Image: Billy the puppet from the Saw movies. Cybercriminals have released a nasty new ransomware named after the Jigsaw killer in Saw that deletes multiple files if victims don't pay up immediately. (Lionsgate Films)

A particularly vindictive individual or group of hackers has released a new crypto-ransomware named Jigsaw, after the killer in the Saw horror films. It not only encrypts the files on your computer, but also sets a timer and deletes more files every hour that the user delays paying the ransom.

The malware targets over 120 file extension types. Once activated, a screen with Billy the puppet (Jigsaw's mouthpiece in the Saw films) tells the victim in either English or Portuguese that they have 24 hours to pay a bitcoin ransom of between $20 and $200 (£14 and £140) in order to decrypt their files.

As each hour passes and the victim does not pay the ransom, the crypto-ransomware deletes more files. After 72 hours have passed, the ransomware is programmed to delete all remaining files on the user's PC.

Even worse, if the user tries to game the system by forcing their PC to shut down and then restarting it, the ransomware punishes the victim by deleting a whopping 1,000 files every single time it has to relaunch and start the timer again, proving that the malware is just as vindictive as the Saw franchise's dastardly John Kramer.

There are now many types of ransomware online that infect users' computers and encrypt their files, and the only way to get the files back is to pay a ransom in bitcoins. This type of malware often threatens to delete the victim's files if they do not pay up, but Jigsaw is the first ever ransomware to actually follow through on those threats.

Ransomware creators might be motivated by chaos, not money

Image: A gif captured by the security researchers shows just how scary the Jigsaw ransomware is when activated. (Bleeping Computer)

Interestingly, because the various variants of Jigsaw demand different amounts of money, it almost seems that the cybercriminals who created the malware might not be motivated by money, but simply want to cause chaos.

Jigsaw is spread via spam emails with malicious attachments. Once launched on your computer, the malware pretends to be the Mozilla Firefox web browser and the file storage service Dropbox by using the process names "firefox.exe" and "drpbx.exe". At the same time, the ransomware also edits the Windows Registry, adding a new entry that causes the fake firefox.exe ransomware file to launch as soon as you restart your computer.

On the plus side, several security researchers, including the founder of technical support site Bleeping Computer and MalwareHunterTeam, have discovered a way that victims can decrypt the ransomware for free without having to pay the ransom or risk losing all their files.

To prevent further damage to their files, victims are advised to immediately open the Task Manager in Windows and terminate all the processes relating to Firefox (firefox.exe) and Dropbox (drpbx.exe), then open MSConfig via the Run command in the Start menu and disable the start-up entry called "firefox.exe", which is the crypto-ransomware hiding on the PC at the location %UserProfile%\AppData\Roaming\Frfx\firefox.exe.

Once the ransomware has been terminated and its corresponding registry entry disabled, you can decrypt the files that have been locked by the malware by downloading the Jigsaw Decrypter. After your files have been decrypted, you will need to use anti-virus software or anti-malware tools to scan your computer to remove Jigsaw for good.
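The process names and file location above can be turned into a simple triage check over an exported process list and start-up entry list. The following is an added example, not code from the article or from the researchers it cites; the input shape, the `TRUSTED_DIRS` install locations and the sample records are assumptions constructed for illustration.

```python
import ntpath
import re

# Process names the article says Jigsaw runs under.
MASQUERADE_NAMES = {"firefox.exe", "drpbx.exe"}
# Location given in the article, relative to %UserProfile%.
JIGSAW_SUFFIX = "\\appdata\\roaming\\frfx\\firefox.exe"
# Assumption: where the genuine programs are installed; adjust per fleet.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

def exe_from_command(command):
    """Pull the executable path out of a start-up command line."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)\b', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command.strip()

def classify(image_path):
    """Return 'jigsaw-path', 'masquerade' or None for one executable path."""
    path = ntpath.normpath(image_path.strip()).lower()
    if path.endswith(JIGSAW_SUFFIX):
        return "jigsaw-path"
    if ntpath.basename(path) in MASQUERADE_NAMES and not path.startswith(TRUSTED_DIRS):
        return "masquerade"
    return None

def triage(processes, autoruns):
    """processes: (pid, image path); autoruns: (entry name, command line)."""
    findings = []
    for pid, image in processes:
        verdict = classify(image)
        if verdict:
            findings.append(("process", pid, verdict))
    for name, command in autoruns:
        verdict = classify(exe_from_command(command))
        if verdict:
            findings.append(("autorun", name, verdict))
    return findings

# Constructed sample inventory (not real telemetry).
SAMPLE_PROCESSES = [
    (4312, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (5120, r"C:\Users\alice\AppData\Roaming\Frfx\firefox.exe"),
    (5188, r"C:\Users\alice\AppData\Local\Temp\drpbx.exe"),
    (812, r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_AUTORUNS = [
    ("firefox.exe", r'"C:\Users\alice\AppData\Roaming\Frfx\firefox.exe"'),
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_AUTORUNS):
        print(finding)
```

A genuine Firefox running from its install directory is left alone, while the same file name under a user profile is flagged, which is the distinction Task Manager's name column alone does not show.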