26 Apr 2016
It appears there’s a new form of ransomware that was clearly created by hackers who are fans of the movie “Saw”. Going by the name Jigsaw, not only does it encrypt files and ask for money to unlock them, it also begins to delete your files while raising the ransom demand.
Taking its name from the horror film’s serial killer, the malware uses other details found in the film series, including the puppet the killer communicates with and a red countdown clock showing how much time is left of the 72 hours given to pay the hackers before all your files are deleted. As if that weren’t bad enough, Jigsaw adds the .FUN extension to files as it encrypts them, and if you attempt to reboot your computer, it will delete 1,000 files as revenge.
Jigsaw appears to have been coded on March 23 and started being used in attacks before the end of the month. Other variants of the malware mark encrypted files with the .BTC, .GWS, and .KKK extensions, with ransoms starting between $20 and $150 before they begin increasing.
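A triage check for the file extensions listed above, as an added example that is not part of the original article: it walks a directory tree and reports files whose names end in one of the Jigsaw extensions on top of an existing extension. The function names and the sample tree are constructed for illustration, and requiring an inner extension (as in report.docx.FUN) is an assumption made to reduce false positives.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article attributes to Jigsaw and its variants.
JIGSAW_EXTENSIONS = {".fun", ".btc", ".gws", ".kkk"}


def find_jigsaw_renamed(root):
    """Return paths under root whose final extension matches a Jigsaw variant.

    Only names that still carry an inner extension (report.docx.FUN) are
    reported. That is an assumption about the renaming, based on the article
    saying the extension is added to the encrypted file.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffixes = Path(name).suffixes
            if len(suffixes) >= 2 and suffixes[-1].lower() in JIGSAW_EXTENSIONS:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def summarize(hits):
    """Count hits per variant extension and per directory for triage."""
    by_ext = Counter(p.suffix.lower() for p in hits)
    by_dir = Counter(p.parent.name for p in hits)
    return by_ext, by_dir


def build_sample_tree(root):
    """Create a constructed sample tree: three renamed files, three clean ones."""
    names = ["docs/report.docx.FUN", "docs/budget.xlsx.fun", "pics/cat.jpg.KKK",
             "docs/notes.txt", "pics/wallet.btc", "pics/holiday.png"]
    for rel in names:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found = find_jigsaw_renamed(build_sample_tree(tmp))
        ext_counts, dir_counts = summarize(found)
        for path in found:
            print(path)
        print(dict(ext_counts), dict(dir_counts))
```

A hit only means the file name matches the pattern; confirm against known-good backups before treating a file as encrypted.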
Hosted on the free cloud storage site 1fichier.com, Jigsaw seems to be spread primarily through adware and grayware, like free toolbars, and some adult websites. That particular cloud storage site has in the past been associated with other malware like Fareit and Coinstealer, though once notified it removed Jigsaw.
The horror elements in this malware speak more to the proliferation of ransomware and the apparent need for hackers to brand their work than to its sophistication. So far security experts have been able to retrieve not only the encryption key hidden within Jigsaw’s code, but also the bitcoin addresses the hackers were using to accept ransoms.
The best way to prepare for a ransomware attack is to develop robust backup and data recovery policies, with those backups being stored offline, especially in the health and finance industries. It’s also a good idea for everyone to run the latest version of their operating system and keep their anti-malware software up to date. Finally, don’t download anything from an email address you don’t recognize, and be wary of unexpected emails with attachments from well-known brands.