing itself from the infected PC.

“This got us thinking – what if we change the request, so it queries a different account? Perhaps one that holds the necessary amount of Bitcoins to decrypt our files? Or even better- what if we change the response to say we have the necessary amount? So we did. And it worked.” reads a blog post published by CheckPoint.

Victims of the JIGSAW ransomware can download the decryption tool here and follow the instructions step by step:

Unpack the JPS.zip file.
In the Jigsaw Puzzle Solver folder, right click ‘JPS.exe’ and click ‘run as administrator’.
Follow the instructions displayed on the screen.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – JIGSAW ransomware, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.