A new edition (did I just call it that?) of the Jigsaw Ransomware has been released that utilizes the Invisible Empire theme for its lock screen. The Invisible Empire is an art exhibit by Juha Arvid Helminen that attempts to show how uniforms can be used to hide yourself while you commit atrocities or criminal behavior.  I have to say that this theme is perfectly suited for a ransomware program.

Invisible Empire themed Jigsaw Variant

Like the previous Jigsaw ransomware infections, the Invisible Empire edition (damn I did it again) will encrypt your data with AES encryption and demand a ransom payment before it will decrypt your files. In order to pay this ransom you will be required to send payment to the assigned bitcoin address and then click on the "I made a payment" button.

Unfortunately, this version will still delete your files every time you restart the process and when the timer runs down to zero.

The only major difference between this version and the standard Jigsaw is that it uses the .payransom extension for encrypted files. Otherwise, it's exactly the same as the original Jigsaw Ransomware.

I also should note that obviously the artist behind the Invisible Empire photo exhibit is not affiliated with this ransomware.

How to decrypt and remove the Jigsaw Ransomware

Thankfully, DemonSlay335 was able to modify his existing Jigsaw Ransomware decryptor to also decrypt files encrypted by this version. To decrypt your files, the first thing that you should do is terminate the %UserProfile%\AppData\Roaming\Wrkms\wrkms.exe and %UserProfile%\AppData\Local\Systmd\systmd.exe processes in the Windows Task Manager to prevent any further files from being deleted. You should then run MSConfig and disable the startup entry related to these executables.

Once you have terminated the ransomware and disabled its startup, let's proceed with decrypting the files.  The first step is to download and extract the Jigsaw Decryptor from the following URL:

https://www.bleepingcomputer.com/download/jigsaw-decrypter/

Then double-click on the JigSawDecrypter.exe file to launch the program.  When the program launches you will be greeted with a screen similar to the one below.

Jigsaw Decrypter

To decrypt your files simply select the directory and click on the Decrypt My Files button. If you wish to decrypt the whole drive, then you can select the C: drive itself.  It is advised that you do not put a checkmark in the Delete Encrypted Files option until you have confirmed that the tool can properly decrypt your files.

When it has finished decrypting your files, the screen will appear as below.

Decryption Finished

Now that your files are decrypted, I suggest that you run an antivirus or anti-malware program to scan your computer for infections. If you need help decrypting Jigsaw files, you can ask for help in this support topic: Jigsaw Ransomware (.fun, .kkk, .btc, .porno, .gws extension) Help & Support Topic.


Files associated with the Invisible Empire Jigsaw Variant:

%UserProfile%\AppData\Local\Systmd\systmd.exe
%UserProfile%\AppData\Roaming\System32Work\
%UserProfile%\AppData\Roaming\System32Work\Address.txt
%UserProfile%\AppData\Roaming\System32Work\dr
%UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt
%UserProfile%\AppData\Roaming\Wrkms\
%UserProfile%\AppData\Roaming\Wrkms\wrkms.exe

Registry entries associated with the Invisible Empire Jigsaw Variant:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wrkms.exe	%UserProfile%\AppData\Roaming\Wrkms\wrkms.exe
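
The termination step and the indicator lists above can also be checked from a PowerShell prompt. The script below is an added example, not part of the original article or the decryptor: it reports the listed processes, Run value and files, and only when started with the hypothetical -Contain switch does it stop the processes and remove the Run value. All paths and the value name are taken from this page; the switch name is an assumption.

```powershell
# Added example: report (and optionally contain) the indicators listed in this article.
param([switch]$Contain)   # hypothetical switch; without it the script only reports

$roaming = Join-Path $env:USERPROFILE 'AppData\Roaming'
$local   = Join-Path $env:USERPROFILE 'AppData\Local'

# Executables, working folder and Run value named in the article
$exePaths = @(
    (Join-Path $roaming 'Wrkms\wrkms.exe'),
    (Join-Path $local   'Systmd\systmd.exe')
)
$workDir = Join-Path $roaming 'System32Work'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'wrkms.exe'

# 1. Running processes whose image path is one of the listed executables.
#    Matching on the full path avoids stopping an unrelated process with the same name.
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($exePaths -contains $_.Path) }
foreach ($p in $procs) {
    Write-Output "RUNNING   pid=$($p.Id)  $($p.Path)"
    if ($Contain) { Stop-Process -Id $p.Id -Force }
}

# 2. Startup entry under the current user's Run key.
#    Note: this removes the value, where MSConfig would only disable it.
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run) {
    Write-Output "AUTORUN   $runName -> $($run.$runName)"
    if ($Contain) { Remove-ItemProperty -Path $runKey -Name $runName }
}

# 3. Files on disk. They are only reported, never deleted, so they remain
#    available for the antivirus scan that follows decryption.
$files = $exePaths + @(
    (Join-Path $workDir 'Address.txt'),
    (Join-Path $workDir 'dr'),
    (Join-Path $workDir 'EncryptedFileList.txt')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Write-Output "FILE      $f" }
}

# 4. Count of files carrying this variant's .payransom extension in the user profile
$enc = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter '*.payransom' `
    -ErrorAction SilentlyContinue
Write-Output "ENCRYPTED $(@($enc).Count) .payransom file(s) under $env:USERPROFILE"
```

Run it once without the switch to see what is present, then again with -Contain before launching the decryptor.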