Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Jigsaw

99
Global rank
74 infographic chevron month
Month rank
66 infographic chevron week
Week rank
0
IOCs

The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.

Ransomware
Type
Unknown
Origin
1 March, 2016
First seen
9 February, 2025
Last seen

How to analyze Jigsaw with ANY.RUN

Type
Unknown
Origin
1 March, 2016
First seen
9 February, 2025
Last seen

IOCs

IP addresses
45.144.225.16
83.244.163.204
Domains
rancner.com
angryipscanner.org
angryipsc.org
angryips.com
datadoghd.com
angryip.net
nexcioud.com
roborware.net
sf3q2wrq34.ddns.net
demourl.co.nf
service-updater.hopto.org
totes.bluetoes.org
blablaez.duckdns.org
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is Jigsaw Malware?

Jigsaw ransomware, initially detected in 2016, is a form of malware designed to encrypt files on a victim's system and extort a ransom payment in Bitcoin to restore access.

The creators of Jigsaw incorporate themes and visuals from the horror movie Saw, utilizing threatening messages inspired by the film to pressure victims into complying with the ransom demands.

If the victim does not pay the ransom, Jigsaw begins deleting files from the infected system, increasing the urgency for victims to act. This approach not only encrypts valuable data but also introduces a time-sensitive element that can cause significant distress and data loss.

The original malware is no longer active, as researchers were able to quickly develop decryption tools. However, Jigsaw's source code is openly available, allowing different threat actors to modify and adapt the malware for various purposes, including data theft.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Jigsaw Malware Technical Details

Jigsaw has a range of capabilities which vary across different variants.

  • The original Jigsaw used the AES encryption algorithm to lock files, making them inaccessible without the decryption key.
  • The malware employed over 80 different file extensions for encrypted files, including the .FUN, complicating the identification and recovery process.
  • It displayed ransom notes with instructions for payment, typically demanding Bitcoin in exchange for decryption.
  • Jigsaw verified ransom payments by querying a Bitcoin wallet address via HTTP requests. Upon detecting the required funds, it initiates the decryption process.
  • Despite the development of decryption tools by researchers, Jigsaw continues to evolve, with new variants emerging that incorporate additional malicious functionalities.

    Jigsaw Execution Process

    To analyze any sample of Jigsaw, you can upload it to ANY.RUN’s Interactive Sandbox, a safe cloud environment for examining malicious URLs and files. Check out this analysis of a Jigsaw sample

Jigsaw results inside ANY.RUN's TI Lookup Analysis of Jigsaw inside ANY.RUN's Interactive Sandbox threat context

The execution process of Jigsaw ransomware involves several critical steps to ensure the encryption of files and the extortion of victims. Upon infecting a system, the malware begins by encrypting the files and displaying a ransom note with payment instructions. The ransom note typically includes a countdown timer, indicating the time remaining before files start being deleted.

Jigsaw results inside ANY.RUN's TI Lookup Process graph showing the execution of a Jigsaw sample

To verify that the ransom has been paid, Jigsaw queries a Bitcoin wallet address via HTTP requests. If the malware detects that the required funds have been deposited, it triggers the decryption process, restoring access to the encrypted files.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Jigsaw Distribution Methods

The distribution methods for Jigsaw ransomware have evolved significantly since its inception. Initially, the malware was spread through fake software executables that mimicked legitimate programs. These executables were designed to trick users into downloading and running the malicious files, leading to infection.

However, newer variants of Jigsaw utilize a broader range of distribution channels. Some of the most common methods include:

  • Phishing Emails: Threat actors send phishing emails with malicious attachments or links that, when opened, download and execute the Jigsaw ransomware.
  • File-Sharing Platforms: Malicious files are hosted on file-sharing platforms, where unsuspecting users may download them, leading to infection.
  • Compromised Websites: Jigsaw may be bundled with other malware as a downloader from compromised websites. Visitors to these sites may unknowingly download and install the ransomware.

Each threat actor may utilize their own channel of distribution, making it challenging to predict and defend against the spread of Jigsaw ransomware.

Collect Threat Intelligence on Jigsaw Ransomware

To gather information about Jigsaw ransomware and collect relevant intelligence, utilize Threat Intelligence Lookup.

This service provides access to a comprehensive database containing insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 search parameters, users can find specific data related to threats, including IP addresses, domains, file names, and process artifacts.

Jigsaw results inside ANY.RUN's TI Lookup TI Lookup helps you enrich your investigations with additional threat context

For example, you can search for Jigsaw by its name or related artifacts. A query like threatName:"Jigsaw" will retrieve all associated samples and sandbox results relevant to this ransomware. This tool is invaluable for staying informed about the latest variants and indicators of Jigsaw, helping security professionals to better understand and mitigate the threat.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Although the Jigsaw ransomware no longer presents a significant threat in the cybersecurity landscape, as it did in 2016, access to its source code makes it a potential security risk to organizations. To prevent possible infections with Jigsaw, it is important to implement comprehensive security measures, including proactive sandbox analysis.

Use ANY.RUN’s Interactive Sandbox to quickly examine suspicious files and URLs to identify threats early and address them before they have a chance to compromise your infrastructure.

Sign up for a free ANY.RUN account to access unlimited analysis!

HAVE A LOOK AT

Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
Sliver screenshot
Sliver
sliver
Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More