Jigsaw Ransomware

Posted: April 12, 2016
Threat Metric
Threat Level: 10/10
Infected PCs: 2,471

Jigsaw Ransomware Description


The Jigsaw Ransomware is a file encryptor that encrypts and deletes files until the victim pays a ransom through its included pop-up interface. Because free decryptors are available, no ransom payment should be required to restore the data that the Jigsaw Ransomware modifies. However, the Jigsaw Ransomware will continue to delete digital content periodically. One of its versions doesn't deliver any of the data-locking or erasing features, which makes paying its ransom especially frivolous. Removing the Jigsaw Ransomware with anti-malware tools as soon as possible is essential for accomplishing full data recovery.

The Jigsaw Ransomware: the Trojan Sawing Through Your Files

A favorite tactic of ransom-based threats is to warn that refusing to pay their fee will result in hardware damage, digital content deletion, or the destruction of the key required to access your files. In almost all cases, these warnings are bluffs without any corresponding function. However, at least one threat author has seen fit to follow through on his threats dramatically, via the Jigsaw Ransomware. Updated versions of the Jigsaw Ransomware so far seem to be disguising themselves as installers or updates for the Chrome Web browser, which could circulate via torrents or compromised websites. The exploits most likely to install the Jigsaw Ransomware and its variants include website-based attacks that use JavaScript, Flash, or similar content platforms to deliver drive-by-downloads with automatic installation processes. Disabling these advanced features while browsing any sites you don't trust implicitly, and running monitoring anti-malware programs able to detect such threats, can prevent your PC from becoming infected. Once a PC is compromised, malware experts recommend using a non-compromised device to boot it into Safe Mode, which will help you remove the Jigsaw Ransomware without its pop-up blocking the appropriate security software.

As a form of file encryptor, the Jigsaw Ransomware follows the standards laid out by previous Trojans. The Jigsaw Ransomware scans for files, isolating ones of work or entertainment media formats such as GIF, DOC, or WAV. An AES encryption sequence blocks the users from opening their files, while the addition of a new extension tag ('.fun') highlights them for identification. Then the Jigsaw Ransomware loads a pop-up, including a ransom demand and an embedded decryptor UI. After the victim makes a Bitcoin payment of roughly 160 USD to the provided address, the Jigsaw Ransomware verifies the transaction and runs the decryption function, returning all data to its previous state. However, the Jigsaw Ransomware currently uses an invalid Bitcoin address, which makes any attempted ransom transaction fail.

However, the Jigsaw Ransomware also may include an active data-deleting function. This aspect of the payload operates on an hourly timer, but also loads automatically, whenever the Jigsaw Ransomware starts. Since the Jigsaw Ransomware starts every time the PC's operating system boots up, each restart costs the victim one thousand files' worth of data.

Solving a Threat Puzzle on a Tight Timer

The Jigsaw Ransomware gets its name from the Saw movie-themed imagery in its ransom demand. Like the death traps of that movie series, the Jigsaw Ransomware places its victims on a strict schedule to respond before receiving irreparable damage. However, the Jigsaw Ransomware also has more solutions than its cinematic universe equivalent. Security researchers already have developed a free decryptor that can restore your content, once the Jigsaw Ransomware is shut down and removed.

Because of the strict behavioral considerations with the Jigsaw Ransomware, malware researchers recommend disabling this threat before taking any other steps. You should terminate all corrupted 'firefox.exe' and 'drpbx.exe' memory processes through your Task Manager application, which will halt the ongoing timer and data deletion process. Then, you can delete the Jigsaw Ransomware with your preferred anti-malware product.
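What separates the 'corrupted' firefox.exe and drpbx.exe processes from a legitimate browser is the image path. The triage sketch below is an added example, not part of the original article or of any vendor tool: it flags processes running out of the directories listed under Technical Details further down this page and picks out files carrying the '.fun' marker. Flagging by folder alone is a heuristic assumed here, and the profile path, PIDs and file names are constructed sample data.

```python
import ntpath  # Windows path rules, usable on any analysis workstation

# Drop locations as listed in this page's Technical Details section.
JIGSAW_DIRS = [
    r"%APPDATA%\frfx",
    r"%APPDATA%\System32Work",
    r"%APPDATA%\WIND0WS",
    r"%LOCALAPPDATA%\Google (x86)",
    r"%LOCALAPPDATA%\MICR0SOFT",
    r"%LOCALAPPDATA%\Drpbx",
]


def expand(template, profile):
    """Expand %APPDATA% / %LOCALAPPDATA% for one user profile directory."""
    roots = {"%APPDATA%": ntpath.join(profile, "AppData", "Roaming"),
             "%LOCALAPPDATA%": ntpath.join(profile, "AppData", "Local")}
    for var, root in roots.items():
        template = template.replace(var, root)
    return ntpath.normcase(ntpath.normpath(template))


def is_suspect(image_path, profile):
    """True when a process image runs from one of the listed drop directories."""
    folder = ntpath.dirname(ntpath.normcase(ntpath.normpath(image_path)))
    return folder in {expand(d, profile) for d in JIGSAW_DIRS}


def triage(processes, files, profile):
    """Return (PIDs to terminate first, files carrying the '.fun' marker)."""
    pids = [pid for pid, image in processes if is_suspect(image, profile)]
    locked = [f for f in files if f.lower().endswith(".fun")]
    return pids, locked


# Constructed sample data (not taken from a real host).
PROFILE = r"C:\Users\alice"
PROCESSES = [
    (1204, r"C:\Program Files\Mozilla Firefox\firefox.exe"),  # real browser
    (3380, r"C:\Users\alice\AppData\Roaming\Frfx\firefox.exe"),
    (3412, r"C:\Users\alice\AppData\Local\Drpbx\drpbx.exe"),
    (990, r"C:\Windows\explorer.exe"),
]
FILES = [r"C:\Users\alice\Documents\report.doc.fun",
         r"C:\Users\alice\Music\song.wav",
         r"C:\Users\alice\Pictures\cat.gif.FUN"]

if __name__ == "__main__":
    pids, locked = triage(PROCESSES, FILES, PROFILE)
    print("terminate first:", pids, "| files marked .fun:", len(locked))
```

Path comparison is case-insensitive and tolerant of forward slashes, so the same check works on process listings exported from different tools.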

PC users without any interest in going through a potentially lengthy decryption process should, instead, consider alternative forms of data protection, such as remote backup resources. While the Jigsaw Ransomware is only the first kind of file encryptor with a confirmed ability to follow through on its threats, similar threats may follow in its footsteps if its campaign proves profitable.


Technical Details

File System Modifications


The following files were created in the system:



file.exe
File name: file.exe
Size: 252.42 KB (252421 bytes)
MD5: e62917bbe39c6363005881fa8f9c4af8
Detection count: 50
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 16, 2017

%SYSTEMDRIVE%\users\volkanoz\appdata\local\drpbx\drpbx.exe
File name: drpbx.exe
Size: 2.07 MB (2079744 bytes)
MD5: 3cad3391255a1142c5f0724fcf8cca35
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\users\volkanoz\appdata\local\drpbx\
Group: Malware file
Last Updated: November 23, 2018

%SYSTEMDRIVE%\users\ok\appdata\roaming\frfx\firefox.exe
File name: firefox.exe
Size: 272.38 KB (272384 bytes)
MD5: 6c92e26b1c25a7a453fe61ca9c0d07f1
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\users\ok\appdata\roaming\frfx\
Group: Malware file
Last Updated: November 23, 2018


Registry Modifications


The following newly produced Registry Values are:

Directory
%APPDATA%\frfx
%APPDATA%\System32Work
%APPDATA%\WIND0WS
%LOCALAPPDATA%\Google (x86)
%LOCALAPPDATA%\MICR0SOFT

Regexp file mask
%LOCALAPPDATA%\Drpbx\drpbx.exe
