Once a victim is infected, a countdown timer starts. If the $150 ransom isn't paid within the first hour, one file is deleted. As time goes on, more than one file is deleted every hour, and that number increases each time the 60-minute timer is reset. Every time the program is restarted, as many as 1,000 files are deleted!
Jigsaw encrypts 226 different file types with the AES encryption algorithm and appends the .FUN, .BTC, and .KKK extensions to them.
Decryption Tool Available
If you have been infected, the team at BleepingComputer has developed a decryption process for files that have been encrypted. They offer a free tool to perform Jigsaw decryption.
Because this ransomware strain deletes files on a timer, it's important for victims to act as quickly as possible after encryption. That means terminating the two Jigsaw processes (firefox.exe and drpbx.exe) in Task Manager and using MsConfig to remove the auto-run entry for firefox.exe in the Registry. Once users have safely disabled Jigsaw, they can use the decryption tool from BleepingComputer.com.
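The same containment steps can be run from PowerShell. The script below is an added example, not part of the original article or BleepingComputer's tool. It assumes that a genuine firefox.exe carries a valid Authenticode signature while the impostor does not, and that the auto-run entry sits in one of the standard Windows Run keys. -WhatIf keeps it a dry run.

```powershell
# Added example: triage for the two process names the article lists.
# Assumption: a process with one of these names whose binary fails an
# Authenticode check is the impostor; a validly signed firefox.exe
# (the real browser) is left running.
$names = 'firefox', 'drpbx'   # Get-Process takes names without ".exe"

$found = foreach ($p in Get-Process -Name $names -ErrorAction SilentlyContinue) {
    # Path is empty when the process belongs to another user or session
    $sig = if ($p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { $null }
    [pscustomobject]@{ Id = $p.Id; Name = $p.Name; Path = $p.Path; Signature = $sig }
}
$found | Format-Table -AutoSize

# Stop only processes whose binary was checked and is not validly signed.
# Remove -WhatIf after reviewing the table above.
$found |
    Where-Object { $_.Path -and $_.Signature -ne 'Valid' } |
    ForEach-Object { Stop-Process -Id $_.Id -Force -WhatIf }

# Standard per-user and machine-wide auto-run keys (assumed locations)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        # The article names firefox.exe as the auto-run entry to remove
        if ($valueName -and $data -match 'firefox\.exe') {
            '{0}  {1} = {2}' -f $key, $valueName, $data
            Remove-ItemProperty -Path $key -Name $valueName -WhatIf
        }
    }
}
```

Run it from an elevated prompt so process paths and the machine-wide key are readable, and check each listed entry before dropping -WhatIf.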
Know Your Enemy
Many ransomware strains don't have a free decryption method available, but a lot of them do. If you are infected, it's a good idea to check out the ID Ransomware site before doing anything else. The site will tell you what type you're dealing with and whether or not a known decryption method is available without paying the ransom.