Jigsaw Ransomware spotted in the wild

The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan, Jigsaw (named after the fictional character) which encrypts the system files and also deletes them if the payment is not made on time.
Infection cycle:
The Trojan poses as firefox with the following properties:
The Trojan adds the following files to the filesystem:
  • %APPDATA%\Roaming\Frfx\firefox.exe (copy of original) [Detected as GAV: Jigsaw.A (Trojan)]

The Trojan creates the following key to the Windows registry to enable startup after reboot:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""%APPDATA%\Roaming\Frfx\firefox.exe""

It displays the following iconic image and the message while encrypting the files:
It starts countdown and threatens to delete the files mentioned each hour.
The trojan finds the following files on the victim's machine and encrypts them:
It copies the filenames before encrypting at the following location:
It encrypts all the victims files listed above with .fun extension.
When trying to close the ransom window, it displays the following message:
It checks for the payment contacting the C&C server:

It's time to update your security devices to avoid this kind of trojan.
Have  a good time.
(Be knowledgeable, pass it on then)

Post a Comment