Jigsaw ransomware is a Windows-based form of malware that asks: do you want to play a game? Having arrived on the hacker scene in 2016, this ransomware is themed around the popular, and creepy, Billy the Puppet character from the horror movie franchise “Saw.”
After getting over the initial shock of a ransomware based around a puppet, you’ll probably ask yourself: how does Jigsaw ransomware work? This ransomware meets new victims with the tried-and-true ransomware approach: an attachment in a spam email. Once the program is downloaded, the Jigsaw ransomware attack begins, and the user’s files and entire hard drive become encrypted—in other words, completely useless.
So, who has the decryption key? The attacker pulling the strings, so to speak, claims to be the only one who has it (more on that later), and they won’t give it away until the infected user pays up. Specifically, they want their payment in Bitcoin, hence the ransomware’s original name: “BitcoinBlackmailer.”
But if all the Jigsaw ransomware attack did was encrypt your files, it wouldn’t be the end of the world. So after encrypting your files, the malware displays a window with an ominous black background. It contains a picture of Billy the Puppet and the ransom note in eerie green text. A countdown timer beneath the note starts ticking. At the bottom is a blockchain address to which victims must send $150 worth of Bitcoin in order to receive a file decryption key.
Finally, there’s a label warning you how many of your encrypted files will be deleted, and a button to view which files are next on the chopping block. Once the countdown timer ends, the Jigsaw ransomware deletes however many encrypted files are on the docket. The timer resets, the number of files to be deleted next time increases exponentially, and the process begins anew. And if you haven’t paid the ransom within 72 hours, the program deletes each and every file on your computer.
This vicious cycle, combined with the unsettling Billy the Puppet, is meant to pressure victims into giving hackers what they want before finding a way to remove the malware from their computer. Worse yet, Jigsaw ransomware has a failsafe built in: when you attempt to close the program or restart your computer, it will automatically delete up to 1000 of your files in an instant.
The Jigsaw ransomware executable likes to disguise itself in the user’s Task Manager as either Firefox or Dropbox. So if you see Jigsaw’s creepy face lurking in a window on your home screen and still have doubts about whether you’ve been infected, check Task Manager.
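A defender can turn this disguise into a check: a process that carries the Firefox or Dropbox name but runs from outside that application's install directory deserves a closer look. The sketch below is an added example, not code from the original article; the install directories, function names and process records are constructed assumptions to adapt to your own software baseline.

```python
import ntpath
from pathlib import PureWindowsPath

# Assumption: where the genuine applications live in this environment.
EXPECTED_DIRS = {
    "firefox": [r"C:\Program Files\Mozilla Firefox",
                r"C:\Program Files (x86)\Mozilla Firefox"],
    "dropbox": [r"C:\Program Files\Dropbox\Client",
                r"C:\Program Files (x86)\Dropbox\Client"],
}

def _is_under(image_path, directory):
    """True if image_path sits inside directory (case-insensitive, '..' resolved)."""
    resolved = PureWindowsPath(ntpath.normpath(image_path))
    return PureWindowsPath(directory) in resolved.parents

def find_masquerading(processes):
    """Return (pid, name, path, reason) for processes using a watched name
    whose image path is missing or outside the expected install directories."""
    findings = []
    for proc in processes:
        name = proc["name"].lower()
        brand = next((b for b in EXPECTED_DIRS if b in name), None)
        if brand is None:
            continue  # not one of the names the article says Jigsaw borrows
        path = proc.get("path")
        if not path:
            findings.append((proc["pid"], proc["name"], path, "no image path"))
        elif not any(_is_under(path, d) for d in EXPECTED_DIRS[brand]):
            findings.append((proc["pid"], proc["name"], path,
                             "outside expected install directory"))
    return findings

# Constructed sample records (pid, process name, image path); not real telemetry.
SAMPLE = [
    {"pid": 4120, "name": "firefox.exe",
     "path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 5312, "name": "firefox.exe",
     "path": r"C:\Users\alice\AppData\Roaming\example\firefox.exe"},
    {"pid": 6001, "name": "Dropbox.exe",
     "path": r"c:\program files (x86)\dropbox\client\Dropbox.exe"},
    {"pid": 7000, "name": "dropbox.exe", "path": None},
    {"pid": 7100, "name": "FIREFOX.EXE",
     "path": r"C:\Program Files\Mozilla Firefox\..\..\Temp\firefox.exe"},
    {"pid": 800, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in find_masquerading(SAMPLE):
        print(finding)
```

A hit is a lead for investigation rather than proof of infection, since legitimate portable or per-user installs also run from non-standard directories.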
If you’re technically savvy, you can actually reverse engineer the Jigsaw ransomware (it’s written for the .NET framework) to find the decryption key; believe it or not, the malware developer left it in the source code! You can also download a decryption tool, available online, that is built specifically to combat Jigsaw, then use a malware removal tool to remove the program itself.
Remember: stay vigilant against the threat of Jigsaw ransomware attacks. Only open emails from senders that you trust, and always check the exact spelling of email addresses. If an email purports to be from a respected brand but is riddled with spelling errors, there’s a pretty good chance you are being phished.
If you’re looking to protect your web assets from this killer of a cyberthreat, consider migrating your assets over to a non-Windows-based server solution. Since Jigsaw ransomware is only capable of running on Windows devices, a non-Windows machine containing your files would be insulated from the threat posed by Billy the Puppet.
Now that you know the Jigsaw ransomware is neither trick nor treat, you’re ready to defend yourself and your organization against cybercriminals year-round. Read “What Is Ransomware?” to learn how hackers hijack and hold sites hostage—and which four steps can ensure yours will be protected.