Creepy ransomware can be stopped—for now.

You can watch this malicious cyber puppet die in front of you. But like some of the most horrifying movie villains, “Jigsaw” may come back for a sequel—this time, stronger than before.

Jigsaw is ransomware, but with a sickening twist.

An evil puppet face appears on your screen, the same face that haunted victims in the “Saw” horror movies.

Like the killer in “Saw,” Jigsaw is putting you to the test. At stake is a piece of your digital flesh—all of the files on your computer.

“I want to play a game with you,” the puppet informs you, according to Lawrence Abrams of BleepingComputer. “All your files are being deleted. Your photos, videos, documents, etc… But, don’t worry! It will only happen if you don’t comply.”

A counting clock ticks down, and you must scramble to pay in bitcoin to keep your files.

“During the first 24 hour [sic] you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on,” Jigsaw tells you. “Now, let’s start and enjoy our little game together!”

New breed

This is a new breed of ransomware and a new breed of developer, Abrams said.

“Normally, ransomware developers treat it completely like a business and do not want to do anything that discourages the victim from paying the ransom,” said Abrams.

The payment demanded may be as low as $20 to $250.

“With Jigsaw, there is also a sense that the developer is taking too much enjoyment out of the ransoming process,” he said.

Test of will

In the “Saw” movies, the villain, “Jigsaw” sets up traps where his victims will die or be seriously maimed if they do not complete his tests in time.

The ransomware Jigsaw does the same, though with your digital documents.

Typical ransomware can encrypt your files all at once, then demand payment. The files themselves are still intact, though held hostage.

“Many ransomware variants have made threats that they will release info, delete your files, or perform some other destructive action,” said Abrams. “Until Jigsaw, though, these have been idle threats.”

With Jigsaw, the destruction is real and immediate.

“First, no one likes being greeted with a scary puppet on their screen, but what makes it worse is when the program starts deleting files,” said Abrams.

If you try to shut down your computer, the puppet will send you another message, according to Trend Micro:

“You are about to make a very bad decision. Are you sure about it?”

“If you disable the program—reboot, terminate process—and start it again, it automatically removes 1000 files,” said Abrams.

Defeating Jigsaw

In “Saw III,” the movie villain is dying, after suffering from a deadly brain tumor.

The cyber Jigsaw can be stopped as well, according to Abrams.

He and other researchers did a “malware autopsy”—an analysis of the ransomware—and from it came a solution that will get your files back from the evil puppet without paying ransom, Abrams said.

His blog post explains how you can defeat it, using a special decryptor to take back your files from Jigsaw.

Freeze the ransomware

You need to terminate specific processes on your computer to freeze the ransomware, download the special decryptor mentioned in his post, and launch the program.

If all goes according to plan, you will get another message, this one much more encouraging—“Decryption finished.”

The decryption process may seem complicated to the non-expert, but the ransom process would be much more painful.

“The biggest problem is that if they want to pay the ransom, they have to get bitcoins,” said Abrams. “For many people this process is confusing and difficult, and even when you use the more legitimate sellers, it can take upwards to a week.”

“This could lead to a lot of deleted files,” he added. “The only hope is that they will do a web search for this particular ransomware and find their way to an article like mine, which explains how to terminate the process and decrypt it for free.”

From the grave

The killer from “Saw” dies, ultimately at the hands of a victim using, yes, a saw. But in the next movie, his evil springs from the grave—a specially-protected recording hidden in his stomach reveals more gruesome tests for victims. 

The ransomware Jigsaw may also find ways to strike again, despite the decryptor that renders it powerless.

“Typically, when ransomware developers learn that there is a vulnerability in their programs they either fix the issue or switch to a different encryption algorithm,” said Abrams.

The question now—will the Jigsaw developers who seem to be reveling in the game try to rework their weapon to “test” even more victims?

How it finds you

The ransomware lurks in hiding places, waiting to make the connection with your machine.

Some people may have accidentally downloaded it by installing a fake Firefox browser, according to Abrams in Threatpost.

Other victims may have downloaded a file from a free cloud storage service called “1ficher,” Jasen Sumalapao of Trend Micro wrote in a post.

“This service has previously hosted other malware like the information stealer FAREIT, as well as COINSTEALER, which gathers bitcoins,” said Sumalapao.

“We already notified 1ficher about this incident and they already removed the said malicious URLs.”

Copycat killer?

Jigsaw may also infect through porn sites, according to Trend Micro.

A variation of the Jigsaw malware exchanges the evil puppet face for adult images, and adds a new message, though the ransom process is the same.


The investigation

Researchers continue to analyze Jigsaw, looking for clues that might lead to stopping this file killer.

The ransomware came into being on March 23rd, said Andy Settle with Forcepoint, and appeared “in the wild” soon after that.

The company reverse-engineered Jigsaw and found an encryption key, along with more clues—100 bitcoin addresses used for ransom payments, according to Settle’s post.

If Jigsaw the malware returns, it may find a new way to put a stronghold on your computer.

The solution, according to Trend Micro, is to back up your files, lest this “devious” and “nasty” ransomware—just like the movie villain—rears its head again.

“Indeed, from the victim’s point of view, being hit by ransomware is an unpleasant experience,” wrote Settle. “But using horror movie images and references to cause distress in the victim is a new low.”


Main image: Jigsaw ransomware. Image credit: Bleeping Computer