JIGSAW ransomware defeated once again, decrypt your files for free


If you are one of the victims of the Jigsaw ransomware, there is good news for you: experts from CheckPoint Security have defeated it once again.

Let’s start the day with some good news: the Jigsaw ransomware has been decrypted again. The JIGSAW ransomware was first spotted in April, when experts noticed that the threat slowly deletes the victim’s files while he hesitates to pay the ransom. Jigsaw threatens to delete thousands of files an hour if the victim doesn’t pay 0.4 Bitcoins or $150, and if the victim restarts the PC, 1,000 files will be deleted.

BitcoinBlackmailer.exe reports that the JIGSAW ransomware will encrypt your files, adding the ‘.FUN’ extension. The author, in the style of the Saw movies, displays the face of the character Billy the Puppet from the horror movie and then threatens to delete files if the ransom is not paid within a time limit.

Malware experts at Check Point published a fix for machines infected by the ransomware.

While investigating the latest Jigsaw ransomware variant (SHA256: 61AA800584B170FFE9959ACD057CCAF784BF3088E1D3AAB39D07C0793F6C03DF) and its false claims to steal users’ credentials and Skype history, the researchers discovered the mechanism the threat uses to check whether the victim has made a payment.

Once the victim decides to make the payment, he presses the “I made a payment, now give me back my files!” button, which triggers an HTTP GET request to:

btc.blockr[.]io/api/v1/address/balance/<bitcoin-account>

The response is a JSON structure:

{"status":"success","data":{"address":"<bitcoin-account>","balance":0,"balance_multisig":0},"code":200,"message":""}

The researchers decided to run some tests by changing fields of the JSON, for example by submitting the address of a Bitcoin account that holds the amount of Bitcoins needed to decrypt the files. The experts changed the “balance” field in the response from 0 to 10; as a result, the JIGSAW ransomware believes the payment was successfully completed and starts decrypting the files and removing itself from the infected PC.

“This got us thinking – what if we change the request, so it queries a different account? Perhaps one that holds the necessary amount of Bitcoins to decrypt our files? Or even better – what if we change the response to say we have the necessary amount? So we did. And it worked.”, reads a blog post published by CheckPoint.
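The exchange described above, modeled on loopback as an added example (it is not Check Point's tool and not code from the ransomware): a stub server answers the balance path with the JSON shape quoted in the article, and `payment_confirmed` is an assumed model of a client that trusts the unauthenticated `balance` field. The function names, the placeholder address and the comparison against 0.4 are assumptions.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_PREFIX = "/api/v1/address/balance/"  # path quoted in the article
REQUIRED_BTC = 0.4  # ransom amount quoted in the article

def make_handler(balance):
    """Build a handler that answers balance queries with a fixed balance."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if not self.path.startswith(API_PREFIX):
                self.send_error(404)
                return
            body = json.dumps({
                "status": "success",
                "data": {"address": self.path[len(API_PREFIX):],
                         "balance": balance, "balance_multisig": 0},
                "code": 200, "message": "",
            }).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # silence per-request logging
            pass
    return Handler

def payment_confirmed(base_url, address, required=REQUIRED_BTC):
    """Assumed model of the client check: it trusts the 'balance' field."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(base_url + API_PREFIX + address, timeout=5) as resp:
        reply = json.load(resp)
    return reply.get("status") == "success" and reply["data"]["balance"] >= required

def run_exchange(balance, address="CONSTRUCTED-ADDRESS"):
    """Serve on loopback and return the client's decision for that reply."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(balance))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return payment_confirmed(f"http://127.0.0.1:{server.server_port}", address)
    finally:
        server.shutdown()
        server.server_close()
```

The decision flips on a single field of a plaintext reply, so whoever answers the request decides the outcome; nothing in the exchange ties the reply to the real balance service.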

Victims of the JIGSAW ransomware can download the decryption tool here and follow the instructions step by step:

  1. Unpack the JPS.zip file.
  2. In the Jigsaw Puzzle Solver folder, right click ‘JPS.exe’ and click ‘run as administrator’.
  3. Follow the instructions displayed on the screen.

Pierluigi Paganini

(Security Affairs – JIGSAW ransomware, malware)