SonicWall Security Center


Jigsaw Ransomware spotted in the wild (April 22, 2016)



Description


The Dell SonicWall Threats Research team has received reports of a new ransomware Trojan, Jigsaw (named after the fictional character), which encrypts the system files and deletes them if the payment is not made on time.

Infection cycle:

The Trojan poses as Firefox with the following properties:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Roaming\Frfx\firefox.exe (copy of original) [Detected as GAV: Jigsaw.A (Trojan)]


The Trojan creates the following key in the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%APPDATA%\Roaming\Frfx\firefox.exe"

It displays the following iconic image and message while encrypting the files:

It starts a countdown and threatens to delete the files mentioned each hour.

The Trojan finds the following files on the victim's machine and encrypts them:

It copies the filenames to the following location before encrypting them:

It encrypts all of the victim's files listed above and gives them the .fun extension.

When the user tries to close the ransom window, it displays the following message:

It checks for the payment by contacting the C&C server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Jigsaw.A (Trojan)
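
The host artifacts listed above (the dropped firefox.exe copy, the Run entry and the .fun extension) can be checked on an endpoint with a short read-only script. This is an added example, not SonicWall's tooling; the second candidate path and the choice to search only the user profile are assumptions.

```powershell
# Added example: read-only triage for the Jigsaw artifacts named in this advisory.
# Run as the user being checked, because the Run key lives under HKCU.

# First path is the advisory's path with %APPDATA% expanded. The second is an
# assumption for hosts where %APPDATA% already ends in \Roaming.
$candidates = @(
    (Join-Path $env:APPDATA 'Roaming\Frfx\firefox.exe'),
    (Join-Path $env:APPDATA 'Frfx\firefox.exe')
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy of the Trojan
foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file present: $p") }
}

# 2. Run-key persistence: any value whose data points at Frfx\firefox.exe
#    (matches both the expanded path and a literal %APPDATA% string)
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -in $metadata) { continue }   # skip provider-added properties
        if ("$($prop.Value)" -match '\\Frfx\\firefox\.exe') {
            $findings.Add("Run value '$($prop.Name)' -> $($prop.Value)")
        }
    }
}

# 3. Files with the .fun extension under the user profile.
#    -Filter can also match longer extensions, so compare Extension exactly.
$fun = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.fun' -ErrorAction SilentlyContinue |
         Where-Object { $_.Extension -eq '.fun' })
if ($fun.Count -gt 0) {
    $findings.Add("$($fun.Count) file(s) with .fun extension, e.g. $($fun[0].FullName)")
}

if ($findings.Count -eq 0) { 'No Jigsaw artifacts from this advisory found.' }
else { $findings }
```

A .fun file on its own is a weak signal; the Run value or the Frfx directory alongside it is what ties a hit to this sample.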


