Jigsaw Ransomware

May 16, 2016, by admin

Jigsaw is the latest in a spate of ransomware that encrypts files and offers to sell the victim a decryption key to get their data back. Adding a new twist, Jigsaw threatens to delete one file every hour if the ransom is not paid in a timely manner.

Jigsaw is capable of encrypting files that have the following extensions:


When run, Jigsaw starts a background process that scans for files with the extensions mentioned above and encrypts them one by one using AES 128-bit encryption in CBC mode with a hard-coded key and initialization vector (IV). When a file is encrypted, a “.fun” extension is appended to its name. Once all files on the file system are encrypted, a fake software registration pop-up is displayed.


This pop-up is fake: the confirmation code 994759 and the 48-hour window are hard-coded strings.


Next the user is presented with a banner asking for ransom.


JigSaw Work Flow

JigSaw is coded in C#. The binary is obfuscated with a packer called ‘Confuser’, which makes reverse engineering a bit more time consuming. The main logic for Jigsaw lives under a namespace called “Main.Tool” that contains the following four classes:

  1. Hacking
  2. Windows
  3. Locker
  4. Blocker

Let’s go through these classes one by one.

Hacking Class

The core purpose of the Hacking class is to permanently install the malware binary onto the infected machine.

This is a multi-step process:

  • Prepare a fake “Thank You” message.
  • Configure a temporary path and drop a file named “drpbx.exe”.


  • Configure the final relative path for the JigSaw file and set that file to be run at Startup so that the encryption process continues if the system is restarted.


All of the above settings are read from the Jigsaw Configuration File:


  • Configure the “Welcome Message” that is displayed when encryption completes.


  • Set the extension for encrypted files to “.fun”.


Windows Class

The Windows class sets the Startup folder and Registry entries. It also deletes the startup Registry entry when encryption completes.

Runtime DLL construction

The code also contains a namespace called “-” that is internally named “<Module>”. This class is responsible for constructing a DLL from obfuscated strings: the DLL is de-obfuscated at runtime and loaded directly into memory.

DLL Name: QbZlczhiHcyXUZulvpHjfBbHhhxY

MD5: AB5E61DB5173272D93FB3AED031D82B1

This DLL defines what file extensions need to be encrypted and also sets up the ransom note.


Locker Class

The Locker class performs the actual encryption. As explained above, Jigsaw uses AES 128-bit encryption in CBC mode with a hard-coded key and initialization vector (IV):

IV=00010003050300010000020006070600

KEY=3A822C030C05DB7708090A0B0C0D0E0D

AES encryption is performed by a method called encryptfile().


When encryption completes, a banner appears demanding a ransom of 0.4 Bitcoins (approx. $150 USD) within 24 hours, or all files will be deleted.


Blocker Class

The Blocker class checks whether the Bitcoin payment was made to the specified address.

Decryption Process

Once the ransom is paid and the user clicks the “I made a payment, now give me back my files” button, the Blocker class calls the decryptFiles() method, which creates an AesCryptoServiceProvider crypto object and scans all drives recursively for files with a “.fun” extension. Using the hard-coded key and IV mentioned above, each file is decrypted with the CreateDecryptor() method.
