JIGSAW Ransomware: Deleting Files Instead of Encrypting Them

April 28, 2016  |  Patrick Bedwell


Ransomware, which is malware that holds users’ data for ransom, keeps showing up in the news. In February, Hollywood Presbyterian was locked out of its electronic medical records (patient information is kind of important to running a hospital) until it forked over 40 bitcoins, worth then about $17K.

This time, it’s JIGSAW. Our colleagues at Trend Micro have uncovered a new type of ransomware written by someone who appears to be a fan of that creepy puppet from the horror movie ‘Saw’ . What makes JIGSAW different from most other ransomware threats is that it will delete files, instead of just encrypting them.

JIGSAW deletes files exponentially, starting 60 minutes after the program starts and deleting ‘some’ files

  • It deletes more files and increases the ransom every hour
  • If you reboot your system or close the ransom window, JIGSAW will delete 1,000 files.
  • After 72 hours it will delete all remaining files

JIGSAW ransomware deletes files rather than encrypting them
Source: Trend Micro

JIGSAW appears to have compromised systems when users downloaded files from a free storage site as well as it being bundled with other malware.

As I (and others) have said, holding systems or entire networks hostage to extort payment will likely be a popular business model among cybercriminals. It’s a lot less work and an arguably better business model than going through the effort of harvesting valuable data and selling it on the secondary market.

Impact on you

Ransomware is a growing threat: According to the new 2016 Verizon Data Breach Report, ransomware is the second-most common form of crimeware. Cybercriminals will continue to use it to extort money from victims for its ease of use and immediate return on investment.

The FBI's Internet Crime Complaint Center reported between April 2014 and June 2015 it had received almost 1,000 "ransomware" complaints, costing victims more than $18 million in losses.

How AlienVault Helps

The AlienVault Labs team continues to research and update the ability of USM to detect ransomware-related activity. Last week, the Labs team updated the USM platform’s ability to detect JIGSAW and several other families of ransomware by adding IDS signatures to detect the malicious traffic on your network and correlation directives to link events from across your network that indicate systems compromised by ransomware.

These ransomware updates are included in the latest AlienVault Threat Intelligence update available now:

Emerging Threat - Jigsaw Ransomware

Jigsaw is a new ransomware that not only encrypts your files but also starts deleting them if you take too long to pay the ransom. Currently the distribution method of this ransomware is unknown. This is not the first time a ransomware has threatened to delete files but it is one of the first times it has actually been carried out. The good news is that a method to decrypt the files for free has already been published..

We've added IDS signatures and created the following correlation rule to detect Jigsaw Ransomware:

  • System Compromise, Ransomware infection, Jigsaw

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/571617f50ebaa4015af2085c/

In addition to that, we updated some correlation rules and added new IDS signatures to improve the detection of previously known ransomware families:

  • System Compromise, Ransomware infection, Coverton
  • System Compromise, Ransomware infection, Torrentlocker
  • System Compromise, Ransomware infection, Unknown Ransomware
  • System Compromise, Ransomware infection, Virus-Encoder

For more information on a wide range of ransomware families, visit the AlienVault Open Threat Exchange (OTX) to see the research the OTX community has contributed:


Share this with others

Get price Free trial