Jigsaw is named after the iconic fictional character that appears in the ransom note. It will delete files every hour and it will infect more files every hour until the user pays the ransom.
At this time, it is currently unknown how this ransomware is distributed. However, it was submitted to the Youtuber Siam Alam's Fan Made Virus Series, making it known around the community.
The ransomware virus features an image called Jigsaw. It is based off the horror film franchise SAW!
When encrypting a file, it will add the filename to a list of encrypted files located at %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. It will also assign a bitcoin address and save it in the %UserProfile%\AppData\Roaming\System32Work\Address.txt file. After this, Jigsaw will set an autorun that starts the ransomware each time the user logs onto Windows. Each time the ransomware starts, it will also delete 1,000 encrypted files. If the encrypted files are below 1000, it will delete all of them.
In the ransom note, there is a 60-minute timer that will count down to 0. When it reaches 0, it will delete a certain amount of files depending on how many times the counter has been reset. Each time it resets, a counter will increase, which will cause more files to be deleted on the next reset. Jigsaw deletes files every sixty minutes. It will delete more files when the program is restarted.
Every hour, Jigsaw will delete a file on the user's computer and increment a counter. Over time, this counter will cause more than one file to be deleted every hour. More destructive, however, is the amount of files that are deleted every time the ransomware starts. After the initial infection when the ransomware is restarted, whether that be a reboot or terminating the process, Jigsaw will delete a thousand files from the user's computer. This process is very destructive and is being used to pressure the victim into paying the ransom.
Through the analysis of MalwareHunterTeam, Demonslay335, and BleepinComputer, it was discovered that it is possible to decrypt files encrypted by Jigsaw. Using this information, Demonslay335 has released a decryptor that can decrypt files encrypted by Jigsaw.
To decrypt files, the first thing that the user should do is terminate the firefox.exe and drpbx.exe (These processes should not be confused with Firefox and Dropbox processes.) processes in Task Manager to prevent any further files from being deleted. The user should then run MSConfig and disable the startup entry called firefox.exe that points to the %UserProfile%\AppData\Roaming\Frfx\firefox.exe executable. Once the user has terminated the ransomware and disabled its startup, the next step is to download and extract the Jigsaw Decryptor from the following URL: https://www.bleepingcomputer.com/download/jigsaw-decrypter/ And then double-click on the JigSawDecrypter.exe file to launch the program. When Jigsaw is launched, it will scan the user's drives for certain file extensions, encrypts them using AES encryption, and append a .FUN, .KKK, .GWS, or, .BTC extension to the filename depending on the version.