Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Jigsaw

104
Global rank
61 infographic chevron month
Month rank
41 infographic chevron week
Week rank
0
IOCs

The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.

Ransomware
Type
Unknown
Origin
1 March, 2016
First seen
1 July, 2026
Last seen

How to analyze Jigsaw with ANY.RUN

Type
Unknown
Origin
1 March, 2016
First seen
1 July, 2026
Last seen

IOCs

IP addresses
45.144.225.16
83.244.163.204
Domains
rancner.com
angryipsc.org
angryips.com
datadoghd.com
angryip.net
nexcioud.com
roborware.net
sf3q2wrq34.ddns.net
demourl.co.nf
totes.bluetoes.org
blablaez.duckdns.org
Last Seen at
Last Seen at

Recent blog posts

post image
Hidden Infrastructure Exposed: ANY.RUN Reveal...
watchers 4269
comments 0
post image
​​Kratos PhaaS Targets US and EU: How to Redu...
watchers 8905
comments 0
post image
US Threat Landscape Alert: 30 Active Malware...
watchers 7158
comments 0

What is Jigsaw Malware?

Jigsaw ransomware, initially detected in 2016, is a form of malware designed to encrypt files on a victim's system and extort a ransom payment in Bitcoin to restore access.

The creators of Jigsaw incorporate themes and visuals from the horror movie Saw, utilizing threatening messages inspired by the film to pressure victims into complying with the ransom demands.

If the victim does not pay the ransom, Jigsaw begins deleting files from the infected system, increasing the urgency for victims to act. This approach not only encrypts valuable data but also introduces a time-sensitive element that can cause significant distress and data loss.

The original malware is no longer active, as researchers were able to quickly develop decryption tools. However, Jigsaw's source code is openly available, allowing different threat actors to modify and adapt the malware for various purposes, including data theft.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Jigsaw Malware Technical Details

Jigsaw has a range of capabilities which vary across different variants.

  • The original Jigsaw used the AES encryption algorithm to lock files, making them inaccessible without the decryption key.
  • The malware employed over 80 different file extensions for encrypted files, including the .FUN, complicating the identification and recovery process.
  • It displayed ransom notes with instructions for payment, typically demanding Bitcoin in exchange for decryption.
  • Jigsaw verified ransom payments by querying a Bitcoin wallet address via HTTP requests. Upon detecting the required funds, it initiates the decryption process.
  • Despite the development of decryption tools by researchers, Jigsaw continues to evolve, with new variants emerging that incorporate additional malicious functionalities.

    Jigsaw Execution Process

    To analyze any sample of Jigsaw, you can upload it to ANY.RUN’s Interactive Sandbox, a safe cloud environment for examining malicious URLs and files. Check out this analysis of a Jigsaw sample

Jigsaw analysis inside ANY.RUN's Sandbox Analysis of Jigsaw inside ANY.RUN's Interactive Sandbox threat context

The execution process of Jigsaw ransomware involves several critical steps to ensure the encryption of files and the extortion of victims. Upon infecting a system, the malware begins by encrypting the files and displaying a ransom note with payment instructions. The ransom note typically includes a countdown timer, indicating the time remaining before files start being deleted.

Jigsaw results inside ANY.RUN's TI Lookup Process graph showing the execution of a Jigsaw sample

To verify that the ransom has been paid, Jigsaw queries a Bitcoin wallet address via HTTP requests. If the malware detects that the required funds have been deposited, it triggers the decryption process, restoring access to the encrypted files.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Jigsaw Distribution Methods

The distribution methods for Jigsaw ransomware have evolved significantly since its inception. Initially, the malware was spread through fake software executables that mimicked legitimate programs. These executables were designed to trick users into downloading and running the malicious files, leading to infection.

However, newer variants of Jigsaw utilize a broader range of distribution channels. Some of the most common methods include:

  • Phishing Emails: Threat actors send phishing emails with malicious attachments or links that, when opened, download and execute the Jigsaw ransomware.
  • File-Sharing Platforms: Malicious files are hosted on file-sharing platforms, where unsuspecting users may download them, leading to infection.
  • Compromised Websites: Jigsaw may be bundled with other malware as a downloader from compromised websites. Visitors to these sites may unknowingly download and install the ransomware.

Each threat actor may utilize their own channel of distribution, making it challenging to predict and defend against the spread of Jigsaw ransomware.

Collect Threat Intelligence on Jigsaw Ransomware

To gather information about Jigsaw ransomware and collect relevant intelligence, utilize Threat Intelligence Lookup.

This service provides access to a comprehensive database containing insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 search parameters, users can find specific data related to threats, including IP addresses, domains, file names, and process artifacts.

Jigsaw results inside ANY.RUN's TI Lookup TI Lookup helps you enrich your investigations with additional threat context

For example, you can search for Jigsaw by its name or related artifacts. A query like threatName:"Jigsaw" will retrieve all associated samples and sandbox results relevant to this ransomware. This tool is invaluable for staying informed about the latest variants and indicators of Jigsaw, helping security professionals to better understand and mitigate the threat.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Although the Jigsaw ransomware no longer presents a significant threat in the cybersecurity landscape, as it did in 2016, access to its source code makes it a potential security risk to organizations. To prevent possible infections with Jigsaw, it is important to implement comprehensive security measures, including proactive sandbox analysis.

Use ANY.RUN’s Interactive Sandbox to quickly examine suspicious files and URLs to identify threats early and address them before they have a chance to compromise your infrastructure.

Sign up for a free ANY.RUN account to access unlimited analysis!

HAVE A LOOK AT

WarmCookie screenshot
WarmCookie
badspace
WarmCookie is a backdoor malware that cyber attackers use to gain initial access to targeted systems. It is often distributed through phishing emails, frequently using job recruitment lures to entice victims into downloading and executing the malware.
Read More
EvilProxy screenshot
EvilProxy
evilproxy
EvilProxy is a phishing-as-a-service (PhaaS) platform that enables cybercriminals to bypass multi-factor authentication (MFA) and hijack user sessions. It leverages reverse proxy techniques to harvest credentials and session cookies, posing a serious threat to both individuals and enterprises.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
INC Ransomware screenshot
INC Ransomware is a ransomware-as-a-service (RaaS) spotted in mid-2023. It targets industries like retail, real estate, finance, healthcare, and education, primarily in the U.S. and UK. It encrypts and exfiltrates data demanding a ransom. It employs advanced evasion techniques, destroys backup, and abuses legitimate system tools at all the stages of the kill chain.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More