New Variant of Jigsaw Ransomware Overview
Jigsaw is a ransomware family. This post covers a new variant recently identified by security researchers. It encrypts files on the victim machine with AES, and it differs little from the variant we analyzed a few months ago.
The new variant targets more than 100 file extensions, whereas the previous version targeted only 15.
It appends .FuckedbyGhost to the name of each encrypted file, where the previous version appended .fun. According to the ransom note, it deletes some of the victim's files every hour until the ransom is paid.
The ransom demanded is $30 in bitcoin, payable to the following address: 12XE5ncLCxDcXPAXWuTd3JentLZNCF3a47
The previous version demanded $100, payable to: 1Hd3tU8MDmuVotMgGJTJ7svzvPey6bfUgm
Flowchart

Technical Analysis of New Variant of Jigsaw Ransomware
File Name: Jigsaw.exe
MD5: DFABB15B3BF9BC533BD55E21B64A5FF0
File Type: .EXE
Spread via: not yet known.

Detailed Description of Jigsaw Ransomware with Screenshots
On execution, the ransomware resolves the %APPDATA% path and copies itself to two locations, one under the Roaming and one under the Local half of the user profile:
%USERPROFILE%\AppData\Roaming\Wind0s\cRe.exe
%USERPROFILE%\AppData\Local\mİCROSs\Mic.exe
It then creates an autorun entry in the per-user Run key so that it is restarted at every logon. Note that the value is named after one copy but points at the other:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  cRe.exe = C:\Users\admin.admin-PC\AppData\Local\mİCROSs\Mic.exe
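A triage script for the persistence artifacts just described, added here as an example; it is not code from the original analysis. The Run value name, the two drop paths and the MD5 given in the technical summary come from the report. The matching logic, the output layout and the assumption that the dropped copy is also the process displaying the ransom screen are mine.

```powershell
# Added triage example, not code from the original analysis. Indicators (Run
# value name, drop paths, MD5) are taken from the report; the hunting logic
# around them is an assumption about how you would check a suspect host.

$iocMd5 = 'DFABB15B3BF9BC533BD55E21B64A5FF0'
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# %APPDATA% already expands to ...\AppData\Roaming, so the two paths in the
# report are the Roaming and Local halves of the profile. The folder name
# contains U+0130 (capital I with dot above); building it from the code point
# keeps the script independent of the editor's file encoding.
$dropped = @(
    (Join-Path $env:APPDATA      'Wind0s\cRe.exe'),
    (Join-Path $env:LOCALAPPDATA ('m' + [char]0x0130 + 'CROSs\Mic.exe'))
)
$pathPattern = '\\(Wind0s\\cRe|m.CROSs\\Mic)\.exe$'   # '.' also matches the U+0130

$findings = @()

# 1. Autorun: match both the value name the sample used and the drop folders,
#    so a copy registered under a different value name is still caught.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
    if ($p.Name -eq 'cRe.exe' -or $p.Value -match $pathPattern) {
        $findings += [pscustomobject]@{ Indicator='RunKey'; Where=$p.Name; Detail=$p.Value }
    }
}

# 2. Dropped copies: hash them so a rebuilt binary at the same paths is visible.
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $md5   = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $match = if ($md5 -eq $iocMd5) { 'matches IOC' } else { 'different build' }
        $findings += [pscustomobject]@{ Indicator='DroppedFile'; Where=$path; Detail="$md5 ($match)" }
    }
}

# 3. Resident process (assumption: the dropped copy is what draws the countdown
#    window, so a hit here means the timer is still running).
Get-Process | Where-Object { $_.Path -match $pathPattern } | ForEach-Object {
    $findings += [pscustomobject]@{ Indicator='Process'; Where="PID $($_.Id)"; Detail=$_.Path }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No Jigsaw indicators found' }
```

Run it in the context of the affected user, since the Run key and the drop paths are per-profile; a hit on the process indicator is the cue to stop the process before doing anything else, given the hourly deletion threat in the ransom note.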

Figure 1 Configuration Information
As the configuration above shows, the ransomware displays a fake error message claiming that .NET Framework 4.5.1 is required.

Figure 2 Fake .NET Framework requirement
This ransomware targets 117 file extensions:
.jpg, .wpd, .m3u, .cs, .xlw, .mpg, .vcf, .sldx, .jpeg, .wps,
.m4u, .h, .ppt, .wmv, .xml, .sldm, .wav, .raw, .msg, .mid,
.php, .pot, .vob, .ses, .rar, .mp3, .tif, .pdf, .mpa, .asp,
.pps, .m3u8, .zip, .aif, .gif, .xls, .wma, .rb, .pptx, .mkv,
.dat, .7zip, .iff, .png, .xlt, .ra, .java, .pptm, .csv, .svg,
.idml, .bmp, .3dm, .xlm, .avi, .jar, .potx, .efx, .swf, .pmd,
.max, .accdb, .xlsx, .mov, .class, .potm, .sdf, .fla, .ps, .db,
.xlsm, .mp4, .py, .aet, .ppam, .as3, .3g2, .dbf, .xltx, .3gp,
.js, .aaf, .ppj, .ppsx, .as, .txt, .asf, .mdb, .xltm, .mpeg,
.aep, .psd, .ppsm, .dotx, .asx, .pdb, .xlsb, .xll, .aepx, .inx,
.indd, .xqx, .flv, .sql, .dwg, .xla, .xqx, .plb, .cpp, .indl,
.ai, .doc, .dxf, .c, .xlam, .docx, .prel, .dotm, .indt, .eps,
.dot, .rtf, .docm, .prproj, .indb, .docb
The ransomware appends .FuckedbyGhost to the name of each affected file and then displays a ransom screen containing a welcome message and a countdown timer.

Figure 3 Ransom Message Screen
The victim can restore files from an earlier restore point, because this ransomware does not delete Volume Shadow Copies.
Each run generates a different decryption key, after which the ransomware attempts to contact its C&C (command and control) server to check whether payment has been made.
According to the ransom note, the victim must pay $30 in bitcoin to the following address:
12XE5ncLCxDcXPAXWuTd3JentLZNCF3a47
When the ransom note window is closed, the following message is shown to the user:

Figure 4 Bad Decision Pop Up
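The recovery path the analysis points at (shadow copies intact, every encrypted file renamed with the same appended extension) can be scripted. The following is an added example and not the original analysis's code. It assumes an elevated PowerShell session, a shadow copy created before the infection, and that the earliest last-write time among the encrypted files is a usable estimate of when encryption began. The $Scope and $Recovery parameters, the link path C:\shadow_jigsaw and the volume-matching logic are my assumptions, not something the report states.

```powershell
# Added recovery example, not code from the original analysis. Assumes an
# elevated session, that encrypted files carry the appended extension the
# report describes, and that at least one shadow copy predates the infection.
# Originals are copied into $Recovery; encrypted files stay in place as evidence.
param(
    [string]$Scope    = $env:USERPROFILE,    # tree to recover (assumption: the user profile)
    [string]$Recovery = 'C:\Recovery_Jigsaw'  # hypothetical destination, not from the report
)

# 1. Stop the resident sample first: the note threatens hourly deletions, so
#    every minute it keeps running costs files. Path pattern from the report.
Get-Process | Where-Object { $_.Path -match '\\(Wind0s\\cRe|m.CROSs\\Mic)\.exe$' } |
    Stop-Process -Force

# 2. Remove the autorun value so the next logon does not restart it.
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'cRe.exe' -ErrorAction SilentlyContinue

# 3. Inventory the encrypted files. NTFS name matching is case-insensitive, so
#    this one filter covers either capitalisation of the extension.
$encrypted = @(Get-ChildItem -Path $Scope -Recurse -Force -File -Filter '*.FuckedbyGhost' -ErrorAction SilentlyContinue)
if ($encrypted.Count -eq 0) { 'No encrypted files found'; return }

# 4. The earliest last-write time approximates when encryption began; take the
#    newest shadow copy of this volume that is older than that.
$firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
$volume   = (Get-Item $Scope).PSDrive.Root                                    # e.g. C:\
$volumeId = (Get-CimInstance Win32_Volume | Where-Object Name -eq $volume).DeviceID
$shadow   = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $firstHit } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $shadow) { throw "No shadow copy of $volume older than $firstHit" }

# 5. Expose the snapshot as a directory. mklink needs the trailing backslash on
#    the \\?\GLOBALROOT device path; the FileSystem provider cannot open it directly.
$link = 'C:\shadow_jigsaw'
if (Test-Path -LiteralPath $link) { throw "$link already exists" }
cmd /c mklink /d $link "$($shadow.DeviceObject)\" | Out-Null

# 6. For each encrypted file, copy the pre-encryption version of the original name.
$restored = 0
foreach ($f in $encrypted) {
    $original = $f.FullName -replace '\.FuckedbyGhost$', ''   # strip the appended extension
    $relative = $original.Substring($volume.Length)           # path below the volume root
    $src = Join-Path $link $relative
    if (Test-Path -LiteralPath $src) {
        $dst = Join-Path $Recovery $relative
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        Copy-Item -LiteralPath $src -Destination $dst -Force
        $restored++
    }
}
(Get-Item -LiteralPath $link).Delete()                        # drop the link, keep the snapshot
"{0} of {1} files recovered to {2}" -f $restored, $encrypted.Count, $Recovery
```

Files created after the chosen snapshot cannot be recovered this way, which is why the count at the end is reported against the total. Keeping the encrypted copies and the dropped binaries intact also preserves the evidence a later analysis of the key-handling would need.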
IOCs
Associated file name and hash:
Sample.exe    MD5: DFABB15B3BF9BC533BD55E21B64A5FF0
Associated file paths:
%USERPROFILE%\AppData\Roaming\Wind0s\cRe.exe
%USERPROFILE%\AppData\Local\mİCROSs\Mic.exe
Associated registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  cRe.exe = C:\Users\admin.admin-PC\AppData\Local\mİCROSs\Mic.exe
Associated Bitcoin address:
12XE5ncLCxDcXPAXWuTd3JentLZNCF3a47
See also our Detailed Technical Analysis Report of Total Wipe Out Ransomware for a similar case.
Tips to Prevent Viruses and Malware from Infecting Your System:
- Enable your pop-up blocker: pop-ups and ads on websites are among the most common tactics cybercriminals use to spread malicious programs. Avoid clicking on suspicious sites, software offers and pop-ups, and install a reputable ad blocker for Chrome, Firefox and Internet Explorer.
- Keep Windows updated: keep your system current through automatic Windows Update. Outdated versions of Windows are an easy target.
- Third-party installers: avoid freeware download sites; their installers and stub downloaders commonly bundle additional software.
- Regular backups: regular backups keep your data recoverable if the system is infected. Back up important files to a cloud drive or an external hard drive, and keep the external drive disconnected when not in use so that ransomware cannot reach it. This variant happens to leave shadow copies alone; do not count on the next one doing the same.
- Always run an antivirus: prevention is better than cure. We recommend an antivirus such as ITL Total Security or a dedicated malware removal tool.