Decrypter works with older Jigsaw versions as well

Jul 10, 2016 22:05 GMT

Security researchers from Check Point announced over the weekend that they identified a way to decrypt files locked by the Jigsaw ransomware, both new and older versions.

Jigsaw appeared this past April, and the ransomware made a name for itself because it deleted files from the user's computer as time went by without a ransom payment being received. Each additional computer restart would also delete 1,000 more files.

Security researcher Michael Gillespie created a free Jigsaw decrypter when the ransomware first came out and has kept updating it ever since. His decrypter attacked the ransomware's encryption process.

Jigsaw uses a non-standard ransom payment system

The Check Point team claims to have identified a weakness not in the encryption routine, but in how Jigsaw handles the ransom payment.

While other ransomware families use a TOR-based website to handle payments, Jigsaw just prints a Bitcoin wallet address on the victim's PC via a special ransom note and tells users to press the "I made a payment, now give me back my files!" button after they have made the payment.

Pressing this button starts a request from the user's PC to an online API that checks if a payment was received to that specific Bitcoin wallet.

Researchers find a weakness in the payment process

There's a reason most ransomware families handle payments on their own websites: when the check is made against an external API, users can tamper with the responses that come back from it.

Check Point created a tool that intercepts and mimics a positive API response. The tool gives Jigsaw this fake API response, and the ransomware thinks the payment was made, starting the decryption process that ends with Jigsaw unlocking all encrypted files and deleting itself from the infected system.

The tool, which works with both newer and older Jigsaw versions, can be downloaded from here, and below are Check Point's instructions for using it:

This decryption trick seems to have been known to most security experts, but nobody had ever created a tool that users could download and use.

User manual:
   1. Unpack the JPS.zip file.
   2. In the Jigsaw Puzzle Solver folder, right click ‘JPS.exe’ and click ‘run as administrator’.
   3. Follow the instructions displayed on the screen.