
Anonymous Jigsaw Ransomware Variant Discovered


Petrovic


A new variant of the Jigsaw Ransomware has been discovered by Michael Gillespie that uses a new Anonymous themed background for the ransom note. Though there has been a previous variant of Jigsaw that included a Guy Fawkes mask, this new one implies that Anonymous is involved with the ransomware. The ransom screen's background now states "We are Anonymous. We Are Legion. We do not forget. We do not forgive. Expect us." The good news is that Jigsaw continues to be easily decrypted and Michael's Jigsaw Decryptor has been updated to decrypt this variant.

[Image: background.jpg, caption: We are Anonymous Background]


This variant of Jigsaw will encrypt your data using AES encryption and then demand $250 USD in bitcoins to get your files back. When first started, the ransomware will install itself to %UserProfile%AppData\Local\MS\app_roaming.exe, create an autorun called Microsoft Defender, and pretend to be the Microsoft Defender program. It will then display an alert stating that a scan has been initiated.

[Image: fake-scan-alert.jpg, caption: Fake Scan Alert]


In the background, the ransomware will now start to encrypt the data on the local drives and will append the .xyz extension to encrypted files. That means a file that was named test.jpg will be encrypted as test.jpg.xyz. When it has finished, it will display the Anonymous Jigsaw ransom screen. Below is the ransom screen with all the text displayed.

[Image: ransom-note.jpg, caption: Anonymous Jigsaw Ransomware Screen]


As already stated, a decryptor for Jigsaw is available that a victim can use to get their files back for free. All victims should terminate the app_roaming.exe process via Task Manager so it does not delete any files and then use the decryptor.


Files associated with the Anonymous Jigsaw Ransomware Variant:

%UserProfile%AppData\Local\MS\app_roaming.exe

Registry entries associated with the Anonymous Jigsaw Ransomware Variant:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Defender.exe = %UserProfile%AppData\Roaming\MS\Defender.exe

Article source
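As an added example that is not part of the post above or of the Jigsaw Decryptor, the script below turns the indicators listed in the post (the .xyz extension appended to encrypted files, the app_roaming.exe dropper name, and the Defender.exe value under the HKCU Run key) into an offline triage sweep a responder could run before decryption. The `sweep`, `find_encrypted_files`, `suspicious_run_entries` and `build_constructed_sample` names are this example's own; the sample file names and Run-key entries it creates are constructed for demonstration.

```python
"""Triage sweep for the Anonymous Jigsaw indicators (added example, not the post's own code)."""
import os
import tempfile
from typing import Dict, List, Tuple

# Indicators taken from the post.
ENCRYPTED_EXT = ".xyz"                       # appended to every encrypted file
DROPPED_EXE = "app_roaming.exe"              # process name to terminate before decrypting
RUN_VALUE_NAME = "Defender.exe"              # value name under HKCU\...\CurrentVersion\Run


def find_encrypted_files(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (encrypted_path, original_name) pairs for files
    carrying the .xyz extension, e.g. test.jpg.xyz -> test.jpg."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                hits.append((os.path.join(dirpath, name), name[: -len(ENCRYPTED_EXT)]))
    return sorted(hits)


def suspicious_run_entries(entries: Dict[str, str]) -> List[str]:
    """Given Run-key value name -> command data, return the value names that match
    the persistence entry from the post: named Defender.exe, or pointing at an
    \\MS\\ folder under the user's AppData, or launching app_roaming.exe."""
    flagged = []
    for name, data in entries.items():
        lowered = data.lower()
        if (name.lower() == RUN_VALUE_NAME.lower()
                or ("appdata" in lowered and "\\ms\\" in lowered)
                or lowered.endswith(DROPPED_EXE)):
            flagged.append(name)
    return sorted(flagged)


def read_run_key_windows() -> Dict[str, str]:
    """On Windows, read the real HKCU Run key with winreg; elsewhere return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break
            entries[name] = str(data)
            index += 1
    return entries


def sweep(root: str, run_entries: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks into one summary a responder can act on."""
    encrypted = find_encrypted_files(root)
    return {
        "encrypted_count": len(encrypted),
        "original_names": [orig for _path, orig in encrypted],
        "run_key_hits": suspicious_run_entries(run_entries),
    }


def build_constructed_sample() -> Tuple[str, Dict[str, str]]:
    """Create a throwaway directory with constructed files plus a constructed
    Run-key snapshot, mirroring the post's test.jpg -> test.jpg.xyz example."""
    root = tempfile.mkdtemp(prefix="jigsaw_demo_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("test.jpg.xyz", "docs/report.docx.xyz", "clean.png"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample content")
    run_entries = {
        "OneDrive": r"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe",  # benign, constructed
        "Defender.exe": r"%UserProfile%AppData\Roaming\MS\Defender.exe",             # from the post
    }
    return root, run_entries


def constructed_sweep() -> Dict[str, object]:
    """Run the sweep over the constructed sample only (no registry access)."""
    root, run_entries = build_constructed_sample()
    return sweep(root, run_entries)


if __name__ == "__main__":
    # Real use on the affected machine: sweep(r"C:\Users\<victim>", read_run_key_windows())
    print(constructed_sweep())
```

The sweep only reports; it does not rename or delete anything, because a file still carrying .xyz holds ciphertext and should be handed to the decryptor once app_roaming.exe has been terminated as the post advises.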
