April 15, 2016

Jigsaw - The New Ransomware Threat on the Block

As if the Saw movie franchise wasn't creepy enough, cyber criminals have decided to use the Jigsaw theme for their latest attack on unwitting users.

The ransomware encrypts a large range of file types, and then warns the user that for every hour that passes without payment, more files will be deleted.

If 72 hours pass without payment, all encrypted files will be wiped from the user's hard drive.

Adding another layer of drama to the malware is the message "Try anything funny and we will delete more of your files". For instance, every time a user tries to restart their computer, mistakenly thinking that will solve the problem, another 1000 files will be deleted.

One major difference between Jigsaw and the notorious Cryptolocker is the speed with which a decryptor has been developed. Malware experts including Lawrence Abrams from bleepingcomputer.com banded together to release the decryption method laid out below.

  • The first thing that users affected by this ransomware program should do is to open the Windows Task Manager and terminate all processes named firefox.exe or drpbx.exe that were created by the ransomware.
  • Then they should launch the Windows MSConfig utility and disable the startup entry that points to %UserProfile%\AppData\Roaming\Frfx\firefox.exe.
  • This will stop the file deletion process and will prevent the malware from restarting when the system boots up.
  • Users can then download the Jigsaw Decrypter utility hosted by BleepingComputer.com and decrypt their files. When that's done it's highly recommended that users download an up-to-date anti-malware program and perform a full scan of their computer to completely remove the ransomware.
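The manual steps above can be scripted for a responder checking a host. The following is an added example, not from the original post or from BleepingComputer: it flags processes and startup entries that match the indicators given above, matching the firefox.exe process on its path (%UserProfile%\AppData\Roaming\Frfx\firefox.exe) rather than its name alone, so a legitimate Firefox install under Program Files is not touched. It assumes the startup entry lives in an HKCU/HKLM Run key or the Startup folder (the post only says "startup entry") and matches drpbx.exe by name because no path is given for it.

```powershell
# Added example: triage a Windows host for the Jigsaw indicators named in the post.
# Run with -WhatIf to report only; without it, matched processes are stopped and
# matched Run entries removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$frfxPath = Join-Path $env:APPDATA 'Frfx\firefox.exe'

# 1. Running processes: firefox.exe is matched on its full path, drpbx.exe on name
$suspect = Get-CimInstance Win32_Process | Where-Object {
    ($_.ExecutablePath -and $_.ExecutablePath -ieq $frfxPath) -or
    $_.Name -ieq 'drpbx.exe'
}
foreach ($p in $suspect) {
    Write-Warning ("Suspicious process {0} (PID {1}) path={2}" -f $p.Name, $p.ProcessId, $p.ExecutablePath)
    if ($PSCmdlet.ShouldProcess("PID $($p.ProcessId)", 'Stop-Process')) {
        Stop-Process -Id $p.ProcessId -Force
    }
}

# 2. Startup persistence: Run-key values pointing at the Frfx path (assumption: the
#    MSConfig startup entry comes from one of these keys)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $value = [Environment]::ExpandEnvironmentVariables([string]$props.$name)
        if ($value -imatch '\\Frfx\\firefox\.exe') {
            Write-Warning "Startup entry '$name' in $key -> $value"
            if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

# 3. Startup folder items that reference either indicator name (report only)
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -imatch 'firefox|drpbx' } |
    ForEach-Object { Write-Warning "Startup folder item: $($_.FullName)" }

# 4. The Frfx directory itself should not exist on a clean host (report only)
if (Test-Path (Split-Path $frfxPath)) {
    Write-Warning "Directory present: $(Split-Path $frfxPath)"
}
```

Decryption of the files is still done with the BleepingComputer utility the post links to; this script only handles the containment steps.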

After all is said and done, this is just another example of a cyber threat that is easily beaten by having robust backups in place that support versioning.

'Versioning' is critical as it allows users to restore their files to the state they were in prior to the attack, even if the latest version of the backup carries the encryption. Losing a day's worth of work is far better than losing everything, or being slapped with a ransom.

Probax Partners have access to a range of tools including Veeam®, ShadowProtect® and FilePLUS that support backup versioning.