The evolution of crypto-ransomware in terms of behavior takes a step forward, and a creepy one at that. We have recently encountered a nasty crypto-ransomware family called JIGSAW. Reminiscent to the horror film Saw, this malware toys with users by locking and deleting their files incrementally. To an extent, it instills fear and pressures users into paying the ransom. It even comes with an image of Saw’s very own Billy the puppet, and the red digital clock to boot.
It’s no longer a surprise that crypto-ransomware is the prevalent threat in today’s computing landscape, given its promise of quick ROI for the cybercriminals behind it. It’s also not surprising that many have joined this bandwagon. These days, the name of the crypto-ransomware game is to add “unique” features or “creative” ways to instill fear and put more pressure to users to pay up, despite the fact that, when it comes to their technical routines, there’s not much difference among these malware. JIGSAW joins notable families like PETYA and CERBER that have emerged in the past couple of months alone.
Infection and distribution
Based on our analysis, JIGSAW arrives as a file downloaded from a free cloud storage service named 1fichier[.]com. This service has previously hosted other malware like the information stealer FAREIT, as well as COINSTEALER, which gathers bitcoins. We already notified 1ficher about this incident and they already removed the said malicious URLs. It can also be downloaded at hxxp://waldorftrust[.]com, where JIGSAW is most probably bundled with a cryptominer software.
Once the crypto-ransomware is executed, the user is greeted by an image of Billy, and the ransom note.
The message comes in two languages; English or Portuguese. The note introduces the idea of exponential growth, and applies it on the user’s file and the ransom amount. Recent crypto-ransomware families have ransom amounts that grow as time passes, but not with the same increments as JIGSAW. To make matters worse, it deletes a larger amount of files with every hour while the amount to be paid also increases.
JIGSAW deletes files and increases the ransom amount per hour. And with the exponential increase of files being permanently deleted, users may be pressured into paying the ransom so they may either save the remaining files, or avoid paying a larger ransom. The least amount the user can pay is US$20-150 .
JIGSAW is the first crypto-ransomware with a routine that creates a copy of all the user’s files, encrypts the copies into .fun files, and deletes the original. Some of its variants, however, changed the file extensions into .KKK, .BTC, and .GWS files. It encrypts the following file types:
Figure 4. JIGSAW changes file extensions into .BTC
Figure 5. Red highlighted files are deleted while green highlighted files are the encrypted duplicate
The ransom note also states that if the user forcibly reboots their computer, 1,000 files would be deleted and no duplicate copy will be made. When a user attempts to restart the computer, another threat is given. And in 72 hours, if the user fails to pay, all encrypted files will be deleted.
Figure 6. Restart prompt message
As scary as JIGSAW may be, its structure is still very simple. It has no new capabilities or routines as compared to other crypto-ransomware families. But whatever JIGSAW lacks in sophistication, it makes up with its deviousness. The user interface (UI) and scare tactics used are nastier and moves users into paying the ransom.
Through our analysis, we are also able to identify porn sites as another possible infection vector, apart from PUA/adware. Another version of JIGSAW doesn’t use the Billy image. The alternate version actually shows adult images, with a message that says “YOU ARE A PORN ADDICT.STOP WATCHING SO MUCH PORN. NOW YOU HAVE TO PAY”. The ransom details remain the same as the previous one. Another variant of JIGSAW shows the stock image of pink flowers.
Figure 7. Alternative background images of JIGSAW
JIGSAW isn’t the only crypto-ransomware that’s banking on the fear factor. MAKTUBLOCKER, another recent crypto-ransomware, infects users via email through a malicious file. What’s makes the attack effective is that the mail includes the user’s name and mailing address, making it seem legitimate. What is evident is that crypto-ransomware families are now resorting to more vicious methods of infecting more and more users, and devising new means of forcing victims to pay.
Crypto-ransomware is getting more and more difficult to avoid. That is why users should back up their data regularly and follow the 3-2-1 rule to make sure their data is secure. This also mitigates any damages occurred during the event of a ransomware. Keep in mind that paying ransom is never a guarantee that the attacker would still unlock the encrypted files.
Trend Micro endpoint solutions such as Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Trend Micro Worry-Free™ Business Security can protect users from this threat by detecting malicious files, and email messages before their systems get infected. These solutions are also capable of blocking all related malicious URLs that may contain malware. Systems with Trend Micro™ Smart Protection Suites are also protected from this threat via Trend Micro Endpoint Application Control.
With additional insights and analysis by: Mark Manahan and Jamz Yaneza
SHA1s for related files:
- 0C269C5A641FD479269C2F353841A5BF9910888B – Ransom_JIGSAW.A
- DC307A673AA5EECB5C1400F1D342E03697564F98 – Ransom_JIGSAW.A
- CE42E2C694CA4737AE68D3C9E333554C55AFEE27 – Ransom_JIGSAW.A
- 1AD9F8695C10ADB69BDEBD6BDC39B119707D500E – Ransom_JIGSAW.B
- CA40233610D40258539DA0212A06AF29B07C13F6 – Ransom_JIGSAW.C
- F8431CF0A73E4EDE5B4B38185D73D8472CFE2AE7 – Ransom_JIGSAW.C
- DCE911B1C05DA965C8733935723B88BC29D12756 – Ransom_JIGSAW.D
- 3F6E3E5126C837F46A18EE988DBF5756C2B856AA – Ransom_JIGSAW.E
- 92620194A581A91874A5284A775014E0D71A9DB1 – Ransom_JIGSAW.E
Update as of April 21, 2016, 3:30 P.M. PDT:
We have seen a new version of this ransomware dubbed JIGSAW 2.0 one month after the original was detected. Unlike it’s predecessor, JIGSAW 2.0 uses Confuser to obfuscate its code. The presence of an anti-debugging technique was also found. It is also possible for the new version to terminate or disable forensic tools and windows system utilities such as:
The sample we recovered failed to encrypt any file and kept crashing. This could mean that JIGSAW 2.0 is still on its testing and development phase.
With analysis by Ruby Santos
Additional SHA1s for related files:
- 5d6eeeffe8997aab2b2f38f81ed117b0e1b458d9 Ransom_JIGSAW.F
- 4e647721d4b98b00ce1430241b47348c81837f33 Ransom_JIGSAW.F
- ebb78d5b1e0734a9de81b4c0e4168de8b83ddb7f Ransom_JIGSAW.F
- 4c7b4e20d1cba5a88e74daec7c7577d68feae7f1 Ransom_JIGSAW.G
- ed42fd4a6cf5f813b3640144b456c6aaa9fef3e2 Ransom_JIGSAW.G