Jigsaw is the latest in a spate of ransomware that encrypts files and offers to sell the victim a decryption key to get their data back. Adding a new twist, Jigsaw threatens to delete one file every hour if the ransom is not paid in a timely manner.
Jigsaw is capable of encrypting files that have the following extensions:
When run, Jigsaw starts a background process that scans for files with the extensions mentioned above and encrypts them one by one using AES 128-bit encryption in CBC mode with a hard-coded key and initialization vector (IV). When file encryption completes, a “.fun” extension is appended to the file name. Once all of the files on the file system are encrypted, a fake software registration pop-up is displayed.
This is just a fake pop-up: the confirmation code 994759 and the 48-hour period are hard-coded strings.
Next the user is presented with a banner asking for ransom.
JigSaw Work Flow
JigSaw is coded in C#. The binary is obfuscated with a packer called ‘Confuser’ that makes reverse engineering a bit more time consuming. The main logic for Jigsaw exists under a namespace called “Main.Tool” that contains the following four classes:
Let’s go through these classes one by one.
The core purpose of the Hacking class is to permanently install the malware binary onto the infected machine.
This is a multi-step process:
- Prepare a fake “Thank You” message.
- Configure a temporary path and drop a file named “drpbx.exe”.
- Configure the final relative path for the JigSaw file and set that file to be run at Startup so that the encryption process continues if the system is restarted.
All of the above settings are read from the Jigsaw Configuration File:
- Configure the “Welcome Message” that is displayed when encryption completes.
- Set the extension for encrypted files to “.fun”.
The Windows class sets the Startup folder and Registry entries. It also deletes the startup registry entry when encryption completes.
Runtime DLL construction
The code also contains a namespace called “-” that is internally named “<Module>”. This class is responsible for constructing a DLL from obfuscated strings. The DLL source code is de-obfuscated at runtime and loaded directly into memory.
This DLL defines what file extensions need to be encrypted and also sets up the ransom note.
The Locker class performs the actual encryption. As explained above, Jigsaw uses AES 128-bit encryption in CBC mode with a hard-coded key and initialization vector (IV).
AES encryption is performed by a method called encryptfile().
When encryption completes, a banner appears demanding a ransom of 0.4 Bitcoins (approx. $150 USD) within 24 hours or all files will be deleted.
The Blocker class checks whether a Bitcoin payment was made to the specified address.
Once the ransom is paid and the user clicks the “I made a payment, now give me back my files” button, the Blocker class calls the decryptFiles() method. That method creates an AesCryptoServiceProvider crypto object and scans all drives recursively for files with a “.fun” extension. Using the hard-coded key and IV mentioned above, each file is decrypted with a decryptor obtained from CreateDecryptor().