Jigsaw Ransomware Decrypted, Again

Check Point researchers have thwarted Jigsaw ransomware’s encryption after discovering a fatal flaw.

The four-month-old Jigsaw ransomware has been defeated again. The ransomware, which packs an emotional punch with its creepy graphics and hallmark countdown clock, can be overcome simply by tricking its code into thinking you’ve already paid.

Researchers at Check Point published a fix for those infected by Jigsaw. The ransomware originally got its name for infecting computers and then displaying the menacing image of “Billy the Puppet” from the horror movie franchise Saw. Jigsaw threatens to delete thousands of files an hour if you don’t pay 0.4 Bitcoins or $150; restarting your PC costs you 1,000 deleted files.

The ransomware persists, despite the fact that it can be defeated by a number of different decryption tools. Check Point, which published its findings last week, said it has found the mechanism the ransomware uses to check whether payments have been made.

“When the user presses the ‘I made a payment, now give me back my files!’ button, the program makes an HTTP GET request to: btc.blockr[.]io/api/v1/address/balance/<bitcoin-account>,” Check Point wrote. “This got us thinking – what if we change the request, so it queries a different account? Perhaps one that holds the necessary amount of Bitcoins to decrypt our files? Or even better – what if we change the response to say we have the necessary amount?”

The experiment worked. “By changing the variable ‘balance’ in the response from 0 to 10, the ransomware believes the payment was made, and starts the process of decrypting the files and removing itself from the victim’s computer,” wrote Check Point.
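For defenders, the payment check quoted above doubles as a network indicator. The following is an added example, not code from Check Point or the original article: it scans proxy logs for GET requests to that balance endpoint and groups them by client. The log format, IP addresses and account strings are constructed for illustration.

```python
import re
from collections import defaultdict

# Payment-check URL quoted in the article, with the defang brackets removed.
BALANCE_CHECK = re.compile(
    r"^https?://btc\.blockr\.io/api/v1/address/balance/"
    r"(?P<account>[A-Za-z0-9]+)/?(?:\?.*)?$",
    re.IGNORECASE,
)

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2000-01-01T09:14:02Z 10.0.4.17 GET http://btc.blockr.io/api/v1/address/balance/1ConstructedSampleAddrAAAAAAAAAAA
2000-01-01T09:14:05Z 10.0.4.22 GET https://example.com/index.html
2000-01-01T09:20:41Z 10.0.4.17 GET http://btc.blockr.io/api/v1/address/balance/1ConstructedSampleAddrAAAAAAAAAAA
2000-01-01T09:31:10Z 10.0.7.3 GET http://BTC.blockr.io/api/v1/address/balance/1ConstructedSampleAddrBBBBBBBBBBB?x=1
2000-01-01T09:33:00Z 10.0.7.3 POST http://btc.blockr.io/api/v1/address/balance/1ConstructedSampleAddrBBBBBBBBBBB
2000-01-01T09:40:00Z 10.0.9.9 GET http://btc.blockr.io/api/v1/address/info/1ConstructedSampleAddrCCCCCCCCCCC
malformed line
"""


def find_balance_checks(log_text):
    """Map each client IP to the accounts it queried and how often."""
    hits = defaultdict(lambda: {"accounts": set(), "count": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:          # skip lines that do not fit the format
            continue
        _ts, client, method, url = fields
        if method.upper() != "GET":   # the article describes a GET request
            continue
        match = BALANCE_CHECK.match(url)
        if match:
            hits[client]["accounts"].add(match.group("account"))
            hits[client]["count"] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, info in sorted(find_balance_checks(SAMPLE_LOG).items()):
        print(client, info["count"], sorted(info["accounts"]))
```

Treat a hit as a lead for triage rather than proof of infection, since the balance API is a public service that other software can also query.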

It’s unclear whether the attackers even care that their ransomware has failed them, assuming that an acceptable number of victims pay before realizing the ransomware can be circumvented. And that hasn’t stopped them in the past.

Just days after the first blitz of Jigsaw ransomware, computer forensics experts at MalwareHunterTeam and individual computer forensics experts Michael Gillespie and Lawrence Abrams developed a decryption tool that allows victims to recover their files for free.

Since then, the Jigsaw ransomware has updated its code, each time displaying different backgrounds ranging from the Hitman computer game and imagery from the Invisible Empire video to porn and, in its most recent incarnation, the Guy Fawkes “Anonymous” mask.

But throughout all of Jigsaw’s incarnations, one thing has remained: the encryption can be defeated relatively simply.

Abrams, who maintains the BleepingComputer website, points out that while the computer coders behind Jigsaw may not be the sharpest tools in the toolbox, that doesn’t mean the ransomware shouldn’t be taken seriously.

“If you don’t know what’s going on, Jigsaw can cause some pretty serious damage to your data before you get a handle on how to defeat the encryption,” Abrams said.

Lotem Finkelsteen, team leader, Threat Intelligence Operations at Check Point, believes we’ll be seeing more of Jigsaw. “The fact that security companies and independent researchers have published decryption tools for it and this did not prevent Jigsaw’s developers from creating and issuing new versions of this ransomware is telling,” he wrote in a prepared statement.
