[August 1st 2016]
Darren Pauli for The Register: Cisco busts ransomware rodent targeting bitcoin, cryptocoin subreddits – VXer mass posts to Reddit in sorrowful bid to make a living. The article explains how “Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind Jigsaw, Ranscam, and the AnonPop ransomware forms,” citing the Talos blog here.
[July 13th 2016]
David Bisson for Graham Cluley’s blog: Jigsaw ransomware decrypted yet again – using a simple trick – But don’t think the crypto-malware is down and out.
[June 13th 2016]
Trend Micro: JIGSAW Crypto-Ransomware Turns Customer-Centric, Uses Chat for Ransom Attempts. Commentary by David Bisson for Graham Cluley’s blog: Jigsaw ransomware uses live chat to relay payment instructions – Got a question? Ask a ransomware author!
Ransomware that not only encrypts files, but starts deleting them if you’re not quick enough to pay up. Fortunately, there is (at present) remediation.
- Lawrence Abrams for Bleeping Computer: Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom
- Jigsaw decryptor
- Commentary by David Bisson for Graham Cluley’s blog: Jigsaw decryption tool released for sadistic ransomware that deletes your files: No need to be cut up
- Commentary by Trendlabs: New Crypto-Ransomware JIGSAW Plays Nasty Games
- Commentary by Iain Thomson for the Register: Saw-inspired horror slowly deletes your PC’s files as you scramble to pay the ransom – Malware recruits Billy the Puppet to extort money
- Josep Albors for ESET on Jigsaw and how ransomware is becoming more aggressive with new capabilities [subsequently changed to ‘…new features’.] There is ransomware around that is more effective/efficient/’professional’ than Jigsaw, but there’s a difference between efficiency and ‘aggression’. That said, I suppose the graphic feature could be described as a capability or functionality. However, the deletion of files seems to me to be a manifestation of aggression and sheer malice rather than technological innovation. There is plenty of innovation around in ransomware, though. And sometimes people on the periphery have ideas that are subsequently taken up by major players. This probably happens more on the Dark Side, where intellectual property is less respected and unlikely to be ‘legally’ enforced.
[May 16th 2016]
Jigsaw has subsequently been rebranded as ‘CryptoHitman’. It has a new lockscreen, displays pornographic images, and adds the file extension .porno to the files it encrypts. In other respects it’s identical to Jigsaw. Happily, this has enabled MalwareHunter’s Michael Gillespie to update his decryption utility to decrypt CryptoHitman-mangled files. You might also want to be aware of MalwareHunterTeam’s page for attempting to identify ransomware, if you’re not already: ID Ransomware – Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data.
See Lawrence Abrams’ post for Bleeping Computer for details on the decryption process – basically, terminate CryptoHitman’s file deletion processes, then download and run the utility – Jigsaw Ransomware becomes CryptoHitman with Porno Extension. Commentary by David Bisson for Graham Cluley’s blog here: Jigsaw ransomware takes a .PORNO twist and a new name – Fortunately, it’s still possible to decrypt your files.
[May 19th 2016]
- Lawrence Abrams for Bleeping Computer: Goliath Ransomware for sale on Dark Web – Linked to Jigsaw?
- David Bisson for Graham Cluley’s blog: Ransomware for sale on nonsensical dark web malware site – “Everyone knows Locky! Time has come, new ransomare is arrived. Goliath is sell here”.
David Harley