Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Jigsaw

99
Global rank
69 infographic chevron month
Month rank
56 infographic chevron week
Week rank
0
IOCs

The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.

Ransomware
Type
Unknown
Origin
1 March, 2016
First seen
4 February, 2025
Last seen

How to analyze Jigsaw with ANY.RUN

Type
Unknown
Origin
1 March, 2016
First seen
4 February, 2025
Last seen

IOCs

IP addresses
45.144.225.16
83.244.163.204
Domains
rancner.com
angryipscanner.org
angryipsc.org
angryips.com
datadoghd.com
angryip.net
nexcioud.com
roborware.net
sf3q2wrq34.ddns.net
demourl.co.nf
service-updater.hopto.org
totes.bluetoes.org
blablaez.duckdns.org
Last Seen at

Recent blog posts

post image
Release Notes: System Updates, New YARA and S...
watchers 193
comments 0
post image
3 Major Cyber Attacks in January 2025
watchers 1395
comments 0
post image
Interlock Ransomware: Analysis of Attacks on...
watchers 1186
comments 0

What is Jigsaw Malware?

Jigsaw ransomware, initially detected in 2016, is a form of malware designed to encrypt files on a victim's system and extort a ransom payment in Bitcoin to restore access.

The creators of Jigsaw incorporate themes and visuals from the horror movie Saw, utilizing threatening messages inspired by the film to pressure victims into complying with the ransom demands.

If the victim does not pay the ransom, Jigsaw begins deleting files from the infected system, increasing the urgency for victims to act. This approach not only encrypts valuable data but also introduces a time-sensitive element that can cause significant distress and data loss.

The original malware is no longer active, as researchers were able to quickly develop decryption tools. However, Jigsaw's source code is openly available, allowing different threat actors to modify and adapt the malware for various purposes, including data theft.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Jigsaw Malware Technical Details

Jigsaw has a range of capabilities which vary across different variants.

  • The original Jigsaw used the AES encryption algorithm to lock files, making them inaccessible without the decryption key.
  • The malware employed over 80 different file extensions for encrypted files, including the .FUN, complicating the identification and recovery process.
  • It displayed ransom notes with instructions for payment, typically demanding Bitcoin in exchange for decryption.
  • Jigsaw verified ransom payments by querying a Bitcoin wallet address via HTTP requests. Upon detecting the required funds, it initiates the decryption process.
  • Despite the development of decryption tools by researchers, Jigsaw continues to evolve, with new variants emerging that incorporate additional malicious functionalities.

    Jigsaw Execution Process

    To analyze any sample of Jigsaw, you can upload it to ANY.RUN’s Interactive Sandbox, a safe cloud environment for examining malicious URLs and files. Check out this analysis of a Jigsaw sample

Jigsaw results inside ANY.RUN's TI Lookup Analysis of Jigsaw inside ANY.RUN's Interactive Sandbox threat context

The execution process of Jigsaw ransomware involves several critical steps to ensure the encryption of files and the extortion of victims. Upon infecting a system, the malware begins by encrypting the files and displaying a ransom note with payment instructions. The ransom note typically includes a countdown timer, indicating the time remaining before files start being deleted.

Jigsaw results inside ANY.RUN's TI Lookup Process graph showing the execution of a Jigsaw sample

To verify that the ransom has been paid, Jigsaw queries a Bitcoin wallet address via HTTP requests. If the malware detects that the required funds have been deposited, it triggers the decryption process, restoring access to the encrypted files.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Jigsaw Distribution Methods

The distribution methods for Jigsaw ransomware have evolved significantly since its inception. Initially, the malware was spread through fake software executables that mimicked legitimate programs. These executables were designed to trick users into downloading and running the malicious files, leading to infection.

However, newer variants of Jigsaw utilize a broader range of distribution channels. Some of the most common methods include:

  • Phishing Emails: Threat actors send phishing emails with malicious attachments or links that, when opened, download and execute the Jigsaw ransomware.
  • File-Sharing Platforms: Malicious files are hosted on file-sharing platforms, where unsuspecting users may download them, leading to infection.
  • Compromised Websites: Jigsaw may be bundled with other malware as a downloader from compromised websites. Visitors to these sites may unknowingly download and install the ransomware.

Each threat actor may utilize their own channel of distribution, making it challenging to predict and defend against the spread of Jigsaw ransomware.

Collect Threat Intelligence on Jigsaw Ransomware

To gather information about Jigsaw ransomware and collect relevant intelligence, utilize Threat Intelligence Lookup.

This service provides access to a comprehensive database containing insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 search parameters, users can find specific data related to threats, including IP addresses, domains, file names, and process artifacts.

Jigsaw results inside ANY.RUN's TI Lookup TI Lookup helps you enrich your investigations with additional threat context

For example, you can search for Jigsaw by its name or related artifacts. A query like threatName:"Jigsaw" will retrieve all associated samples and sandbox results relevant to this ransomware. This tool is invaluable for staying informed about the latest variants and indicators of Jigsaw, helping security professionals to better understand and mitigate the threat.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Although the Jigsaw ransomware no longer presents a significant threat in the cybersecurity landscape, as it did in 2016, access to its source code makes it a potential security risk to organizations. To prevent possible infections with Jigsaw, it is important to implement comprehensive security measures, including proactive sandbox analysis.

Use ANY.RUN’s Interactive Sandbox to quickly examine suspicious files and URLs to identify threats early and address them before they have a chance to compromise your infrastructure.

Sign up for a free ANY.RUN account to access unlimited analysis!

HAVE A LOOK AT

Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More