Malware News Jigsaw ransomware 2.0: A fake or work in progress?

Jrs30

Jrs30

Level 11
Thread author
Verified
Honorary Member
Top Poster
Well-known
Feb 4, 2016
549
Content source
http://www.welivesecurity.com/2016/05/18/jigsaw-ransomware-2-0-a-fake-or-work-in-progress/
Just recently we reported on various ransomware types that failed in their malicious intentions. Some were cracked by security experts due to poor implementation, while others flopped because the decryption key had been ‘left’ on the victims’ machine, allowing decryption of files without paying the ransom.

But the threat seen by ESET researchers over the few last days falls into an entirely different category. As the detection name suggests, MSIL/Hoax.FakeFilecoder.A – dubbed also Jigsaw 2.0 – is not a fully-fledged ransomware, but it does try to feed off of ransomware’s current popularity amongst cybercriminals.

“So why is it labeled as hoax?” you might ask. Well, it lacks the main functionality of extortion malware – it can’t encrypt victims’ files, nor can it block access to the device. Mimicking recent failsomware Jigsaw (free decryptor available online), MSIL/Hoax.FakeFilecoder.A uses the graphics from the movie Saw, threatening to delete users’ files. As ESET analysis has proven, these claims are false as well.

Nevertheless, the threat posed by ransomware should not be underestimated as the number of its detections are on the rise. Even Jigsaw 2.0 has the potential to become dangerous and effective in the near future, if malware writers have more time to fiddle with it.

Fake-Jigsaw-Screen.png
 
  • Like
Reactions: Deleted member 2913, harlan4096, Der.Reisende and 7 others
BoraMurdar

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
it's not fake :cool:, at least not this variant
Jigsaw ransomware takes a .PORNO twist and a new name
The developers of Jigsaw ransomware have renamed their malicious creation, given it a new file extension, and outfitted it with a new lock screen.
Jigsaw rebranded with the name "CryptoHitman," now appends the extension .PORNO to every file it encrypts.
This is not by coincide. The ransomware's new lock screen not only incorporates an image of Agent 47, the main protagonist in the Hitman video game series, but it also displays a series of pornographic images on the victim's computer.

hitman-ransomware-locker-blurred.jpg

A blurred out image of CryptoHitman's lock screen. Source: BleepingComputer

CryptoHitman also asks that victims send their ransom payment to "cryptohitman@yandex.com."
Other than those modest alterations, however, CryptoHitman is an exact copy of Jigsaw ransomware. As explained by Lawrence Abrams of Bleeping Computer:
"The only major differences is the new pornographic locker screen, the use of the Hitman character, the new .porno extension that is added to all encrypted files, and new filenames for the ransomware executables. Otherwise, this ransomware performs the same as the original Jigsaw Ransomware."
That means CryptoHitman still deletes hundreds if not thousands of a victim's filesfor every reboot of the computer and for every hour the victim does not pay the USD$150 ransom fee.

ransom-demand.jpeg


That's the bad news. The good news is that Michael Gillespie, a security researcher and member of MalwareHunterTeam, has updated the the Jigsaw ransomware decryptor so that it now decrypts files affected by CryptoHitman.
To use the decryptor, you need to first terminate "%LocalAppData%\Suerdf\suerdf.exe" and "%AppData%\Mogfh\mogfh.exe" in TaskManager and then use MSConfig to disable the startup entry related to those processes. Doing so will terminate the ransomware and prevent it from deleting any more of your files.
Once that's done, download Gillespie's decryption utility here and select the directory you would like the tool to decrypt or decrypt your entire hard drive if you prefer. The utility will then decrypt all of your selected files.
Your files will be restored to their decrypted state, but that doesn't mean they're necessarily free of infection. With that in mind, make sure you an anti-virus solution on your computer and use it to scan your files for your infections.

You just removed CryptoHitman from your computer; you don't want any other uninvited malicious software hanging around for the after-party.
As for ordinary users who haven't been infected by CryptoHitman, watch out for suspicious links, keep yourself patched and securely back up your data just in case.
Click to expand...
 
  • Like
Reactions: Der.Reisende, frogboy, Jrs30 and 3 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
Malware News Surge in Magniber ransomware attacks impact home users worldwide
Replies
2
Views
2,501
Security News
Jonny Quest
Jonny Quest
Gandalf_The_Grey
    • Like
    • Applause
Malware News Dutch police crack DoNex ransomware, develop decryption tool
Replies
1
Views
2,900
Security News
Studynxx
S
Gandalf_The_Grey
    • +Reputation
    • Like
Free Key Group ransomware decryptor helps victims recover data
Replies
0
Views
1,171
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top