Jigsaw ransomware decrypted yet again – using a simple trick

But don’t think the crypto-malware is down and out.

David Bisson
@DMBisson

Researchers have found a simple trick they can use to once again decrypt the notorious Jigsaw ransomware.

The Check Point Threat Intelligence Research team explain they made their discovery on Friday while investigating the ransomware’s user interface.

Sign up to our newsletter
Security news, advice, and tips.

“When the user presses the ‘I made a payment, now give me back my files!’ button, the program makes an HTTP GET request to:

btc.blockr[.]io/api/v1/address/balance/

and as a response, gets the following

json: {“status”:”success”,”data”:{“address”:””,”balance”:0,”balance_multisig”:0},”code”:200,”message”:””}

This got us thinking – what if we change the request, so it queries a different account? Perhaps one that holds the necessary amount of Bitcoins to decrypt our files? Or even better – what if we change the response to say we have the necessary amount?”

Curious, the researchers changed the “balance” variable from 0 to 10. To their delight, Jigsaw interpreted this change as receipt of payment and began decrypting the files!

But it gets better. The decryption trick appears to work on older variants of Jigsaw. Once complete, the process also leaves no trace of the ransomware on an infected machine.

Researchers have successfully decrypted every version of this file-deleting ransomware since its discovery back in April, including its “CryptoHitman” alter-ego. Jigsaw has made several updates in that time span, including the addition of a live chat feature. But none of those features have put a stop to the work of several knowledgeable security researchers.

Check Point has built a decryption tool that incorporates this latest trick. It is freely available for download here.

But even though he’s happy about his team’s discovery, Lotem Finkelsteen, who leads Threat Intelligence Operations at Check Point, believes we haven’t seen the last of Jigsaw:

“The fact that security companies and independent researchers have published decryption tools for it and this did not prevent Jigsaw’s developers from creating and issuing new versions of this ransomware is telling.”

With that in mind, users should continue to avoid clicking on suspicious links and email attachments, make sure their anti-virus solution is up-to-date, implement all software updates when they become available, and regularly back up their critical data.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.