  1. How Jigsaw Ransomware modifies files
  2. What file extensions Jigsaw Ransomware targets
  3. Download Jigsaw Ransomware Removal Tool
  4. Get decryption tool for .onion, .LoLSec, .fun or .cat files
  5. Recover encrypted files with Stellar Data Recovery Professional
  6. Restore encrypted files with Windows Previous Versions
  7. Restore files with Shadow Explorer
  8. How to protect from threats like Jigsaw Ransomware

What is Jigsaw Ransomware

Jigsaw Ransomware is a widespread family of ransomware. Ransomware is designed to encrypt files on a victim’s computer, rendering them inaccessible, and then demand a ransom payment in exchange for the decryption key needed to restore the files. Jigsaw Ransomware gained attention in April 2016, when it was first discovered. It was named after the iconic character from the movie “Saw” because it uses an image of the character as its logo. Jigsaw Ransomware targets Windows-based systems and spreads through various methods such as malicious email attachments, infected downloads, or exploit kits. Once a computer is infected with Jigsaw Ransomware, it begins encrypting files on the system, including documents, images, videos, and other important data. It then displays a ransom note on the victim’s screen, demanding a payment, usually in Bitcoin, within a specified time frame. If the victim fails to pay the ransom within the given time, Jigsaw Ransomware threatens to delete a portion of the encrypted files as a form of punishment. It also displays a countdown timer, adding a psychological element of urgency. Below are examples of Jigsaw ransom notes:

Your computer files have been encrypted. Your photos, videos, documents, etc…
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.
If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payments your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypt files will be returned to normal.
Thank you.
I want to play a game with you. Let me explain the rules: All your files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access them. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when I start next time you will get 1000 files deleted as a punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together!
Hello, I’m nice Jigsaw or more commonly known as Jigsaws twin.
Unfortunately all of your personal files (pictures, documents, etc...) have been encrypted by me, an evil computer virus know as 'Ransomeware'.
Now now, not to worry I'm going to let you restore them but only if you agree to stop downloading unsafe applications off the internet.
lf you continue to do so may end up with a virus way worse than me! You might even end up meeting my infamous brother Jigsaw :(
While you're at it, you can also read the small article below by Google’s security team on how to stay safe online.
Oh yeah I almost forgot! In order for me to decrypt your files you must read the two articles below, nonce you have click the "Get My Decryption Key" button.
Then enter in your decryption key and click the "Decrypt My Files" button.
Eventually all of your files will be decrypted :)
If the timer reaches zero then all of your personal files will be deleted because you were too lazy to read two articles.
So User do you want to play a game?
Greeting and salutations, Blue Team.
Your personal files are deleting. Your company intellictual property is belonging to us now...
But, Red Team is not being so hearless. It will only happen if you don't pay ransom.
However we has encrypting so as not you can access them.
Every 10 minutes we are selects some of them to deleted permanently, therefore we cannot accessing them, either.
While Red Team is being merciful, Red Team is not without limiting patience.
We starts out slowmess then increasing delted files every 10 minutes.
This is to be helping you with the decision to pay ransom and recover datas.
the next a few hundred, and a few thousand, and so on. You are getting the breeze, no?
If you are turning off your computer or closing window, when malware start next time we will 1000 files deleted as way of punishmenting you.
You wil be wanting malware to start next time, since only way that is capable to decrypting your personal datas for you.
Please be sending all payments to redteam@yolosecfamework.com
Also including unique hash in text box below or not know who to decrypted.
Send a picture of the blue team holding sign that say 'Red Team Rules' to:
***

It’s significant to note that paying the ransom does not guarantee that the files will be decrypted or that the attacker will uphold their end of the bargain. Additionally, by paying the ransom, victims contribute to the profitability of ransomware operations, encouraging further criminal activity. Since Jigsaw Ransomware was discovered, security experts and antivirus companies have developed tools and methods to decrypt files affected by this specific ransomware strain. However, it’s always recommended to practice preventive measures such as regularly backing up important data, keeping software and operating systems up to date, and employing robust security software to minimize the risk of falling victim to ransomware attacks.

How Jigsaw Ransomware modifies encrypted files

Jigsaw Ransomware modifies file extensions by renaming the encrypted files and appending a new extension to their original filenames. The exact extension used by Jigsaw Ransomware may vary across different versions or variants of the malware. Typically, Jigsaw Ransomware employs a random or unique file extension to mark the encrypted files. For example, a file named “document.docx” could be renamed to something like “document.docx.encrypted” or “document.docx.[random_extension]”. The purpose of modifying file extensions is to make it clear to the victim that their files have been encrypted and to create a connection between the encrypted files and the ransom note displayed on the screen. It’s worth noting that file extensions alone do not determine the encryption status of a file. The actual encryption process involves modifying the file content, making it inaccessible without the decryption key. Changing the file extension is just one way for the ransomware to visually indicate the presence of encryption to the victim. Here is the list of known extensions:

What file extensions it targets

This list may vary depending on the version of Jigsaw, but in general, the purpose of ransomware is to encrypt the most valuable data while keeping the system operational, so the victim can pay the ransom. That’s why it targets photos, documents, archives, e-mails, projects, etc. Here is the list of extensions known to be attacked by Jigsaw:

How to remove Jigsaw Ransomware

Download Removal Tool


To remove Jigsaw Ransomware completely, we recommend using SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of Jigsaw Ransomware. The trial version of SpyHunter 5 offers a virus scan and 1-time removal for FREE.

Alternative Removal Tool

Download Norton Antivirus

To remove Jigsaw Ransomware completely, we recommend using Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of Jigsaw Ransomware and prevents future infections by similar viruses.

Jigsaw Ransomware files:


C:\Users\User\AppData\Roaming\Frfx\firefox.exe
C:\Users\User\AppData\Local\Drpbx\drpbx.exe
{randomname}.exe

Jigsaw Ransomware registry keys:

no information
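
A triage sketch for the indicators above, added here as an example and not taken from any vendor tool: it checks each user profile for the two listed executables and inventories files that carry one of the appended extensions (.onion, .LoLSec, .fun, .cat) on top of an original extension. The function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Appended extensions named on this page; compared case-insensitively.
MARKERS = {".onion", ".lolsec", ".fun", ".cat"}
# Executable paths listed on this page, relative to one user profile directory.
ARTIFACTS = ("AppData/Roaming/Frfx/firefox.exe", "AppData/Local/Drpbx/drpbx.exe")


def find_artifacts(users_root):
    """Return the listed executables found under any profile in users_root."""
    hits = []
    for profile in sorted(Path(users_root).iterdir()):
        hits += [profile / rel for rel in ARTIFACTS if os.path.isfile(profile / rel)]
    return hits


def find_renamed_files(root):
    """Map each file carrying an appended marker to its original name.

    A name must keep an inner extension (report.docx.fun) to count, so a
    legitimate single-extension file such as a Windows catalog (driver.cat)
    is not reported.
    """
    hits = {}
    for folder, _dirs, files in os.walk(root):  # unreadable folders are skipped
        for name in files:
            stem, marker = os.path.splitext(name)
            if marker.lower() in MARKERS and os.path.splitext(stem)[1]:
                hits[Path(folder) / name] = stem
    return hits


def build_sample(root):
    """Create a constructed profile tree of empty files for the demo."""
    names = ["AppData/Local/Drpbx/drpbx.exe", "Documents/report.docx.fun",
             "Documents/photo.JPG.LoLSec", "Documents/notes.txt",
             "Drivers/driver.cat"]
    for rel in names:
        target = Path(root) / "alice" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for exe in find_artifacts(tmp):
            print("artifact:", exe)
        for path, original in sorted(find_renamed_files(tmp).items()):
            print("renamed:", path, "->", original)
```

On a live system, pass the real profiles directory (for example `C:\Users`) to both functions; the resulting inventory is the set of files to hand to a decryptor or restore from backup.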

How to decrypt and restore .onion, .LoLSec, .fun or .cat files

Use automated decryptors

Download Emsisoft Decryptor for Jigsaw


Use the following tool from Emsisoft, Decryptor for Jigsaw, which can decrypt .onion, .LoLSec, .fun or .cat files. Download it here:

Download Decryptor for Jigsaw

There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.

Dr.Web Rescue Pack

The well-known antivirus vendor Dr. Web provides a free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .onion, .LoLSec, .fun or .cat files by uploading samples to Dr. Web Ransomware Decryption Service. File analysis is performed free of charge, and if the files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.

If you were infected with Jigsaw Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to recover the files manually, you can do the following:

Use Stellar Data Recovery Professional to restore .onion, .LoLSec, .fun or .cat files


  1. Download Stellar Data Recovery Professional.
  2. Click the Recover Data button.
  3. Select the type of files you want to restore and click the Next button.
  4. Choose the location you would like to restore files from and click the Scan button.
  5. Preview the found files, choose the ones you want to restore and click Recover.
Download Stellar Data Recovery Professional

Using Windows Previous Versions option:

  1. Right-click on the infected file and choose Properties.
  2. Select the Previous Versions tab.
  3. Choose a particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. If there are no items in the list, choose an alternative method.

Using Shadow Explorer:

  1. Download the Shadow Explorer program.
  2. Run it and you will see a listing of all the drives and the dates on which shadow copies were created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. If there are no other dates in the list, choose an alternative method.

If you are using Dropbox:

  1. Log in to the Dropbox website and go to the folder that contains the encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect your computer from viruses like Jigsaw Ransomware in the future

1. Get special anti-ransomware software

Use ZoneAlarm Anti-Ransomware

The well-known antivirus brand ZoneAlarm by Check Point has released a comprehensive tool that provides active anti-ransomware protection as an additional shield on top of your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, and file protection that detects and blocks even unknown encryptors.

Download ZoneAlarm Anti-Ransomware

2. Back up your files


As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. Jigsaw Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox


Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.

Download MailWasher Pro