Recently, a new ransomware variant called Jigsaw has been reported that encrypts a victim’s files and appends “.fun” to the file names. If your computer is infected by this ransomware, do not pay the ransom. For now, there is a method that helps you decrypt files affected by Jigsaw.
What is Jigsaw ransomware?
In fact, this ransomware is named after the infamous Jigsaw character from the Saw movie series, who is displayed in the ransom note. The way it spreads is currently unknown. People whose computers are infected by this ransomware will find their files encrypted and a ransom note on the screen asking them to pay 150 USD in Bitcoins within 24 hours to get the decryption key. The ransomware threatens to delete files every hour, and the number of files deleted increases each time. It also gives you “a kindly reminder” in case you don’t have bitcoins. It claims that your computer will receive the decryption key and return to normal after you pay the ransom, and that all your remaining files will be deleted if you don’t do as it says. If you restart your PC and try to delete this malware, the ransomware deletes an additional 1,000 files with every PC reboot.
A screenshot of the ransomware note:
Once Jigsaw ransomware arrives on the PC and is executed, it targets 226 different file types, encrypting their content with an AES algorithm and appending a .FUN, .KKK, .GWS, or .BTC extension to the end of each file name.
The file types targeted by the ransomware are:
From what is listed above, we can see that most common files on the infected computer will be encrypted or modified by the malware. Once executed, the ransomware pretends to be Mozilla Firefox and the file storage service Dropbox. Processes named “firefox.exe” and “drpbx.exe” will appear in the Windows Task Manager even if the victim has not opened these two programs at all. In addition, the malware edits the Windows Registry and adds a new entry that launches the ransomware file automatically when the computer starts. The computer is then compromised and controlled by the malware.
Is it possible to get rid of Jigsaw ransomware?
Fortunately, malware experts have discovered a method to decrypt files affected by Jigsaw for free. According to Bleeping Computer, thanks to MalwareHunterTeam and other helpful users, victims can follow the steps below to decrypt their files with a free tool.
Step 1: Disable Jigsaw ransomware processes
Open Windows Task Manager by pressing Ctrl + Shift + Esc.
Find and terminate firefox.exe and drpbx.exe processes.
This can prevent the ransomware from further deleting your files.
Step 2: Remove firefox from startup items
To stop the malware from launching as soon as you boot the infected computer, please disable its startup item by following the instructions below:
For Windows 10/8/8.1 users, right click on the Taskbar and select Task Manager to open up Task Manager.
Click “More Details”, switch to the Startup tab, and find the firefox.exe entry that points to %UserProfile%\AppData\Roaming\Frfx\firefox.exe in the list of startup programs, which is displayed with a check box next to each one. Click the Disable button.
For Windows 7/Vista users, click the Start button and then type msconfig in the search box. Click the msconfig.exe program link to open the System Configuration tool.
If you are running Windows XP, click the Start button, type msconfig into the Run box and click OK.
Click on the Startup tab, find the startup entry firefox.exe that points to the %UserProfile%\AppData\Roaming\Frfx\firefox.exe executable and uncheck the box next to it. Click OK to save the changes when you are done.
The Jigsaw ransomware process should no longer automatically start up when Windows starts.
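The checks from Steps 1 and 2 can also be scripted. The PowerShell below is an added example, not part of the original guide or of any tool it mentions; it assumes that the autostart entry sits in one of the standard Run keys and that a genuine Firefox runs from under Program Files, and it only reports unless -Remediate is passed.

```powershell
# Added example, not from the original guide. Report-only unless -Remediate is given.
param([switch]$Remediate)

# Assumption: a genuine Firefox runs from under Program Files.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
# Assumption: the autostart entry from Step 2 lives in one of the standard Run keys.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$frfxSuffix = '\AppData\Roaming\Frfx\firefox.exe'   # path given in Step 2

function Test-TrustedPath([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Step 1: any drpbx.exe, plus any firefox.exe whose image is outside the trusted roots.
# A firefox.exe whose path cannot be read is left for manual review, not flagged.
$suspects = @(Get-CimInstance Win32_Process -Filter "Name='firefox.exe' OR Name='drpbx.exe'" |
    Where-Object {
        $_.Name -ieq 'drpbx.exe' -or
        ($_.ExecutablePath -and -not (Test-TrustedPath $_.ExecutablePath))
    })

# Step 2: Run values whose command line points at the Frfx copy of firefox.exe.
$entries = @(foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if ($command -like "*$frfxSuffix*") {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $command }
        }
    }
})

$suspects | Select-Object ProcessId, Name, ExecutablePath | Format-Table -AutoSize
$entries  | Format-Table -AutoSize

if ($Remediate) {
    # Stop the processes first (Step 1), then remove the autostart values (Step 2).
    $suspects | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
    $entries  | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
}
```

Review the report before using -Remediate: a portable or per-user Firefox installed outside Program Files will also be listed.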
Step 3: Use Jigsaw Decryptor to decrypt the files
Once you have completed the first two steps above, follow the instructions below to decrypt the files.
Extract the file and double-click on the JigSawDecrypter.exe file to launch the tool.
When the program is running, click Select Directory to choose the files encrypted by the Jigsaw ransomware and then click on the Decrypt My Files button.
When all the files are decrypted, the tool will inform you of that.
Step 4: Use SpyHunter anti-malware program to remove Jigsaw ransomware
Even if all the files are decrypted, the malware is still on the machine. To get rid of it, we suggest you run an antivirus or anti-malware program to scan your computer for threats. SpyHunter is a tool that detects and removes malware such as ransomware, Trojans, rootkits and worms, as well as potentially unwanted programs. When you encounter ransomware like Jigsaw, run SpyHunter to scan for the malware and delete it thoroughly. Follow the steps below to remove the infections with SpyHunter.
Install the tool on your computer by following the instructions on the screen. When the setup is complete, click on the Exit button and the tool will run automatically.
If SpyHunter needs to be updated, download the necessary updates and then start scanning the PC by clicking on the Scan Computer Now button. (Note: Before scanning, close all other running programs.)
The scanning usually takes a few minutes to complete.
Click on Fix Threats to remove all the threats found and Jigsaw ransomware will be removed from your PC.
Please register for the full version of SpyHunter so as to completely clear all the threats.
How to deal with ransomware to rescue your PC?
“Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files (called Cryptolocker). Other ransomware use TOR to hide C&C communications (called CTB Locker).”
If your computer is infected with the simplest kind of ransomware, such as a fake antivirus program or a bogus PC optimization tool, just enter Windows Safe Mode, delete Temporary Files and run a virus scanner such as SpyHunter. The malware will be erased from your PC.
If you encounter ransomware that prevents you from entering Windows or running programs, you can try to use system restore to return system files and programs to the state they were in at a certain time. Follow the guide below to restore your computer’s system files to an earlier point in time.
For Windows 10 users,
1 Click on the Search button in your desktop taskbar, or press the Windows Key on your keyboard, and type System Restore in the search editable field.
From the search results displayed there, click on Create a restore point and you’ll be taken directly to the System Properties window.
Under the System Protection tab, you will find the System Restore options.
Alternatively, you can navigate to this same location via Control Panel > System > System Protection. Then click on System Restore button.
2 If this is your first time doing a System Restore, click on Next. If you had previously done a System Restore, select Choose a different restore point, and click on Next.
3 Select a restore point that you would like to restore Windows back to, and click on the Scan for affected programs button.
4 Review what will be affected by using the selected restore point. When finished, click on Close.
5 When you are ready to do a System Restore with a selected restore point, click on Next.
6 Click on Finish to begin the System Restore.
8 Click on Yes to confirm. This is your last chance to cancel the System Restore.
9 Your PC will now restart and perform a System Restore.
10 When the System Restore has completed successfully and you have signed back in to your desktop, click on Close.
For Windows 8/8.1 users,
1 Go to the Start Screen or Search screen and type restore and then click on Create a restore point.
2 When the System Properties window appears, click on System Protection tab and then click on System Restore… button.
3 The main screen for System Restore will be displayed. If you are prompted to continue, click on the Next > button and a recent restore point and your last critical update will be shown there.
- If you are sure that the most recent restore point is not the date your problem started, check the box next to Show more restore points in the lower left corner and you will see a list of available restore points.
- Select the restore point at which your computer issues started to occur and click the Next button.
- The screen will ask for your confirmation. Click on the Finish button if you are sure you want to continue.
When you are asked for confirmation again, click on Yes. System Restore will now reboot your computer and begin the restore process. The restore task will take some time to complete, so please be patient.
- When the system restore task completes successfully, a confirmation box will be displayed on your desktop after system reboot.
For Windows 7/Vista users
1 Click on Start button and type system restore in the search box.
2 Click on System Restore from the list of results. (If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.)
3 When the System Restore window appears, you can directly click on the Next button if you are sure that the date of the Recommended restore is the time the computer problem started.
If the computer issue occurred earlier than the time of the recommended restore, you can click the Choose a different restore point option and click the Next button to select the desired restore point.
4 Select a restore point you wish to restore and click the Next button. If the desired restore point isn’t shown there, check Show more restore points and choose the restore point which caused the computer problem. Then click on the Next button.
(Note: You can click on Scan for affected programs to check for the problematic programs.)
5 After selecting the restore point, click the Finish button to confirm it. Then click the Yes button to continue. System restore cannot be undone until after it has completed.
6 This will take some time to complete.
For Windows XP users,
1 Click on Start button, click on Programs, click Accessories, click on System Tools and then open System Restore.
2 When the Welcome to System Restore page window appears, click on Restore my computer to an earlier time option (if it is not already selected), then click on Next button.
3 On the Select a Restore Point screen, locate the “On this list, click a restore point” list, select the most recent system checkpoint and then click the Next button.
A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
4 Confirm your restore point and click Finish button. Make your selections and click Next.
System Restore restores the previous Windows XP configuration, and then restarts the computer.
Once you’ve got your files back: get those backups sorted out! And maybe consider installing some additional security, like the anti-ransomware app: SpyHunter.
Tips to prevent Jigsaw ransomware and other malware infections
To avoid being infected by Jigsaw ransomware and other cyber threats, here are several useful tips for you.
Never open strange email attachments and spam sent by strangers or even from your friends. Many types of ransomware are distributed by using email attachments.
It’s necessary to have a good backup system in place, just in case your PC does become infected and you can’t recover your files.
Keep a good antivirus tool and make sure Windows and browser-related components (Java, Adobe, and the like) are updated.