View All R&D Articles

Jigsaw Ransomware Infection And Decryption Services

September 8, 2016

Jigsaw is a new and pernicious type of ransomware that encrypts your files and then deletes them by the thousands if you don’t pay the ransom. Named after a horror movie villain, it presents a nightmarish ransom message, but the ransomware can be defeated by a qualified data recovery service.

If you believe that Jigsaw ransomware has infected your machine, immediately open Windows Task Manager and end the processes for the files firefox.exe and drpbx.exe. These executables aren’t legitimate programs, and disabling them will temporarily stop Jigsaw from operating in the background.

After taking this step, you should call Datarecovery.com at 1-800-237-4200. Our ransomware experts can help you permanently remove the ransomware and restore your files without risking your personal information, and as a leader in the field, we offer a streamlined process for recovery. Call now or read on for more information about Jigsaw ransomware decryption.

What is Jigsaw Ransomware (And How Does It Work)?

Jigsaw ransomware gets its name from the villain of the Saw movies, primarily because it uses a picture from the movie in its ransom note. The note also includes a timer that counts down; if the timer reaches zero, the first of the infected files will be deleted. Despite its theatrical approach, Jigsaw ransomware isn’t particularly well built, but victims should exercise extreme caution when dealing with the infection.

Jigsaw ransom message with Saw character

Jigsaw ransomware threatens to delete more files as the victim waits to pay the ransom. Rebooting the computer causes the program to restart, which prompts the malware to delete a large batch of files at once. As such, we strongly recommend seeking professional assistance if the infected computer contains important files.

Jigsaw ransomware has the following attributes:

  • It encrypts an infected computer’s files, then begins permanently deleting them until the ransom is paid.
  • If the computer is rebooted, the malware will restart and then delete one thousand files at once.
  • It requests a relatively low ransom, but pressures the victim by threatening to delete files as time passes. Different distributions of the Jigsaw ransomware carry different ransoms. We’ve seen initial ransoms of $20 USD and $200 USD.
  • It is relatively easy to remove, but mishandling the process can lead to permanently lost files.

How Does Jigsaw Ransomware Infect My System?

Jigsaw can be unintentionally downloaded from a cloud storage site called 1fichier.com. Trend Micro believes that the malware is also bundled with some cryptomining software. However, the infection may occur through other means; for instance, the makers of Jigsaw might bundle it with pirated software. In any case, it’s a nasty infection, and users are often terrified by the initial message.

Jigsaw affects the following file types:

.1pa, .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .cal, .cdr, .cdt, .cdx, .cgn, .class, .clk, .cmx, .cnt, .cpp, .cpt, .cpx, .cs, .csl, .csv, .cur, .dat, .db, .dbf, .des, .des, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drw, .ds4, .dsf, .dwg, .dwg, .dxf, .efx, .eps, .eps, .fim, .fla, .flv, .fmv, .fpx, .fx0, .fx1, .fxr, .gem, .gif, .h, .idml, .iff, .iif, .img, .indb, .indd, .indl, .indt, .ini, .inx, .jar, .java, .jpeg, .jpg, .js, .lgb, .m3u, .m3u8, .m4u, .mac, .max, .mdb, .met, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .mx0, .nap, .nd, .pat, .pcd, .pct, .pcx, .pdb, .pdf, .pfb, .php, .pic, .plb, .plt, .pmd, .png, .pot, .potm, .potx, .pp4, .pp5, .ppam, .ppf, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prn, .prproj, .ps, .psd, .psp, .ptb, .py, .qba, .qbb, .qbi, .qbm, .qbo, .qbp, .qbr, .qbw, .qbx, .qby, .qpd, .qsm, .qss, .qst, .qwc, .ra, .rar, .raw, .rb, .rif, .rtf, .rtp, .sct, .sdf, .ses, .set, .shw, .sldm, .sldx, .sql, .svg, .svg, .swf, .tga, .tif, .tiff, .tlg, .ttf, .txt, .v30, .vcf, .vob, .vsd, .vsd, .wav, .wav, .wi, .wk3, .wk4, .wma, .wmf, .wmv, .wpd, .wpd, .wpg, .wps, .xcf, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xpm, .xqx, .zip

This is not a comprehensive list, and new variants of Jigsaw could target additional types of files.

The Jigsaw Ransom Message

The standard Jigsaw ransom message is:

Your computer files have been encrypted. Your photos, videos, documents, etc….

But, don’t worry[sic]! I have not deleted them, yet. You have 24 hours to pay 150 USD in Bitcoins to get the decryption key. Every hour files will be deleted. Increasing in amount every time.

After 72 hours all that are left will be deleted. If you do not have bitcoins Google the website localbitcoins. Purchase XXX American Dollars worth of Bitcoins or X BTC. The system will accept either one. Send to the Bitcoins address specified.

Within two minutes of receiving your payment your computer will receive the decryption key and return to normal. Try anything funny and the computer has several safety measures to delete your files. As soon as the payment is received the crypted files will be returned to normal. Thank you

Can I Disable Jigsaw Ransomware Encryption?

Jigsaw can be disabled, but you need to follow the proper procedure to avoid accidental file deletions. We recommend seeking professional assistance. Datarecovery.com’s ransomware experts can fully decrypt your media and restore damaged files, preventing data loss as a result of the Jigsaw ransomware.

Before you do anything, stop the firefox.exe and drpbx.exe processes in Windows Task Manager. As soon as possible, contact our offices to speak with a malware expert. Datarecovery.com can help you determine the best way to restore your files and provide a secure process that doesn’t put any personal information at risk. Call 1-800-237-4200 to get started.