Jigsaw Ransomware (.fun, .kkk, .btc,.porno, .gws extension) Help & Support Topic

A new ransomware has been reported which encrypted a victim's files, and appends ".fun" to the file names. Other variants may add ".btc", ".kkk", or ".porno" extensions to file names.
 
The victim is given a ransom note with an image of the character Jigsaw from the Saw series. The current ransom is set at $150 USD, or 0.4 BTC.
 

 
 
Messages are displayed as well to intimidate the user into paying the ransom.
 

Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.

Try anything funny and the computer has several safety measures to delete your files.

It appears the ransomware may be downloaded under the guise of a Bitcoin blackmailer by the name of the executable, and a message that is displayed when the software is run.



This ransomware is currently under analysis, and any information will be posted here as it becomes public.
 
If you have been affected by this ransomware, please post your experience here, and do not pay the ransom.
 
A decrypter has been released to decrypt files hit by this ransomware for free.
 
http://www.bleepingcomputer.com/download/jigsaw-decrypter/

Edited by Grinler, 28 July 2016 - 08:38 AM.

Does this one generate any network traffic?

Other than checking for BTC transactions when a button is pressed, no.

We have received samples of new (old) variants that use the extensions ".kkk", and ".btc". The decrypter will be updated later today or tomorrow to allow decryption of those variants.

@Demonslay335,

ESET I swear to decoder file. What can he find there a suspicious?

12/04/2016 21: 24: 12; Filter HTTP;file;http://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip;modified MSIL / Packed.Confuser.J suspicious application; connection is interrupted; *****, Threat detected when attempting to access the Internet in the following application: C: \ Program Files (x86) \ Mozilla Firefox \ firefox.exe .;

It's a false-positive, I've obfuscated the program to make it harder for the criminals to find what their weakness was. I can share the source code with you privately if you'd like.

Decrypter has been updated for .kkk and .btc variants.
 
https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip

Decrypter updated for .gws extension and a few more samples we found. Same link.

Hello.

Sorry for my english.

I help on forums in France. I need a "dropper" of jigsaw for tests. Does anyone have it to give me a private message? And other ransomware if possible.

++
 

Just got hit by a new one yesterday that encrypted all files and added .porno extension. Uploaded a sample to ID Ransomeware site , but no luck. Systems have already been restored via backup, so just throwing it out there. Was not able to find any other reported instances of this extension, but it was difficult due to the expected returns of a google search with that extension.

Just got hit by a new one yesterday that encrypted all files and added .porno extension. Uploaded a sample to ID Ransomeware site , but no luck. Systems have already been restored via backup, so just throwing it out there. Was not able to find any other reported instances of this extension, but it was difficult due to the expected returns of a google search with that extension.

I bet there was quite a bit of noise searching for that one, lol.

Do you have the ransom note? I see you may have also uploaded a "HELP_DECRYPT.PNG", which was identified as CryptoWall 3.0 and deleted. Can you please share the ransom note here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

That's the oddest part, no ransom note. The user that opened the email that set this off disconnected from the term server abruptly and looks like it stopped the run. Found a bunch of adware on her laptop, but no encrypted files local to it. The term server in question is currently off and inaccessible.  

Did you not upload the HELP_DECRYPT.PNG then? I just matched it by the IP that uploaded the only .porno sample to the site. Do you have the malicious email still?

If they were connected via RDP to the terminal server, then it would have probably ran on the server session itself. If they were just disconnected from the session, it probably would have still ran, since a terminal session usually stays logged in by default. Otherwise, if they ran the malware from their local PC, then it would only be able to encrypt any shares if they were on the same network or VPN.

P.S. I'm going to request this conversation be split to a separate topic so we can track it better.

Edited by Demonslay335, 11 May 2016 - 10:29 AM.

The help decrypt was from a separate client. I am trying to chase down the original email. When we started looking in the morning her session was disconnected but still there, so I am not sure why it stopped. It made halfway through the alphabet on the file server and just seems to have stopped.

Also, we had crypto prevent group policy in place on the affected domain.