
Jigsaw Ransomware

Posted: April 12, 2016

Threat Metric

Ranking: 4,859
Threat Level: 10/10
Infected PCs: 10,968
First Seen: April 12, 2016
Last Seen: October 16, 2023
OS(es) Affected: Windows


The Jigsaw Ransomware is a file encryptor that encrypts and deletes files until the victim pays a ransom through its included pop-up interface. Due to the availability of free decryptors, no ransom payments should be required for restoring the data that's modified by the Jigsaw Ransomware. However, the Jigsaw Ransomware will continue to delete digital content periodically, although one of its versions doesn't deliver any of the data-locking or erasing features, which makes paying its ransom especially frivolous. Removing the Jigsaw Ransomware with anti-malware tools as soon as possible is essential for accomplishing full data recovery.

The Jigsaw Ransomware: the Trojan Sawing Through Your Files

A favorite tactic amongst ransom-based threats is to warn that refusing to pay their fee will result in hardware damage, deletion of digital content, or destruction of the key required to access your files. In almost all cases, these threats are bluffs without any corresponding function. However, at least one threat author has seen fit to follow through on his threats dramatically, via the Jigsaw Ransomware. Updated versions of the Jigsaw Ransomware so far seem to disguise themselves as installers or updates for the Chrome Web browser, which could circulate via torrents or compromised websites. The delivery vectors most likely to install the Jigsaw Ransomware and its variants are website-based attacks that use JavaScript, Flash, or similar content platforms to deliver drive-by downloads with automatic installation processes. Disabling these features while browsing any sites you don't trust implicitly, and running monitoring anti-malware programs able to detect such threats, can prevent your PC from becoming infected. Once a PC is compromised, malware experts recommend using a non-compromised device to look up how to boot the PC into Safe Mode, which will help you remove the Jigsaw Ransomware without its pop-up blocking the appropriate security software.

As a form of file encryptor, the Jigsaw Ransomware follows the standards laid out by previous Trojans. The Jigsaw Ransomware scans for files, isolating ones in work or entertainment media formats such as GIF, DOC, or WAV. An AES encryption sequence blocks the users from opening their files, while the addition of a new extension tag ('.fun') marks them for identification. Then the Jigsaw Ransomware loads a pop-up, including a ransom demand and an embedded decryptor UI. After the victim makes a Bitcoin payment of roughly 160 USD to the provided address, the Jigsaw Ransomware verifies the transaction and runs the decryption function, returning all data to its previous state. However, the Jigsaw Ransomware currently uses an invalid Bitcoin address, so any attempted ransom transaction fails.

However, the Jigsaw Ransomware also may include an active data-deleting function. This aspect of the payload operates on an hourly timer, but also loads automatically, whenever the Jigsaw Ransomware starts. Since the Jigsaw Ransomware starts every time the PC's operating system boots up, each restart costs the victim one thousand files' worth of data.

Solving a Threat Puzzle on a Tight Timer

The Jigsaw Ransomware gets its name from the Saw movie-themed imagery in its ransom demand. Like the death traps of that movie series, the Jigsaw Ransomware places its victims on a strict schedule to respond before receiving irreparable damage. However, the Jigsaw Ransomware also has more solutions than its cinematic universe equivalent. Security researchers already have developed a free decryptor that can restore your content, once the Jigsaw Ransomware is shut down and removed.

Because of the strict behavioral considerations with the Jigsaw Ransomware, malware researchers recommend disabling this threat before taking any other steps. You should terminate the Trojan's 'firefox.exe' and 'drpbx.exe' processes through your Task Manager application (these run from the AppData paths listed under Technical Details, not from a genuine Firefox installation), which will halt the ongoing timer and data deletion process. Then, you can delete the Jigsaw Ransomware with your preferred anti-malware product.
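The response steps above, written out as an added PowerShell triage script (this is not code from the original page): it stops only processes running from the two dropped paths, removes the autostart value that would relaunch the Trojan at boot, checks the dropped binaries against the MD5s from the file table below, and counts the '.fun' files left for the decryptor. It assumes an elevated session as the affected user and that the autostart value sits in the HKCU Run key (the page gives only the file mask, so the key location is an assumption).

```powershell
# Added triage script, not from the original page. Assumes an elevated session as the
# affected user and that the autostart value lives in the HKCU Run key (assumption).
$dropped = @(
    (Join-Path $env:APPDATA      'frfx\firefox.exe'),
    (Join-Path $env:LOCALAPPDATA 'Drpbx\drpbx.exe')
)
# MD5s taken from the page's file table
$knownMd5 = @(
    '3cad3391255a1142c5f0724fcf8cca35',   # drpbx.exe
    '6c92e26b1c25a7a453fe61ca9c0d07f1',   # firefox.exe (frfx)
    '33fcc8abbc885083646a4079903971bb'    # firefox.exe (frfx), second build
)

# Step 1: stop the hourly deletion timer. Match on the image path, not the process name,
# so a legitimate Firefox under Program Files keeps running.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($dropped -contains $_.Path) } |
    ForEach-Object {
        Write-Host "Stopping $($_.ProcessName) (PID $($_.Id)) from $($_.Path)"
        Stop-Process -Id $_.Id -Force
    }

# Step 2: remove the autostart value so a reboot does not relaunch the Trojan and cost
# another thousand files. Only values whose data points at the dropped binary are touched.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*\Drpbx\drpbx.exe*' } |
        ForEach-Object {
            Write-Host "Removing Run value '$($_.Name)' -> $($_.Value)"
            Remove-ItemProperty -Path $runKey -Name $_.Name
        }
}

# Step 3: confirm the dropped binaries against the known hashes, then quarantine them by
# renaming so nothing can execute them while the anti-malware scan runs.
foreach ($file in $dropped) {
    if (Test-Path $file) {
        $md5 = (Get-FileHash -Path $file -Algorithm MD5).Hash.ToLower()
        $verdict = if ($knownMd5 -contains $md5) { 'known Jigsaw sample' } else { 'unknown hash, submit for analysis' }
        Write-Host "$file  MD5=$md5  $verdict"
        Rename-Item -Path $file -NewName "$(Split-Path $file -Leaf).quarantine"
    }
}

# Step 4: inventory the '.fun' files the free decryptor will need to process.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.fun' -ErrorAction SilentlyContinue
Write-Host "$($encrypted.Count) encrypted (.fun) files found under $env:USERPROFILE"
```

Run Step 1 before anything else; the deletion routine also fires at startup, so do not reboot until Step 2 has removed the autostart value.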

PC users without any interest in going through a potentially lengthy decryption process should, instead, consider alternative forms of data protection, such as remote backup resources. While the Jigsaw Ransomware is only the first kind of file encryptor with a confirmed ability to follow through on its threats, if its campaign proves profitable, some similar threat also may follow in its footsteps.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 163.84 KB (163840 bytes)
MD5: 163811311d2ed56d0ac56cb1ad158a26
Detection count: 74
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 1, 2017

File name: file.exe
Size: 252.42 KB (252421 bytes)
MD5: e62917bbe39c6363005881fa8f9c4af8
Detection count: 50
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 16, 2017

File name: file.exe
Size: 55.29 KB (55296 bytes)
MD5: cd38cdcb4beafe23d450ace1d1179d92
Detection count: 36
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: drpbx.exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\local\drpbx
Size: 2.07 MB (2079744 bytes)
MD5: 3cad3391255a1142c5f0724fcf8cca35
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 23, 2018

File name: firefox.exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\frfx
Size: 272.38 KB (272384 bytes)
MD5: 6c92e26b1c25a7a453fe61ca9c0d07f1
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 23, 2018

File name: firefox.exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\frfx
Size: 269.31 KB (269312 bytes)
MD5: 33fcc8abbc885083646a4079903971bb
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 23, 2018

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask: %LOCALAPPDATA%\Drpbx\drpbx.exe

Additional Information

The following directories were created:

%APPDATA%\System32Work
%APPDATA%\WIND0WS
%APPDATA%\frfx
%LOCALAPPDATA%\Google (x86)
%LOCALAPPDATA%\MICR0SOFT
%appdata%\google (x86)
