Ransomware has undoubtedly become a very active and lucrative business for e-criminals. With little effort from their end, they obtain a significant return on that ‘investment’ from threatening the files we care about most. However, the information we keep on our devices is a lot more valuable than we think, and many users don’t realise how important it is to protect it until they lose access.
Jigsaw is a recent development in the kinds of ransomware e-criminals are deploying at the moment. For several months, there have been continuous waves of new variants of such well-known ransomware families as Cryptolocker, TorrentLocker, Locky and TeslaCrypt. But new families are also being created, and wanting their slice of the pie as well.
ESET has recently detected one of these new families of ransomware programs that we call MSIL/Filecoder.Jigsaw. It has particular features making it stand out from others.
How Jigsaw works and why it is so destructive
Interestingly, after compromising a device, rather than displaying an image informing the user that files have been encrypted, Jigsaw displays an image of the puppet Billy from the Saw movies. On this image, the user can see an explanation of the fate of their files, as if it were one of the ‘tests’ in the well-known horror series. Of course, there are necessary instructions for paying the ransom with the cryptocurrency Bitcoin.
This is where Jigsaw has a nasty new trick up its sleeve. Presumably in the hope of further encouraging the victim to pay, and to do so promptly, every hour some of the encrypted files are deleted. Suddenly, time is of the essence if the victim wants any chance of recovering their files. What’s worse, if the victim tries to stop the process or restarts the system, the Jigsaw ransomware deletes 1,000 files. Thus, it limits the actions that the victim can take to try to recover their data without paying the ransom.
However, there’s a weakness. ESET thinks this ransomware is less professional than most as it does not give full details of how to pay the ransom in bitcoins, merely providing a link for obtaining the cryptocurrency. Luckily, for Jigsaw’s victims, a tool and instructions for restoring encrypted files are available.
Despite continuing evolution, simple protective measures remain effective
Jigsaw is only one example of the numerous tests that the creators of malware perform in trying to improve their ROI. In this case, it is causing even more stress for victims because the methods used are so threatening and aggressive.
Endpoint security products are constantly adding new strategies to combat ransomware, and these are more sophisticated and reliable than ever. But ransomware is also developing, with recent forays into other systems like Android, Linux and OS X, and even the Internet of Things.
There are some simple but essential steps to follow to ensure maximum protection from the disruption of, and even to avoid, a ransomware attack:
- Regularly back up your files to offline storage media so you can easily recover in case of an attack
- Show hidden file extensions to avoid being tricked by fake extensions such as ‘.PDF.EXE’
- Install a strong security solution capable of detecting and blocking new ransomware variants as they appear
- Patch or update your software as malware attacks often depend on vulnerabilities in outdated software
- Implement company security policies to prevent infected equipment from affecting shared resources on the company network
- Disconnect from Wi-Fi or unplug from the network immediately if you suspect an attack to minimise damage
Nick FitzGerald is senior research fellow at ESET.