Ransomware: "I'm not a Jigsaw variant!"


Since we have first reported seeing Jigsaw Ransomware back in 2016, we have seen several spinoffs of this ransomware. And because its source code can easily be downloaded from the world wide web we have reported variants we’ve seen like the Zapre ransomware here and  was even possibly used here to teach ethical hacking.

This week the Sonicwall Capture Labs Research team has seen yet another Jigsaw ransomware variant but who’s writer shamelessly denying its just another variant. In its ransom note it addresses security researchers and says  “My dear researchers, I’m not a Jigsaw variant!!!!”

Infection Cycle:

This ransomware arrives as a seemingly harmless setup file using the following icon and file properties.

Once executed it creates the following directories using  the number “0” to name Micr0soft and Wind0ws folders and drops a copy of itself:

  • %APPDATA%\Local\MICR0SOFT\dllhost.exe
  • %APPDATA%\Roaming\WIND0WS\svchost.exe

It then encrypts all files with the following file extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sdf, .sql.dwg, .dxf.c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js.aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as.txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm.wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .mkv.dat, .csv, .efx, .sdf, .vcf, .xml, .ses.rar, .zip, .zipx, .7zip

It creates a list of all encrypted files into a txt file and saves it into the following directory:

  • %APPDATA%\Roaming\MICR0SOFT_FILES\EncryptedFileList.txt

It appends “.pennywise” extension to all encrypted files.

Upon successful encryption it launches this ransom note window.

The ransom note just tells the victim that their files are now encrypted and that files will then be deleted after non-compliance but did not provide any clear instructions on how victims can get their files back. And after reminding security researchers that this is not another Jigsaw ransomware variant, it then starts a  countdown before it deletes one file after every hour.

However, further analysis revealed that the decryption key was easily found in its strings – “PsTqQNhR77oKJXvBWE3YZc”.

Copying this key into the decryption key box will start decrypting all the files. It also deletes all copies of itself and thus cleaning up the infected machine.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Capture Labs provides protection against this threat via the following signature:

  • GAV: Jigsaw.RSM_26 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.