A new variant of the Jigsaw Ransomware has been discovered by Michael Gillespie that uses a new Anonymous themed background for the ransom note. Though there has been a previous variant of Jigsaw that included a Guy Fawkes mask, this new one implies that Anonymous is involved with the ransomware.  The ransom screen's background now states "We are Anonymous. We Are Legion. We do not forget. We do not forgive. Expect us.". The good news is that Jigsaw continues to be easily decrypted and Michael's Jigsaw Decryptor has been updated to decrypt this variant.

We are Anonymous Background
We are Anonymous Background

This variant of Jigsaw will encrypt your data using AES encryption and then demand $250 USD in bitcoins to get your files back. When first started, the ransomware will install itself to %UserProfile%AppData\Local\MS\app_roaming.exe, create an autorun called Microsoft Defender,  and pretends to be the Microsoft Defender program. It will then display an alert stating that a scan has been initiated.

Fake Scan Alert
Fake Scan Alert

In the background, the ransomware will now start to encrypt the data on the local drives and will append the .xyz extension to encrypted files. That means a file that was named test.jpg will be encrypted as test.jpg.xyz.  When it has finished, it will display the Anonymous Jigsaw ransom screen.  Below is the ransom screen with all the text displayed.

Anonymous Jigsaw Ransomware Screen
Anonymous Jigsaw Ransomware Screen

As already stated, a decryptor for Jigsaw is available that a victim can use to get their files back for free. All victims should terminate the app_roaming.exe process via task manager so it does not delete any files and then use the decryptor.

Files associated with the Anonymous Jigsaw Ransomware Variant:


Registry entries associated with the Anonymous Jigsaw Ransomware Variant::

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Defender.exe	%UserProfile%AppData\Roaming\MS\Defender.exe


Related Articles:

The Week in Ransomware - August 24th 2018 - Hermes, Fox, and Ryuk

Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption

The Week in Ransomware - October 19th 2018 - GandCrab, Birbware, and More

GandCrab Devs Release Decryption Keys for Syrian Victims

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords