The Jigsaw ransomware was first spotted in April 2016, and has since received a bit of traction. It became infamous thanks to an image of the Jigsaw killer from the movie ‘Saw’ displayed on the ransom note (hence its name), and its unique way of persuading victims to comply – if payments aren’t made within an hour, Jigsaw starts deleting files from the infected machine.

 

 

While investigating the latest Jigsaw Ransomware variant (SHA256: 61AA800584B170FFE9959ACD057CCAF784BF3088E1D3AAB39D07C0793F6C03DF) and its false claims to steal users’ credentials and Skype history, we came across the mechanism the ransomware uses to check whether payments have been made.

Jigsaw provides the user with a convenient GUI:

111

 

When the user presses the “I made a payment, now give me back my files!” button, the program makes an HTTP GET request to:

 

btc.blockr[.]io/api/v1/address/balance/<bitcoin-account>

 

and as a response, gets the following json:

 

{“status”:”success”,”data”:{“address”:”<bitcoin-account>”,”balance”:0,”balance_multisig”:0},”code”:200,”message”:””}.

 

This got us thinking – what if we change the request, so it queries a different account? Perhaps one that holds the necessary amount of Bitcoins to decrypt our files? Or even better- what if we change the response to say we have the necessary amount?

 

So we did.

 

And it worked.

 

By changing the variable “balance” in the response from 0 to 10, the ransomware believes the payment was made, and starts the process of decrypting the files and removing itself from the victim’s computer.

 

This simple remedy seems to work on older Jigsaw ransomware variants as well, and leaves no trace of the malware on the infected machine.

 

The decryption tool which was developed based on the above findings can be downloaded here

 

User manual –

  1. Unpack the JPS.zip file.
  2. In the Jigsaw Puzzle Solver folder, right click ‘JPS.exe’ and click ‘run as administrator’.
  3. Follow the instructions displayed on the screen.

  1. I needed to send you a little word to finally give many thanks yet again for your personal pleasant advice you’ve contributed above.
    It’s certainly pretty open-handed with people like you to allow unhampered what
    most of us could have offered for an ebook to help make some profit for themselves, principally seeing that you might
    well have done it if you ever desired. These advice in addition worked as a great way to understand that some people have a similar keenness much like my own to understand
    somewhat more with respect to this condition. I am sure there are some
    more pleasant times in the future for people who look into your blog.

    Here is my web site: take-down release

Comments are closed.