Menacing ransomware called Jigsaw threatened to delete thousands of files an hour if victims didn’t pay 0.4 Bitcoins or $150. Worse, restarting your PC, according to the attackers, would also cost victims 1,000 deleted files. The icing on the cake was a menacing image of “Billy the Puppet” from the horror movie franchise Saw and an ominous warning message.

“I want to play a game with you. Let me explain the rules: All your files are being deleted,” the ransomware note begins.

But, the Jigsaw horror show appears to be coming to an end—for now.

Researchers analyzing the malware, that include security researchers at MalwareHunterTeam and individual computer forensics experts Michael Gillespie and Lawrence Abrams, have been able to develop a decryption tool that allows victims to recover their files for free.

The trio posted instructions for anyone hit with the Jigsaw ransomware on Abrams’ BleepingComputer.com security blog that include the tool needed to decrypt files. According to Abrams, Jigsaw ransomware used AES encryption which supports a block length of 128 bits and key lengths of 128, 192, and 256 bits.

“The criminals behind this ransomware are taking just as much pleasure in toying with victims as they are taking their money,” Abrams told Threatpost in an interview. But, he said, attackers are living up their promise and are actually destroying the files if people don’t pay up.

According to researchers,  Jigsaw targets 240 different unique file extensions on infected systems and locks up documents with the .FUN, .KKK, .GWS, or, .BTC extensions. Once encrypted, criminals start a countdown clock at 60 minutes. Fail to cough-up payment in an hour and Jigsaw deletes one file. Wait another hour and two files get zapped. With each hour that passes the number of files deleted grow exponentially.

But, just because researchers have figured out a way to outsmart the ransomware authors, doesn’t mean that Jigsaw hasn’t lost its bite. “Your average Jigsaw victim is not going know where to buy a Bitcoin. The process is cumbersome and could take someone days to figure out. And by that time tens of thousands of files are going to be deleted,” Abrams said.

Jigsaw victims can avoid any files from being deleted by going into their Windows Task Manager and terminating the firefox.exe process along with the drpbx.exe processes.

According to researchers, it’s unknown how many systems have been impacted by this ransomware or the means of infection. One clue, according to Abrams, is the fact that some people have been lured into downloading Jigsaw via a fake Firefox browser installation file.

Outsmarting ransomware criminals is not common. But earlier this week, researchers said they were able to crack the Petya ransomeware and develop a decryption tool that allowed victims to generate keys to unlock encrypted files in less than 10 seconds.

“Ransomware is becoming extremely popular,” Abrams said. And because of that, ransomware authors are rushing development of code and cutting corners, making it easier for security professionals to crack. “I wouldn’t be surprise if we didn’t see variants of Petya or Jigsaw soon that simply replaced the encryption engine with something harder to bypass,” he said.

Stay tuned for a Jigsaw sequel, Abrams said.

Categories: Cryptography, Hacks, Malware, Web Security