Jump to content

Jigsaw Ransomware Decrypted, Again


Recommended Posts

This is a solution for one type of ransomware, but if you get it, you'll be glad you saw this.




"The four-month-old Jigsaw ransomware has been defeated again. The ransomware, that packs an emotional punch with its creepy graphics and hallmark countdown clock, can be overcome simply by tricking the ransomware code into thinking you’ve already paid.


Researchers at Check Point published a fix for those infected by Jigsaw. The ransomware originally got is name for infecting computers and then displaying the menacing image of “Billy the Puppet” from the horror movie franchise Saw. Jigsaw threatens to delete thousands of files an hour if you don’t pay 0.4 Bitcoins or $150; restarting your PC costs you 1,000 deleted files.


The ransomware persists, despite the fact that it can be defeated by a number of different decryption tools. Check Point, which published its findings last week, said it has found the mechanism the ransomware uses to check whether payments have been made.


“When the user presses the ‘I made a payment, now give me back my files!’ button, the program makes an HTTP GET request to: btc.blockr[.]io/api/v1/address/balance/<bitcoin-account>,” Check Point wrote. “This got us thinking – what if we change the request, so it queries a different account? Perhaps one that holds the necessary amount of Bitcoins to decrypt our files? Or even better- what if we change the response to say we have the necessary amount?”


The experiment worked. “By changing the variable “balance” in the response from 0 to 10, the ransomware believes the payment was made, and starts the process of decrypting the files and removing itself from the victim’s computer,” wrote Check Point.


Abrams, who maintains the BleepingComputer website, points out that while the computer coders behind Jigsaw may not be the sharpest tools in the toolbox that doesn’t mean the ransomware shouldn’t be taken seriously.


“If you don’t know what’s going on, Jigsaw can cause some pretty serious damage to your data before you get a handle on how to defeat the encryption,” Abrams said."


More details and resources here: https://threatpost.com/jigsaw-ransomware-decrypted-again/119186/

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...