Jigsaw ransomware uses live chat to relay payment instructions

Got a question? Ask a ransomware author!

David bisson
David Bisson

Jigsaw ransomware uses live chat to relay payment instructions

Some new variants of Jigsaw ransomware are now relaying payment instructions to their victims via a live chat feature.

Back in mid-April, researchers first came across Jigsaw. Variants of this ransomware family target 240 different file extensions, encrypt all relevant files with AES encryption, and append a .FUN, .KKK, .GWS, or .BTC extension to them.

Jigsaw demands $150 in exchange for the ransom key.

Sign up to our free newsletter.
Security news, advice, and tips.

But this crypto-ransomware is not a passive captor of affected users’ files.

The malware displays two things to a user once it has successfully infected a machine: a ransom message and a countdown timer starting at 60:00.

Jigsaw ransom note

Every time the timer reaches 0:00, Jigsaw will delete an increasingly greater number of a victim’s encrypted files.

The ransomware will also penalize a victim for bad behavior, such as turning off the computer, by automatically deleting 1,000 files.

It will then remove all remaining files if the user has failed to pay within three days of having become infected.

Fortunately, researchers were able to develop a free decryption tool for users affected by Jigsaw. The ransomware authors tried to circumvent that utility by rebranding Jigsaw as CryptoHitman, adding a new lockscreen, and appending .PORNO to all encrypted files. But they didn’t fool researchers. They simply updated their decryptor.

Hitman ransomware locker blurred 768x455

Notwithstanding all of their bad luck so far, it would appear the ransomware authors are still committed to updating Jigsaw.

Researchers at Trend Micro recently observed some variants of the crypto-malware sporting something new: a new lockscreen with a link to a live chat feature through which the ransomware authors can communicate their payment demands to victims in real-time.



After taking a closer look, the researchers determined that Jigsaw is not using its own chat client. Instead it is using onWebChat, a publicly available chat feature.

Trend Micro has reached out to onWebChat about the ransomware authors using its software.

The researchers also took some time to wonder at the decision to incorporate a live chat feature into the latest Jigsaw variants:

“There are some perverse incentives at work for cybercriminals to decide to focus on their ‘customers’ (i.e., victims) in this way. Whatever those incentives may be, the victims of this crime now have an immediate, human voice to go to when their files are encrypted. This may predispose them to pay up if they are victimized – something we do not encourage.”

Don’t let ransomware authors sweet-talk you into fulfilling their demands. Instead make sure you have backed up your data so that you can restore your files without paying the ransom.

To prevent a ransomware infection, make sure you avoid clicking on suspicious links and email attachments, maintain an up-to-date anti-virus solution on your computer, and implement software updates as soon as they become available.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.