A new ransomware dubbed Jigsaw is holding PCs hostage. Named after the bad guy from the "Saw" franchise of horror movies, Jigsaw is a major threat because it doesn't just encrypt data until users pay up. Far worse, it deletes data in an hourly cycle until the victim coughs up and pays the ransom. Users affected by Jigsaw still get a "blessing in disguise": in contrast to other ransomware, there is a free decryption tool for Jigsaw; the link can be found below. People who do nothing, however, will see Jigsaw delete files each hour. Should one decide to reboot, Jigsaw will even immediately delete 1,000 files as punishment. After 72 hours of raging, Jigsaw will delete all files.
Strangely enough, the ransom varies. While some users are told to cough up 150 euro in Bitcoins, others are told to pay 20 euro, or else. Three security researchers, DemonSlay335, MalwareHunterTeam and myself, have come up with a method to save users from data death, with the release of JigsawDecryptor. In order for JigsawDecryptor to work, the affected processes need to be stopped. These processes are "drpbx.exe" and "firefox.exe", familiar-sounding names behind which the ransomware is hiding. Furthermore, the boot entry for firefox.exe needs to be removed; this is done most easily using Msconfig.exe. Other files that need to be deleted are found in the folder %UserProfile%\AppData\Roaming\Frfx\firefox.exe. After executing these steps, JigsawDecryptor can decrypt what Jigsaw encrypted. Jigsaw renames encrypted files with new endings such as .BTC, .FUN and .KKK.
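A read-only check for the indicators listed above, as an added example that is not part of the original article or of JigsawDecryptor. The process names, path and file endings are the ones given here; the scan root and the use of the Win32_StartupCommand class to list startup entries are assumptions.

```powershell
# Added example: read-only triage for the Jigsaw indicators named in the article.
# It only reports findings; it stops, deletes and changes nothing.
$names    = 'drpbx.exe', 'firefox.exe'     # process names from the article
$dropPath = Join-Path $env:USERPROFILE 'AppData\Roaming\Frfx\firefox.exe'
$exts     = '.btc', '.fun', '.kkk'         # file endings from the article
$scanRoot = $env:USERPROFILE               # assumption: scan the user profile only

# 1. Running processes with those names and the path they were started from.
#    InFrfxFolder is true when the image lives under the Frfx folder named above,
#    which separates the impostor from a browser in its normal install directory.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $names -contains $_.Name } |
    Select-Object ProcessId, Name, ExecutablePath,
        @{ Name = 'InFrfxFolder'; Expression = { $_.ExecutablePath -like '*\AppData\Roaming\Frfx\*' } }

# 2. Startup entries whose command line references either executable
#    (assumption: the entry is visible through Win32_StartupCommand).
$startup = Get-CimInstance Win32_StartupCommand |
    Where-Object { $_.Command -match 'firefox\.exe|drpbx\.exe' } |
    Select-Object Name, Command, Location, User

# 3. The dropped copy in the Frfx folder.
$dropped = Test-Path -LiteralPath $dropPath

# 4. Files carrying one of the renamed endings (comparison is case-insensitive).
$renamed = @(Get-ChildItem -LiteralPath $scanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $exts -contains $_.Extension })

'--- Processes named drpbx.exe / firefox.exe ---'
$procs | Format-Table -AutoSize
'--- Startup entries referencing them ---'
$startup | Format-List
"--- Dropped file present at $dropPath : $dropped"
"--- Files ending in .BTC/.FUN/.KKK under $scanRoot : $($renamed.Count)"
$renamed | Select-Object -First 10 -ExpandProperty FullName
```

A firefox.exe process with InFrfxFolder set to False is most likely the real browser and should not be counted as a finding by itself.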
Jigsaw is mainly being spread as an infected email attachment. As always, users shouldn't simply open files attached to an email. The JigsawDecryptor can be downloaded right here.