Beware of the Saw

Sometimes, for good or ill, life can imitate art. Take, for example, the gory “Saw” movie franchise starring “Jigsaw.” It is, of course, a stretch to consider these horror films “art.” But the developers of the new Jigsaw Ransomware apparently adopted the character’s name and modus operandi because the malware gradually “dismembers” victims’ files until they pay the ransom.

Scary? You bet!

Like other ransomware, Jigsaw is most commonly spread through phishing. The attack typically is launched when an unsuspecting user clicks on an attachment or link in an unsolicited phishing email. Jigsaw then immediately proceeds to move through the device, rapidly encrypting files and data. Victims receive a ransom note stating that their data has been encrypted and the only way to obtain the decryption key is to pay a ransom—averaging $150 USD—usually in bitcoin.

Jigsaw Ransomware

These days, the name of the crypto-ransomware game is to add unique features or creative ways to instill fear and apply more pressure to pay. Jigsaw joins notable ransomware families such as Petya and Cerber that have emerged in the past couple of months alone.

But, unlike other similar malware, Jigsaw adds a new and diabolical twist. It toys with users by deleting encrypted files incrementally, instilling fear and pressuring them into paying the ransom. Its onscreen blackmail message even comes with an image of Jigsaw’s very own Billy the Puppet.

For every hour the victim doesn’t pay, Jigsaw permanently deletes some files. The number of files continues to increase exponentially—10 files after day one, 100 files after day two, 1,000 files after day three, etc.

The ransom note also states that if users forcibly reboot their computers, 1,000 files will be deleted as a “punishment” and no duplicate copies will be made. When a victim restarts the computer, another threat is given. And in 72 hours, if the user fails to pay, all encrypted files will be deleted.

This is Jigsaw “speaking:”

“Your computer files have been encrypted. Your photos, videos, documents, etc…. But, don’t worry! I have not deleted them, yet. You have 24 hours to pay $150 USD in Bitcoins to get the decryption key. Every hour files will be deleted. Increasing in amount every time. After 72 hours all that are left will be deleted…. Within two minutes of receiving your payment your computer will receive the decryption key and return to normal….”

Until recently, the most common way to deal with ransomware was to recover files from backups. Most organizations don’t know it, but in many cases, that is no longer a viable option. Newer ransomware variants not only encrypt victims’ data, they take it and threaten to sell it—or just release it—on “the dark web” if payment is not made.

The most effective approach is to employ preventative measures that block ransomware in the first place. Fortunately, there are several ways to do this. The best course of action is to protect networks with multiple layers of security and segmenting systems to isolate an attack so it can’t spread.

The best way to defend against ransomware—by far—is to employ a firewall that scans encrypted traffic from the Internet. According to a number of studies, 60% of traffic flowing in and out of an organization’s network is encrypted. That means 60% of all the internet traffic is not being inspected by a firewall. Cyber criminals know this. That’s why they are hiding their malicious codes in https sites.

It’s scary out there. But with the right partner, you can ensure that all appropriate measures are being taken to protect your systems, network, users, and data.

{company} is the trusted choice for staying ahead of the curve when it comes to information technology tips, tricks, and news. For more information, contact us at {phone} or send us an email at {email}.