File-deleting Jigsaw ransomware cracked


Decryptor found for aggressive malware.

Researchers have been quick to defeat the recently discovered Jigsaw ransomware, which will aggressively delete encrypted user files on Windows computers until payment is received from its victims.


The new decryptor comes from the same team that cracked the Petya ransomware this week: computer forensics specialist Lawrence Abrams and his collaborators at the Bleeping Computer website, Michael Gillespie and MalwareHunterTeam.

Jigsaw targets a large number of file types and encrypts them with the AES (Rijndael) algorithm.

The malware is highly destructive and resumes deleting files each time the user logs in to Windows.

Users are asked to pay a ransom of US$20 to US$200 (A$26 to A$260), or 0.4 Bitcoin (A$222), depending on which variant of Jigsaw they have been infected with. Abrams has detected five variants of Jigsaw so far.

If no payment is received at a Bitcoin address within 60 minutes of Jigsaw starting up, the ransomware deletes one or more of the victim's files. The deletion is repeated every 60 minutes until users give in to the blackmail and pay up.

To stop files from being deleted, users are advised to terminate the two processes Jigsaw runs on Windows using Task Manager: firefox.exe and drpbx.exe.

Once the two processes have stopped, it is crucial to run the msconfig utility in Windows and remove the firefox.exe startup entry, otherwise the ransomware can restart and delete another thousand files.

After Jigsaw has been terminated, victims can run the program developed by Gillespie to decrypt their files and hard drives.
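The containment steps above (stop the two processes, then remove the startup entry before running the decryptor) can be driven from an elevated PowerShell session instead of Task Manager and msconfig. The script below is an added example for this article, not code from iTnews or from the researchers named; it assumes the startup entry msconfig would show lives in the standard Run registry keys, and it reports image paths so the analyst can distinguish a look-alike firefox.exe from a genuine Mozilla install before acting.

```powershell
# Added example: triage and containment for the Jigsaw steps described above.
# Assumptions (not stated in the article): the startup entry is in one of the
# standard Run keys below, and the image path tells a look-alike from real Firefox.

$suspectNames = @('firefox.exe', 'drpbx.exe')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspectProcess {
    # Running processes with either name, plus their image path for the analyst.
    Get-CimInstance Win32_Process |
        Where-Object { $suspectNames -contains $_.Name.ToLower() } |
        Select-Object ProcessId, Name, ExecutablePath
}

function Get-SuspectStartupEntry {
    # Run-key values whose command line references either executable name.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            foreach ($n in $suspectNames) {
                if ("$($p.Value)" -match [regex]::Escape($n)) {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

function Invoke-JigsawContainment {
    # Default is report-only; -Remediate applies the article's two steps in order:
    # kill the processes first, then remove the startup entry so it cannot relaunch.
    param([switch]$Remediate)

    $procs   = @(Get-SuspectProcess)
    $entries = @(Get-SuspectStartupEntry)

    Write-Host "Suspect processes:"   ; $procs   | Format-Table -AutoSize | Out-String | Write-Host
    Write-Host "Suspect Run entries:" ; $entries | Format-Table -AutoSize | Out-String | Write-Host

    if ($Remediate) {
        foreach ($p in $procs) {
            Stop-Process -Id $p.ProcessId -Force -ErrorAction Continue
            Write-Host "Stopped PID $($p.ProcessId) ($($p.ExecutablePath))"
        }
        foreach ($e in $entries) {
            Remove-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction Continue
            Write-Host "Removed Run entry '$($e.Name)' from $($e.Key)"
        }
    }
}

# Usage: review first, then run again with -Remediate before starting the decryptor.
Invoke-JigsawContainment
# Invoke-JigsawContainment -Remediate
```

Run it once without the switch and read the ExecutablePath column: a firefox.exe outside the Mozilla installation directory is the one the article is talking about. Only after both the processes and the Run entry are gone should the decryptor be started, since a relaunch at the next logon would resume the deletions.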

At the time of writing, it is not clear how Jigsaw spreads or who is behind the blackmailing malware.

Copyright © iTnews.com.au . All rights reserved.