Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

JIGSAW ransomware slowly deletes your files as you shilly-shally to pay the ransom

A new threat is appeared in the wild it is the JIGSAW ransomware that slowly deletes your files as you shilly-shally to pay the ransom. A new crypto-malware has appeared in the wild, its name is JIGSAW ransomware. The BitcoinBlackmailer.exe explains JIGSAW ransomware will encrypt your files adding ‘.FUN’ extension. The author, in the Saw-movie […]

JIGSAW ransomware slowly deletes your files as you shilly-shally to pay the ransom

A new threat is appeared in the wild it is the JIGSAW ransomware that slowly deletes your files as you shilly-shally to pay the ransom.

A new crypto-malware has appeared in the wild, its name is JIGSAW ransomware. The BitcoinBlackmailer.exe explains JIGSAW ransomware will encrypt your files adding ‘.FUN’ extension.

The author, in the Saw-movie style, displays the face of the character Billy the Puppet from the horror movie and then threatens to delete files if the ransom is not paid within a time limit.

JIGSAW ransomware 2

Behavior of a Machine infected by JIGSAW

Security Engineers at Forcepoint Security Labs were able to make a reverse engineering of the malware and obtain the encryption key used by JIGSAW to encrypt the file and 100 Bitcoin addresses used for payment of the ransom.

The use of horror movie images caused distress in the victim, it is a new tactic used by the malware author that also tried to obfuscate theirs .NET code to prevent analysis. Fortunately, it was easy for the experts to deobfuscate the source code allowing them a deep analysis of the JIGSAW ransomware. The malware was built with poor coding standards such that it can be easily reversed engineered by any entry-level malware analyst as the author failed to advise to strip out the text from the executable.

“Written in .NET, the malware can be reverse engineered without any great difficulty.  This helps us greatly.  So much so, that Forcepoint Security Labs are able to retrieve the encryption key (highlighted in yellow) used by the malware to encrypt the file” reads the analysis published by Forcepoint Security Labs.

The experts analyzed a number of the most recently seen variants of the JIGSAW ransomware, they took note of a number of attributes, including their sizes, time stamps (build date/time) and meta-data extracted from the images with the ExifTool.

The experts also discovered the author’s landing page as well as the JIGSAW malware kit offered for sale at $139 dollars on a Tor market place. The purchaser would get the source code for JIGSAW written in C# with step by step tutorial for deploying the malware. The malware had gone for sale 24 times since 04/03/2016.

JIGSAW ransomware 3

The sample analyzed by the experts pointed to two distinct Bitcoin addresses used for the payment of the ransomware. One of the Bitcoin addresses has never received any ransom payment, meanwhile, the second one received a total of 89$ bitcoin.

The author provided also a well-documented tutorial on how to configure and build the software.

Let me suggest to give a look to the report published by Forcepoint.

Written by: Imdadullah Mohammed

Author Bio: Imdad is an Information Security Consultant, He is also a Moderator for Pune Chapter of Null – The open security community in India and Also member of Garage4hackers. A true open source and Information Security enthusiast. His core area of expertise includes Vulnerability Assessment and Penetration Testing of the Web application, Mobile application and Networks, as well as Server Hardening.

[adrotate banner=”9″]

Edited by Pierluigi Paganini

(Security Affairs – JIGSAW ransomware, malware)