Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Jigsaw

97
Global rank
38 infographic chevron month
Month rank
61 infographic chevron week
Week rank
0
IOCs

The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.

Ransomware
Type
Unknown
Origin
1 March, 2016
First seen
20 January, 2025
Last seen

How to analyze Jigsaw with ANY.RUN

Type
Unknown
Origin
1 March, 2016
First seen
20 January, 2025
Last seen

IOCs

IP addresses
45.144.225.16
83.244.163.204
193.117.208.146
Domains
angryip.net
angryips.com
angryipsc.org
angryipscanner.org
datadoghd.com
rancner.com
roborware.net
nexcioud.com
sf3q2wrq34.ddns.net
demourl.co.nf
service-updater.hopto.org
totes.bluetoes.org
blablaez.duckdns.org
Last Seen at

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4996
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 704
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 573
comments 0

What is Jigsaw Malware?

Jigsaw ransomware, initially detected in 2016, is a form of malware designed to encrypt files on a victim's system and extort a ransom payment in Bitcoin to restore access.

The creators of Jigsaw incorporate themes and visuals from the horror movie Saw, utilizing threatening messages inspired by the film to pressure victims into complying with the ransom demands.

If the victim does not pay the ransom, Jigsaw begins deleting files from the infected system, increasing the urgency for victims to act. This approach not only encrypts valuable data but also introduces a time-sensitive element that can cause significant distress and data loss.

The original malware is no longer active, as researchers were able to quickly develop decryption tools. However, Jigsaw's source code is openly available, allowing different threat actors to modify and adapt the malware for various purposes, including data theft.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Jigsaw Malware Technical Details

Jigsaw has a range of capabilities which vary across different variants.

  • The original Jigsaw used the AES encryption algorithm to lock files, making them inaccessible without the decryption key.
  • The malware employed over 80 different file extensions for encrypted files, including the .FUN, complicating the identification and recovery process.
  • It displayed ransom notes with instructions for payment, typically demanding Bitcoin in exchange for decryption.
  • Jigsaw verified ransom payments by querying a Bitcoin wallet address via HTTP requests. Upon detecting the required funds, it initiates the decryption process.
  • Despite the development of decryption tools by researchers, Jigsaw continues to evolve, with new variants emerging that incorporate additional malicious functionalities.

    Jigsaw Execution Process

    To analyze any sample of Jigsaw, you can upload it to ANY.RUN’s Interactive Sandbox, a safe cloud environment for examining malicious URLs and files. Check out this analysis of a Jigsaw sample

Jigsaw results inside ANY.RUN's TI Lookup Analysis of Jigsaw inside ANY.RUN's Interactive Sandbox threat context

The execution process of Jigsaw ransomware involves several critical steps to ensure the encryption of files and the extortion of victims. Upon infecting a system, the malware begins by encrypting the files and displaying a ransom note with payment instructions. The ransom note typically includes a countdown timer, indicating the time remaining before files start being deleted.

Jigsaw results inside ANY.RUN's TI Lookup Process graph showing the execution of a Jigsaw sample

To verify that the ransom has been paid, Jigsaw queries a Bitcoin wallet address via HTTP requests. If the malware detects that the required funds have been deposited, it triggers the decryption process, restoring access to the encrypted files.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Jigsaw Distribution Methods

The distribution methods for Jigsaw ransomware have evolved significantly since its inception. Initially, the malware was spread through fake software executables that mimicked legitimate programs. These executables were designed to trick users into downloading and running the malicious files, leading to infection.

However, newer variants of Jigsaw utilize a broader range of distribution channels. Some of the most common methods include:

  • Phishing Emails: Threat actors send phishing emails with malicious attachments or links that, when opened, download and execute the Jigsaw ransomware.
  • File-Sharing Platforms: Malicious files are hosted on file-sharing platforms, where unsuspecting users may download them, leading to infection.
  • Compromised Websites: Jigsaw may be bundled with other malware as a downloader from compromised websites. Visitors to these sites may unknowingly download and install the ransomware.

Each threat actor may utilize their own channel of distribution, making it challenging to predict and defend against the spread of Jigsaw ransomware.

Collect Threat Intelligence on Jigsaw Ransomware

To gather information about Jigsaw ransomware and collect relevant intelligence, utilize Threat Intelligence Lookup.

This service provides access to a comprehensive database containing insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 search parameters, users can find specific data related to threats, including IP addresses, domains, file names, and process artifacts.

Jigsaw results inside ANY.RUN's TI Lookup TI Lookup helps you enrich your investigations with additional threat context

For example, you can search for Jigsaw by its name or related artifacts. A query like threatName:"Jigsaw" will retrieve all associated samples and sandbox results relevant to this ransomware. This tool is invaluable for staying informed about the latest variants and indicators of Jigsaw, helping security professionals to better understand and mitigate the threat.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Although the Jigsaw ransomware no longer presents a significant threat in the cybersecurity landscape, as it did in 2016, access to its source code makes it a potential security risk to organizations. To prevent possible infections with Jigsaw, it is important to implement comprehensive security measures, including proactive sandbox analysis.

Use ANY.RUN’s Interactive Sandbox to quickly examine suspicious files and URLs to identify threats early and address them before they have a chance to compromise your infrastructure.

Sign up for a free ANY.RUN account to access unlimited analysis!

HAVE A LOOK AT

DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More