Following last week’s discovery of the JIGSAW ransomware, Forcepoint Security Labs encountered the malware in the field and reverse engineered it. It turns out that what makes JIGSAW unique is its fear-based extortion of victims, and that it falls down on the job when it comes to the quality of its code.
Also known as BitcoinBlackmailer.exe, the malware was apparently built on March 23 and first seen in the wild a week later. It encrypts files and appends the '.FUN' extension to them, then threatens to start deleting files if the ransom is not paid within an allotted time, complete with a countdown timer. To add to the victim's distress, the ransom screen displays Billy the Puppet from the horror movie series Saw.
“One could hardly expect the authors of such software, who clearly know they are extortionists, to be under no illusion that what they are doing is both legally and morally wrong,” Forcepoint researchers said in a short overview. “Indeed, from the victim's point of view, being hit by ransomware is an unpleasant experience. But using horror movie images and references to cause distress in the victim is a new low.”
They added, “Fortunately, the depths the author has gone to, with real-time scrolling text, countdown timer, increasing ransom amount and the horror associations, play on the mind of those who may have seen the movie or even those who are vulnerable or of a nervous disposition.”
That said, the authors’ coding standards are not up to snuff, making it fairly easy to piece the puzzle together in JIGSAW, so to speak. Those responsible tried to obfuscate their .NET code to hinder analysis, but Forcepoint was still able to recover essentially all of the malware's source code.
Because it is written in .NET, the malware can be decompiled without great difficulty, so much so that Forcepoint was able to retrieve the key the malware uses to encrypt victims' files.
The reverse engineering turned up not only a hard-coded encryption key but also 100 Bitcoin addresses used to collect the ransom, all of which Forcepoint said it shared with its partners.
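Why a hard-coded key and a list of payment addresses are so easy to pull out of a .NET binary: C# string literals are stored in the assembly's #US heap as UTF-16LE, so a plain UTF-16LE string sweep over the file surfaces them with no decompiler at all. The following Python script is an added illustration, not Forcepoint's tooling and not code from the malware. It sweeps a constructed byte blob that mimics a fragment of a #US heap, lists the literals it finds, and flags any that pass Base58Check as a legacy (P2PKH/P2SH) Bitcoin address, so that look-alike strings are not reported. The key string, the address (derived from a made-up HASH160) and the blob are all constructed here and correspond to nothing in the real sample.

```python
"""Sweep a .NET-style binary blob for UTF-16LE string literals and flag
Base58Check-valid Bitcoin addresses among them. Added illustration; the blob,
key string and address below are constructed, not taken from any sample."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58 encode; each leading 0x00 byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a non-alphabet character."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # .index raises ValueError
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def make_p2pkh_address(hash160: bytes) -> str:
    """Version byte 0x00 + HASH160 + 4-byte double-SHA256 checksum, Base58."""
    payload = b"\x00" + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def is_valid_legacy_address(text: str) -> bool:
    """True only for a Base58Check-valid P2PKH (0x00) or P2SH (0x05) address."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def utf16le_strings(blob: bytes, min_chars: int = 8) -> list[str]:
    """Runs of >= min_chars printable ASCII chars stored as UTF-16LE, which is
    how C# string literals sit in an assembly's #US heap."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


ADDRESS_SHAPE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def find_bitcoin_addresses(strings: list[str]) -> list[str]:
    """Cheap shape filter first, then the checksum to drop look-alikes."""
    return [s for s in strings if ADDRESS_SHAPE.match(s) and is_valid_legacy_address(s)]


def us_heap_entry(text: str) -> bytes:
    """Mimic one #US heap entry: 1-byte length, UTF-16LE text, trailing flag byte."""
    data = text.encode("utf-16-le") + b"\x00"
    if len(data) >= 0x80:
        raise ValueError("this example only emits single-byte length prefixes")
    return bytes([len(data)]) + data


# Constructed sample data (hypothetical; not from any real binary or wallet).
SAMPLE_KEY = "PassPhrase-NotTheRealOne"
SAMPLE_ADDRESS = make_p2pkh_address(bytes(range(1, 21)))
LOOKALIKE = "1BadChecksumBadChecksumBadChecksum"  # base58 alphabet, wrong checksum
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(32)
    + us_heap_entry("OnlyByPayingWillYouGetYourFilesBack")
    + us_heap_entry(SAMPLE_KEY)
    + us_heap_entry(SAMPLE_ADDRESS)
    + us_heap_entry(LOOKALIKE)
    + ".FUN".encode("utf-16-le")  # too short to be reported
    + bytes(16)
)


def triage(blob: bytes) -> dict:
    """Literals found in the blob plus the subset that are real-looking addresses."""
    strings = utf16le_strings(blob)
    return {"strings": strings, "bitcoin_addresses": find_bitcoin_addresses(strings)}


if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    for literal in result["strings"]:
        print("literal:", literal)
    print("valid addresses:", result["bitcoin_addresses"])
```

Run against a real sample, the same sweep is what `strings -e l` does; the checksum step matters because a ransom note is full of base58-looking words, and only a Base58Check pass separates payment addresses from noise. A hard-coded key shows up the same way, as one more literal in the heap, which is exactly why it should never have been there.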
Photo © Photology1971