Jigsaw targets Windows OS and, currently, the method of distribution is unknown. Once an infection occurs, Jigsaw scans victims’ drives for specific file extensions and encrypts them using AES. Files encrypted by Jigsaw display the following extensions: .fun, .kkk, .gws, .btc, .payms, .epic, and .xyz. A list of encrypted files is located on the infected system in the following location: %UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt. This variant is unique in that it not only threatens to start deleting files if the victim does not pay, but it actually carries out that threat, deleting one file every 60 minutes and deleting 1,000 files when the infected system is rebooted. Some versions of Jigsaw have been found to execute after specific dates. Ransom prices vary from $20 to $200 worth of Bitcoin, but one version has been seen demanding $5000 USD worth of Bitcoin. A later version of Jigsaw was rebranded as CryptoHitman and adds the extension .porno or .pornoransom to all encrypted files. Both versions can be decrypted but it is important to first to terminate the suerdf.exe and hogfh.exe processes in Task Manager to prevent file deletion. Then, disable startup entries for those executables prior to running the decryption tool to prevent recurring instances. The latest rebranding is called Invisible Empire and adds the extension .payransom to encrypted files. In addition, Jigsaw developers have added a “live chat” feature allowing the attacker to provide instructions and further pressure the victim into paying the ransom.

UPDATE 7/29/2016: A new version of Jigsaw features an Anonymous-themed ransom note, appends .xyz to encrypted files, and demands $250 USD worth of Bitcoin. The free decryption tool listed below has been updated to decrypt this version.

UPDATE 1/19/2018: A new variant of Jigsaw, dubbed Mada Ransomware, appends .LOCKED_BY_pablukl0cker to the names of encrypted files.

Extensions appended to encrypted file names:
.xyz,  .kkk, .gws, .btc, .payms, .epic, .versiegelt, .encrypted, .payrmts, .locked, .Locked, .hush, .paytounlock, .uk-dealer@sigaint.org, .gefickt, .jey, .nemo-hacks.at.sigaint.org, .I'WANT MONEY, .fun, .crypte, .lckd, .getrekt, .Contact_TarineOZA@Gmail.com, .PAY, .die, R3K7M9, .lost, .ram, .tax, .Ghost, .sux, .rat, .kill, .korea, .pablukCRYPT, .pabluk300CrYpT!, .#, .CryptWalker, .LOCKED_BY_pablukl0cker, .#, .contact-me-here-for-the-key-admin[@]adsoleware[.]com, .Bitconnect, .LolSec, .booknish, .black007, .dat, .fun

  • Bleeping Computer has more information about Jigsaw here, CryptoHitman here, and Invisible Empire here.
  • A decryption tool for Jigsaw, CryptoHitman, and Invisible Empire is available for download here. Instructions on how to use the tool and decrypt files are available on the Bleeping Computer website.