
Jigsaw Ransomware (.fun, .kkk, .btc,.porno, .gws extension) Help & Support Topic



#1 Demonslay335
    Ransomware Hunter, Security Colleague

Posted 11 April 2016 - 09:25 AM

A new ransomware has been reported which encrypted a victim's files, and appends ".fun" to the file names. Other variants may add ".btc", ".kkk", or ".porno" extensions to file names.
 
The victim is given a ransom note with an image of the character Jigsaw from the Saw series. The current ransom is set at $150 USD, or 0.4 BTC.
 
[image: Jigsaw ransom note screenshot]
 
 
Messages are displayed as well to intimidate the user into paying the ransom.
 

Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.


Try anything funny and the computer has several safety measures to delete your files.


It appears the ransomware may be downloaded under the guise of a Bitcoin blackmailer by the name of the executable, and a message that is displayed when the software is run.

[image: message displayed when the executable is run]

This ransomware is currently under analysis, and any information will be posted here as it becomes public.
 
If you have been affected by this ransomware, please post your experience here, and do not pay the ransom.
 
A decrypter has been released to decrypt files hit by this ransomware for free.
 
http://www.bleepingcomputer.com/download/jigsaw-decrypter/


Edited by Grinler, 28 July 2016 - 08:38 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
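A read-only triage helper for the extensions named in this topic (.fun, .kkk, .btc, .porno, .gws), added here as an example; it is not the decrypter's code or anything posted by the topic starter. It walks a directory, counts encrypted files per extension and derives the original file name by stripping the appended suffix, so the scope of the damage is known before restoring from backup or running the decrypter; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

# Extensions this topic reports for Jigsaw variants; extend the tuple as new ones appear.
JIGSAW_EXTENSIONS = (".fun", ".kkk", ".btc", ".porno", ".gws")


def original_name(path, extensions=JIGSAW_EXTENSIONS):
    """Return the pre-encryption path if `path` ends in a Jigsaw extension, else None.

    The malware appends its extension after the real one ("report.docx.fun"),
    so dropping the final suffix recovers the original name.
    """
    base, ext = os.path.splitext(path)
    if base and ext.lower() in extensions:
        return base
    return None


def inventory(root, extensions=JIGSAW_EXTENSIONS):
    """Walk `root` read-only and return (counts per extension, sorted encrypted paths).

    Use it to scope the damage on a share before restoring from backup or
    running the decrypter; nothing on disk is modified.
    """
    counts = Counter()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if original_name(full, extensions) is not None:
                counts[os.path.splitext(name)[1].lower()] += 1
                hits.append(full)
    return counts, sorted(hits)


def build_sample_tree():
    """Create a constructed sample tree (not victim data) and return its root."""
    root = tempfile.mkdtemp(prefix="jigsaw_demo_")
    os.makedirs(os.path.join(root, "Finance"))
    for rel in ("Finance/q1.xlsx.fun", "Finance/notes.txt.FUN",
                "memo.docx.btc", "photo.jpg.porno", "readme.txt", "plan.gws"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    counts, hits = inventory(demo_root)
    print(dict(counts))
    for hit in hits:
        print(hit, "->", original_name(hit))
```

Point `inventory()` at the share root rather than the sample tree to get the real picture; matching is case-insensitive, so ".FUN" and ".fun" are counted together.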



#2 phunterSW
    Member

Posted 11 April 2016 - 11:18 AM

Does this one generate any network traffic?



#3 Demonslay335 (Topic Starter)
    Ransomware Hunter, Security Colleague

Posted 12 April 2016 - 09:20 AM

Other than checking for BTC transactions when a button is pressed, no.

 

We have received samples of new (old) variants that use the extensions ".kkk", and ".btc". The decrypter will be updated later today or tomorrow to allow decryption of those variants.




#4 al1963
    Member

Posted 12 April 2016 - 09:30 AM

@Demonslay335,

ESET complains about the decoder file. What could it find suspicious in there?

 

12/04/2016 21: 24: 12; Filter HTTP;file;http://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip;modified MSIL / Packed.Confuser.J suspicious application; connection is interrupted; *****, Threat detected when attempting to access the Internet in the following application: C: \ Program Files (x86) \ Mozilla Firefox \ firefox.exe .;



#5 Demonslay335 (Topic Starter)
    Ransomware Hunter, Security Colleague

Posted 12 April 2016 - 09:54 AM

It's a false-positive, I've obfuscated the program to make it harder for the criminals to find what their weakness was. I can share the source code with you privately if you'd like.




#6 Demonslay335 (Topic Starter)
    Ransomware Hunter, Security Colleague

Posted 12 April 2016 - 02:18 PM

Decrypter has been updated for .kkk and .btc variants.
 
https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip




#7 Demonslay335 (Topic Starter)
    Ransomware Hunter, Security Colleague

Posted 13 April 2016 - 11:59 AM

Decrypter updated for .gws extension and a few more samples we found. Same link.




#8 quietman7
    Bleepin' Janitor, Global Moderator

Posted 13 April 2016 - 07:01 PM

This one appears to be adding new extensions very quickly.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#9 ric025
    Member

Posted 25 April 2016 - 09:26 AM

Hello.

Sorry for my English.

I help on forums in France. I need a "dropper" of jigsaw for tests. Does anyone have it to give me a private message? And other ransomware if possible.

++

 



#10 DStamm
    Member

Posted 11 May 2016 - 09:43 AM

Just got hit by a new one yesterday that encrypted all files and added .porno extension. Uploaded a sample to ID Ransomware site, but no luck. Systems have already been restored via backup, so just throwing it out there. Was not able to find any other reported instances of this extension, but it was difficult due to the expected returns of a Google search with that extension.



#11 Demonslay335 (Topic Starter)
    Ransomware Hunter, Security Colleague

Posted 11 May 2016 - 10:17 AM

Just got hit by a new one yesterday that encrypted all files and added .porno extension. Uploaded a sample to ID Ransomware site, but no luck. Systems have already been restored via backup, so just throwing it out there. Was not able to find any other reported instances of this extension, but it was difficult due to the expected returns of a Google search with that extension.

 

I bet there was quite a bit of noise searching for that one, lol.

 

Do you have the ransom note? I see you may have also uploaded a "HELP_DECRYPT.PNG", which was identified as CryptoWall 3.0 and deleted. Can you please share the ransom note here: http://www.bleepingcomputer.com/submit-malware.php?channel=168




#12 DStamm
    Member

Posted 11 May 2016 - 10:23 AM

That's the oddest part, no ransom note. The user that opened the email that set this off disconnected from the term server abruptly and looks like it stopped the run. Found a bunch of adware on her laptop, but no encrypted files local to it. The term server in question is currently off and inaccessible.  



#13 Demonslay335 (Topic Starter)
    Ransomware Hunter, Security Colleague

Posted 11 May 2016 - 10:28 AM

Did you not upload the HELP_DECRYPT.PNG then? I just matched it by the IP that uploaded the only .porno sample to the site. Do you have the malicious email still?

 

If they were connected via RDP to the terminal server, then it would have probably run on the server session itself. If they were just disconnected from the session, it probably would have still run, since a terminal session usually stays logged in by default. Otherwise, if they ran the malware from their local PC, then it would only be able to encrypt any shares if they were on the same network or VPN.

 

P.S. I'm going to request this conversation be split to a separate topic so we can track it better.


Edited by Demonslay335, 11 May 2016 - 10:29 AM.



#14 DStamm
    Member

Posted 11 May 2016 - 10:37 AM

The help decrypt was from a separate client. I am trying to chase down the original email. When we started looking in the morning her session was disconnected but still there, so I am not sure why it stopped. It made it halfway through the alphabet on the file server and just seems to have stopped.



#15 DStamm
    Member

Posted 11 May 2016 - 10:40 AM

Also, we had crypto prevent group policy in place on the affected domain.





