Jigsaw is not the first strain of ransomware to threaten to delete files, but it is the first one that actually carries out that threat. It's named after the character that appears in its ransom note:

Jigsaw Ransom Note

Once a victim is infected, a countdown timer starts. If the $150 ransom isn't paid within the first hour, one file is deleted. As time goes on, more than one file is deleted every hour, and that number increases each time the 60-minute timer is reset. Every time the program is restarted, as many as 1,000 files are deleted!

Jigsaw encrypts 226 different file types with the AES encryption algorithm and appends the .FUN, .BTC, and .KKK extensions to the encrypted files.

Decryption Tool Available

If you have been infected, the team at BleepingComputer has developed a decryption process for files that have been encrypted. They offer a free tool to perform Jigsaw decryption.

Because this ransomware strain deletes files on a timer, it's important for victims to act as quickly as possible after encryption. That means terminating the two Jigsaw processes (firefox.exe and drpbx.exe) in Task Manager and using MsConfig to remove the auto-run entry for firefox.exe in the Registry. Once users have safely disabled Jigsaw, they can use the decryption tool available above from BleepingComputer.com.
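
The same containment steps can be scripted. The PowerShell below is an added example, not code from this article or from BleepingComputer; it assumes the auto-run entry sits under one of the standard Windows Run keys, and the variable names `$jigsawNames` and `$runKeys` are chosen here for illustration.

```powershell
# Added example, not from the original article. Process and file names are the
# article's; the Run-key locations are an assumption (standard Windows auto-run keys).
$jigsawNames = 'firefox', 'drpbx'   # firefox.exe and drpbx.exe
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'   # removal here needs an elevated shell
)

# 1. List matching processes with their on-disk path so a genuine Firefox
#    browser can be told apart from the ransomware copy before anything is stopped.
$procs = @(Get-Process -Name $jigsawNames -ErrorAction SilentlyContinue)
$procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 2. Stop them. -Confirm prompts for each process; answer No for a real browser.
if ($procs.Count -gt 0) {
    $procs | Stop-Process -Confirm
}

# 3. Find auto-run values that launch firefox.exe and remove them (with a prompt).
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the key's unnamed default value
        $command = [string]$regKey.GetValue($name)
        if ($command -match 'firefox\.exe') {
            Write-Output "Auto-run entry: $key -> $name = $command"
            Remove-ItemProperty -Path $key -Name $name -Confirm
        }
    }
}
```

Stopping the processes first matters because the article notes that files are deleted on a timer and again on every restart of the program; the auto-run removal keeps it from relaunching at the next logon.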

Know Your Enemy

Many ransomware strains don't have a free decryption method available, but a lot of them do. If you are infected, it's a good idea to check out the ID Ransomware site before doing anything else. The site will tell you what type you're dealing with and whether or not a known decryption method is available without paying the ransom.

