Vin Ransomware Blog02

Jigsaw Ransomware which is propagating past few months with the capabilities of not only encrypting the files of the victims but also deleting the files if the ransom is not paid. A ransomware note is generated, which blackmails the victim on deletion of files for every hour on non-payment of the ransom.

b5img1

Figure 1 Jigsaw Ransomware Note with the icon of SAW character


The deletion of files for every one hour is done by starting a counter once this ransomware affects the victim’s device. The Ransomware Note warns the victim about the deletion of all the files after 72 hours if not paid.

Jigsaw ransomware scans for certain file extensions, encrypt them using AES-128-CBC encryption, and appends with .FUN, .KKK, .GWS, or .BTC extension to the filename depending on the version. A clever obfuscation technique is implemented by the ransomware during encryption.

The file types targeted by Jigsaw ransomware are as follows:

blog5 2.2

b5img2

Figure 2 Displays the list of encrypted files

Jigsaw, also sets an autorun that starts the ransomware every time the victim login to the system. In this scenario, the ransomware deletes 1000 encrypted files for every login of the victim.

Our threat analysis team was able to reverse engineer and manually deobfuscated the ransomware samples and retrieve the encryption method and the key used.

b5img3

Figure 3 Reversed the Jigsaw Sample and found Key and IV

Paramount Jigsaw Ransomware Decryptor

A ransomware decryption tool is developed by our team with the obtained encryption algorithm, key and an initial vector. This tool is provided with various options, where respective files or folders or disks can be selected for decryption. Also, the tool shows a report of the decrypted files and the location of the original file. The tool has been rigorously tested and proves to decrypt the infected files successfully.
Fig 4 shows the decryption of a single file. The decrypted file will be found in the same location of the original file.

b5img4

Figure 4 Paramount Jigsaw Ransomware Decryptor: File Decrypt

Users can also decrypt folder by folder. Once a folder is selected for decryption, a new folder is created with the name <foldername-Decrypt> and all the infected files get decrypted to that folder. Fig 5 shows the decryption of infected folder.

b5img5

Figure 5 Paramount Jigsaw Ransomware Decryptor: Folder Decrypt

User can select a disk for decryption as well. The tool can decrypt the exact file back to the same location where user can either keep the encrypted file in the location or can delete the file automatically by selecting the checkbox in the settings section in Fig 7. Fig 6 shows decryption of disk.

b5img6

Figure 6 Paramount Jigsaw Ransomware Decryptor

 “Settings” section gives the users the option for deleting a file after encryption and ignoring a .fun file in the disk. There may be cases were user will have a .fun file in the user folder where the tool can identify the extension and can ignore those files.

b5img7

Figure 7 Paramount Jigsaw Ransomware Decryptor: Settings tab

Paramount Jigsaw Ransomware Decryptor has a “Report” section which displays details about all decrypted files during the current session.

b5img8

Figure 8 Paramount Jigsaw Ransomware Decryptor: Report Section

Below screenshot compares a file before infected by Jigsaw ransomware and after ransomware decryption.

b5img9

Figure 9 Image in the left shows the file before getting encrypted and in the right shows after decryption by our tool

Paramount Jigsaw Ransomware Decryptor decrypts the file back to the original form without being lost by a single bit. Fig.10 and Fig.11 compares the properties of a file before infection and after decryption by the tool respectively.

b5img10


Figure 10 Properties of the file “ Kalimba.mp3”

b5img11

Figure 11 Properties of file after decrypting by the tool

You can download our tool from here.