[August 1st 2016]

Darren Pauli for The Register: Cisco busts ransomware rodent targeting bitcoin, cryptocoin subreddits – VXer mass posts to Reddit in sorrowful bid to make a living. The article explains how “Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind Jigsaw, Ranscam, and the AnonPop ransomware forms.” It cites the Talos blog here.

[July 13th 2016]

David Bisson for Graham Cluley’s blog: Jigsaw ransomware decrypted yet again – using a simple trick – But don’t think the crypto-malware is down and out.

[June 13th 2016]

Trend Micro: JIGSAW Crypto-Ransomware Turns Customer-Centric, Uses Chat for Ransom Attempts. Commentary by David Bisson for Graham Cluley’s blog: Jigsaw ransomware uses live chat to relay payment instructions – Got a question? Ask a ransomware author!

Jigsaw is ransomware that not only encrypts files, but starts deleting them if you’re not quick enough to pay up. Fortunately, there is (at present) remediation.

[16th May 2016]

Jigsaw has subsequently been rebranded as ‘CryptoHitman’. It has a new lockscreen, displays pornographic images, and adds the file extension .porno to the files it encrypts. In other respects it’s identical to Jigsaw. Happily, this has enabled MalwareHunter’s Michael Gillespie to update his decryption utility to decrypt CryptoHitman-mangled files. You might also want to be aware of MalwareHunterTeam’s page for attempting to identify ransomware, if you’re not already: ID Ransomware – Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data.

See Lawrence Abrams’s post for Bleeping Computer for details on the decryption process: Jigsaw Ransomware becomes CryptoHitman with Porno Extension. Basically, terminate CryptoHitman’s file deletion processes, then download and run the utility. Commentary by David Bisson for Graham Cluley’s blog here: Jigsaw ransomware takes a .PORNO twist and a new name – Fortunately, it’s still possible to decrypt your files.

May 19th, 2016.

David Harley