Wednesday, 25 January 2017

Jigsaw Ransomware

Ransomware name: Jigsaw
File extensions: .paytounlock, .FUN, .KKK, .GWS, or .BTC
Encryption used: AES-128-CBC
Ransom: 100 to 300 USD in Bitcoin
Distribution: spam emails and exploits

The underlying code shows that the malware is quite basic: it does not open any sessions with remote C&C servers and has a straightforward file structure. Upon infection it modifies a few registry values and can gather some basic system information about the infected host.


The infection relies on the .NET Framework being installed on the PC in order to run. Its behaviour is typical for this kind of ransomware: it encrypts the targeted user files and then displays a ransom note that extorts the victim for a payment to restore their files.


We have managed to extract the list that shows the affected file types:
.jpg .jpeg .raw .tif .gif .png .bmp .3dm .max .accdb .db .dbf .mdb .pdb .sql .dwg .dxf .c
.cpp .cs .h .php .asp .rb .java .jar .class .py .js .aaf .aep .aepx .plb .prel .prproj
.aet .ppj .psd .indd .indl .indt .indb .inx .idml .pmd .xqx .ai .eps .ps .svg .swf
.fla .as3 .as .txt .doc .dot .docx .docm .dotx .dotm .docb .rtf .wpd .wps .msg .pdf .xls
.xlt .xlm .xlsx .xlsm .xltx .xltm .xlsb .xla .xlam .xll .xlw .ppt .pot .pps .pptx
.pptm .potx .potm .ppam .ppsx .ppsm .sldx .sldm .wav .mp3 .aif .iff .m3u .m4u .mid
.mpa .wma .ra .avi .mov .mp4 .3gp .mpeg .3g2 .asf .asx .flv .mpg .wmv .vob .m3u8
.mkv .dat .csv .efx .sdf .vcf .xml .ses .rar .zip .7zip
A ransomware note is then shown to the user which contains the following message:
I want to play a game with you. Let me explain the rules:
Your personal files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently,
therefore I won’t be able to access them, either.
Are you familiar with the concept of exponential growth? Let me help you out.
It starts out slowly then increases rapidly.
During the first 24 hours you will only lose a few files,
the second day a few hundred, the third day a few thousand, and so on.
If you turn off your computer to try to close me, when I start next time
you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that
is capable to decrypt your personal data for you.
Now, let’s start and enjoy our little game together!

Jigsaw Ransomware Distribution

The Jigsaw Ransomware poses as a counterfeit Mozilla Firefox installer and/or updater. The binary files are distributed mainly through counterfeit download sites or spam email messages.


When encrypting a file it will add the filename to a list of encrypted files located at %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. It will also assign a bitcoin address and save it in the %UserProfile%\AppData\Roaming\System32Work\Address.txt file.
Other infection methods include browser hijackers and malicious advertisements (ads) that can lead to links or attachments carrying the infection.


Files associated with the Jigsaw Ransomware

File locations on an infected system

%UserProfile%\AppData\Roaming\Frfx\
%UserProfile%\AppData\Roaming\Frfx\firefox.exe
%UserProfile%\AppData\Local\Drpbx\
%UserProfile%\AppData\Local\Drpbx\drpbx.exe
%UserProfile%\AppData\Roaming\System32Work\
%UserProfile%\AppData\Roaming\System32Work\Address.txt
%UserProfile%\AppData\Roaming\System32Work\dr
%UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt

Registry entries associated with the Jigsaw Ransomware

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe %UserProfile%\AppData\Roaming\Frfx\firefox.exe

How to Remove It Manually:

1) Open the Run window
2) Type “msconfig” and then press Enter
3) Choose the tab named “Boot”
4) Tick the “Safe Boot” option and then tick “Network” under it
5) Apply -> OK
6) Open My Computer
7) On Windows 7:
Click the “Organize” button
Select “Folder and search options”
Select the “View” tab
Go under “Hidden files and folders” and mark the “Show hidden files and folders” option
8) Press the key combination CTRL+SHIFT+ESC
9) Go to “Processes”
10) When you find a suspicious process, right-click it and select “Open File Location”
11) Go back to Task Manager and end the malicious process: right-click it again and choose “End Process”
12) Next, go to the folder where the malicious file is located and delete it
13) Open Run
14) In the box, write “regedit” (without the inverted commas) and hit Enter
15) Press CTRL+F and write the malicious name in the search field to locate the malicious executable
16) If you have discovered registry keys and values related to the name, delete them, but be careful not to delete legitimate keys
Further help for Windows Registry repair
17) Use existing backups
18) Restore your personal files using File History
– Hit the WIN key
– Type “restore your files” in the search box
– Select “Restore your files with File History”
– Choose a folder or type the name of the file in the search bar
– Hit the “Restore” button
19) If you have created a system restore point, you can use the System Restore option and restore the system
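The same triage and clean-up, written as a PowerShell script so it can be rehearsed and repeated on several machines. This is an added example and not code from the original post; it is built only from the file paths, the Run value and the ransom extensions listed above. It assumes it is run from an elevated PowerShell prompt inside the affected user's session; Remove-JigsawArtifacts supports -WhatIf so the removal can be previewed before anything is deleted.

```powershell
# Added example, not part of the original post: inventory and clean-up helpers built
# only from the artifacts the post lists (file paths, Run value, ransom extensions).
# Assumption: run in the affected user's session from an elevated PowerShell prompt.

$JigsawRunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$JigsawRunValue = 'firefox.exe'
# Extensions Jigsaw appends to the files it has encrypted (from the post's header).
$JigsawExtensions = @('.paytounlock', '.fun', '.kkk', '.gws', '.btc')

function Get-JigsawArtifacts {
    [CmdletBinding()]
    param([string]$UserProfile = $env:USERPROFILE)

    # Dropped binaries and bookkeeping files, relative to %UserProfile%.
    $relative = @(
        'AppData\Roaming\Frfx\firefox.exe',
        'AppData\Local\Drpbx\drpbx.exe',
        'AppData\Roaming\System32Work\Address.txt',
        'AppData\Roaming\System32Work\dr',
        'AppData\Roaming\System32Work\EncryptedFileList.txt'
    )
    foreach ($r in $relative) {
        $p = Join-Path $UserProfile $r
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Type = 'File'; Location = $p; Data = $null }
        }
    }

    # Persistence: a Run value named firefox.exe pointing at the fake Firefox binary.
    $run = Get-ItemProperty -Path $JigsawRunKey -Name $JigsawRunValue -ErrorAction SilentlyContinue
    if ($run) {
        [pscustomobject]@{
            Type = 'Registry'; Location = "$JigsawRunKey\$JigsawRunValue"; Data = $run.$JigsawRunValue
        }
    }
}

function Find-JigsawEncryptedFiles {
    [CmdletBinding()]
    param([string]$Root = $env:USERPROFILE)

    # Files carrying one of the ransom extensions; the count gives a first sense of impact.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $JigsawExtensions -contains $_.Extension.ToLowerInvariant() }
}

function Remove-JigsawArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$UserProfile = $env:USERPROFILE)

    $badDirs = @('AppData\Roaming\Frfx', 'AppData\Local\Drpbx') |
        ForEach-Object { Join-Path $UserProfile $_ }

    # Steps 8-11: end the running copies first. Match on the binary's directory so a
    # legitimate Firefox process (also named firefox.exe) is left alone.
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $exe = try { $_.Path } catch { $null }   # Path can throw for protected processes
        $exe -and ($badDirs | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Path, 'Stop-Process')) { Stop-Process -Id $_.Id -Force }
    }

    # Steps 13-16: remove the known Run value instead of searching the registry by hand.
    if (Get-ItemProperty -Path $JigsawRunKey -Name $JigsawRunValue -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("$JigsawRunKey\$JigsawRunValue", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $JigsawRunKey -Name $JigsawRunValue
        }
    }

    # Step 12: delete the dropped binaries. System32Work is deliberately kept:
    # EncryptedFileList.txt is the inventory of what has to be restored from backup.
    foreach ($d in $badDirs) {
        if ((Test-Path -LiteralPath $d) -and $PSCmdlet.ShouldProcess($d, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $d -Recurse -Force
        }
    }
}

# Typical run: inventory first, preview the clean-up, then apply it.
Get-JigsawArtifacts | Format-Table -AutoSize
(Find-JigsawEncryptedFiles | Measure-Object).Count
Remove-JigsawArtifacts -WhatIf
# Remove-JigsawArtifacts
```

Keep the System32Work folder until the files have been restored: EncryptedFileList.txt tells you exactly which files were touched, and Address.txt is evidence worth preserving. Run Get-JigsawArtifacts again after the removal to confirm that nothing is reported, then continue with steps 17 to 19 to restore the encrypted files from backups or File History.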

Recovery Tool