Jigsaw Ransomware Deletes Your Files If You Don't Pay Or When You Reboot Your PC

An anonymous reader writes: Researchers found a new ransomware yesterday called Jigsaw which will first lock your files and ask for a 0.4 Bitcoin ($150 USD) payment. If users don't pay, every hour the ransomware deletes your files. If the user restarts their PC, the ransomware also deletes 1,000 more files. The good news is there's a free Decrypter available to unlock the ransomware. The Decrypter was built by Michael Gillespie, who announced yesterday on Softpedia the ID Ransomware service, which tells infected victims what kind of ransomware infection they have by allowing them to upload an encrypted file and the ransom note.

Turn back the clock

I have to wonder what would happen if you just kept turning the clock back on your computer every 45 minutes... I guess it depends on how lazy the programmer was.

Anecdote: I recently had a WIndows Auto-update give me the choice between now and in 10 minutes for an update. I wanted to watch a movie online so I set the clock back serveral hours.

Re:Turn back the clock

[Dutch+Gun]

Well, no need for that, as you can just kill the processes directly. This is amateur hour stuff if it can be decrypted locally with a simple utility, and apparently doesn't take any steps to prevent its own process from being viewed and killed.

Sadly, it doesn't take a genius programmer to grab an existing exploit kit and throw together some half-assed shit like this that still does some real harm to people. As always, it's far easier to destroy than to create.

Re:Turn back the clock

give me the choice between now and in 10 minutes for an update.

Funny how Windows users have such an obviously adversarial relationship with the OS (this isn't about good-vs-bad or proprietary-vs-closed; it's simply about us-vs-them) and yet they still use words like "give" and "choice" whenever they talk about how their boyfriend beat them up.

You people.

Re:Turn back the clock

[jetkust]

So you're saying you're NOT supposed to have to trick an operating system into allowing you to use it?

Re:Turn back the clock

[jouassou]

Alternatively... Just pull the power plug instead of shutting down 'nicely', and it shouldn't have any opportunity to delete your files. Don't reboot into the harddrive, but boot from a livecd, and try decrypting the contents from there.

Re:Turn back the clock

[ArsenneLupin]

Don't reboot into the harddrive, but boot from a livecd, and try decrypting the contents from there.

User who know what a LiveCD is probably don't fall for such ransomware themselves.

At best, they are called by a friend or family member who did fall for it, but in that case, chances are said friend or family member already "cleanly" shut down their computer ("hey, I had documents open on which I worked all afternoon, I had to save them, didn't want to lose that work"), or even rebooted it once or twice ("if I call Peter right now, he'll again scold me for being so careless about opening attachments, better try to fix it myself, I can always call him later")

One missing detail

[techno-vampire]

It's not mentioned in the summary, but if you take the time to RTFA (Yes, I know this is Slashdot, but still...) you'll find that this is Windows specific. That's not to say that an infection can't be devastating, or that people using Windows deserve what they get, it's just making note of the fact that those of us who don't use Windows don't need to worry about it.

Re:One missing detail

it's just making note of the fact that those of us who don't use Windows don't need to worry about it.

For now.

Re:One missing detail

[The+MAZZTer]

Windows is targeted because that is what everyone uses. If everyone used something else, that is what hackers would target, because that is where they can exploit the most users!

Re:One missing detail

[drinkypoo]

If everyone used something else, that is what hackers would target, because that is where they can exploit the most users!

If everyone used everything else, we'd only have women in tech articles to complain about

Re:One missing detail

[caino59]

A great point to make.
Remember everyone: Windows is always bad. Don't worry about your poor security habits - you're probably fine.

Re:One missing detail

[Bing+Tsher+E]

It's simpler than that:

If everyone used everything else, it would all be used up.

Re:One missing detail

[Applehu+Akbar]

"...you'll find that this is Windows specific"

Many of the ransomware schemes, especially the ones aimed ta corporate users, use social engineering to trick users into clicking on a software install request and then giving specific permission to run the program. These techniques are applicable on any platform.

Re:One missing detail

[techno-vampire]

These techniques are applicable on any platform.

That's very, very true. And, I'm sure that a similar piece of malware that was designed to run on Linux would work, although I'm not sure if it would have access to the system files. (That depends on how it was written and what other security measures were on the target system.) My point was simply that this specific example was written with Windows in mind, probably because the potential number of targets is so large.

Re:One missing detail

[Mictester]

These techniques are applicable on any platform

That just isn't the case. Users don't have the rights to install and execute additional software on Linux or (real) BSD (not Mac). Windows, by comparison, doesn't have any proper, rigorously enforced, permissions structure, so it's trivially easy to install and execute malicious code - often without user intervention.

The actual reason that Windows is the only target for ransomware is that the attacks are possible and Windows (l)users are generally technically naive - which is why they still use Windows!

"Jigsaw" is obviously just a "proof of concept" - the Real Version(TM) will be along shortly, which will be delivered by a drive-by exploit on a few vulnerable, but heavy traffic, websites, won't require (l)user intervention to install it, won't have a trivial decryption solution and will force the user to pay for decryption very quickly, before their files are not just encrypted, but deleted permanently.

Re:One missing detail

[stealth_finger]

My point was simply that this specific example was written with Windows in mind, probably because the potential number of targets is so large.

Well, yeah. Macs were never virus proof there were just too few to bother targeting.

Re:One missing detail

[Grishnakh]

That just isn't the case. Users don't have the rights to install and execute additional software on Linux or (real) BSD (not Mac).

WTF? Have you ever used Linux?

Here's a hint: type Alt-F2, type "bash" there, and open a shell. Now, type "vi kill_my_files.sh", then type "a rm -rf / :wq!". Then, type "chmod 755 kill_my_files.sh". There, you've now created "additional software"! Now, execute it by typing "./kill_my_files.sh". Voila! You've executed it! And your files are all gone too!

The only thing regular users can't do on Linux is *install* software system-wide so that other users can run it. Who cares? You don't need to do that to run nefarious software.

Re:One missing detail

[Grishnakh]

Whoops, I forgot you have to type <ESC&gt, as so: "a rm -rf / <ESC> :wq!"

One little flaw

[Calydor]

What does someone like me that never jumped on the Bitcoin hype do? Just write the computer off as a lost cause?

Re:One little flaw

[chuckugly]

Restore from backups

Re:One little flaw

all computers should be treated as a lost cause. To do anything else is foolish.

Re:One little flaw

[suupaabaka]

It's a sly scheme to improve Bitcoin uptake.

Re: One little flaw

[Pseudonym]

Do they give you instructions about where you can get bitcoin in less than an hour no matter where you live?

Re: One little flaw

[Fwipp]

https://www.youtube.com/watch?...

Re:One little flaw

[thegarbz]

What does someone like me that never jumped on the Bitcoin hype do? Just write the computer off as a lost cause?

Same thing as someone with bitcoins? Format the PC, reinstall your software, and reload all your data from your backups.

You do have daily backups don't you?

I give it a month

[liqu1d]

Before they start preventing downloads/disabling USB and allowing access to any website other than Bitcoin buying and their payment page.

Re:I give it a month

[wbr1]

That would be useless. Any tech worth his salt is going to pull the drive from its running environment first thing for any ransomware infection. Either by booting to a USB environment (good luck disabling that), or physical removal. Hell in our shop I have a custom built storage server simply to image any jobs that come in the shop, ransomware included. The only exception are drives that have failed to badly to image.

Re:I give it a month

[Sprite_tm]

Mmm, I'm wondering how long it'll take before some kind of malware keeps its keys in-memory, so when you shut down the PC or kill the process the entire HD gets un-decryptable...

Saw?

[suupaabaka]

Is this ransomware named after the antagonist in the movie "Saw"?

If so, maybe we're seeing a new trend of naming viruses after movie villains, and they might even share some characteristics!

I'm hanging out for the Mugatu virus.

Poor fucking users

[roman_mir]

Some people are true assholes, poor fucking users who run into this. Imagine what will happen in the future, with self driving cars and somebody figuring out a way to take over and not let you out of the car until you pay, but if you don't pay within a time limit they will crash your car, drive it off a cliff or something...

Security needs to become part of culture, but with people sharing every bit of their lives on sites like FB, etc., with people not caring about NSA stealing their data... I don't know, there will be deaths because of this eventually. System security has to become central when relying on more and more computers and robots, drones, it has to be done.

Re:Poor fucking users

[subanark]

The bigger the crime, the more resources will be thrown by companies, individuals, police, government to stop it. Many "smart" criminals will avoid killing as it draws a lot of heat. E.g. if your in a big city and someone steals your phone, good luck getting the cops to do more than note it down. However, if someone steals a phone and kills the victim, you can expect a full crime scene, and lab work to be done.

Hacking cars with the intent to hurt (or make it appear so) will get the interest of the US government, and it doesn't matter what country you hide out in. The military will hunt you down and take you out.

Re:Poor fucking users

[roman_mir]

I didn't shift responsibility to businesses, where did you read that? I said that all people need to understand that system security should be part of the core functionality, the push for security has to come from all sides, it cannot be only businesses if the users don't care and it cannot be just users if businesses are not listening.

Re: Poor fucking users

[ArsenneLupin]

Why do so many Slashdot users defend ransomware criminals?

Maybe because they only attack Windows users? Just consider it as cheap education...

Re:Poor fucking users

[dave420]

A quick lesson in the hopes of saving you from embarrassing yourself: Muslims have their own opinions, in precisely the same way non-Muslims do. Logic is your friend.

payback

[supernova87a]

When someone finally finds the people who write and extort with this kind of ransomware, they should slowly and painfully delete body parts one by one until they pay up...

Re:payback

I'm not a violent man but I get this sentiment. A year ago, my son innocently downloaded a (bogus) Java update and we were infected with a ransomware that encrypted all the files on the drive (we didn't pay btw). I was livid. The worst loss was all the special school work he had been doing that day and the day before. There was no backup of that and that stuff was a total loss (fortunately the teacher understood and was kind). I felt for my son who had spent hours and hours on the project. If you had given me the address of the hackers on that day, I would have hunted them down and strung them up in the public square by their balls.

Re:payback

Vengeance is not the answer. As a parent, you should know that.

Vengeance is simply social feedback, cause and effect. When appropriate consequence is removed from actions people will continue to be monsters and become even worse. IF you were a parent of an infant/young child at any point you should definitely KNOW this.

Humans are NOT rational creatures, we are emotional predators who are capable of learning reason to some degree but usually only to use it to serve our emotional selfish desires. Yes, some people are less predator and more rational than others, I like to think I am, but more than enough are not that they must be dealt with in whatever way works to make them listen.

Re:payback

[laurencetux]

no no no

what any God Father knows is you don't do the deed yourself you simply make it know that it would be nice if X happened to Y.

and what you do is remove the bits needed to pass on their genes and "pleasure" a woman.

oh and on a more serious note Ninite Pro is cheap at US$20.00 a month and you can take care of your whole Family in the process.

Re:payback

[cdrudge]

If you had given me the address of the hackers on that day, I would have hunted them down and strung them up in the public square by their balls.

and what you do is remove the bits needed to pass on their genes and "pleasure" a woman.

Now I do admit that I've never been strung up by my balls, but I'd imagine that if you strung them up tight enough, long enough, you'd still accomplish the same goal of preventing them from passing on their genetic material and pleasing a woman.

Re:payback

[Grishnakh]

Actually, it is. It's part of a feedback cycle, and it keeps people from acting badly. If you do something to harm someone else, they (or their friends, family, etc., or these days the government on their behalf) will come find you, and then punish you to make an example out of you. In the future, people contemplating that action will think twice about it because they want to avoid that fate, and the person who did it the first time won't do it again.

Re:payback

[flightmaker]

A good suggestion I heard lately is that we should hunt these arseholes down, along with any other scammers and parasites trying to trick hard working people out of their money, and terrorists, put them at the bottom of a nice deep salt or phosphate mine, and enrol them on therapeutic drugs trials for the rest of their miserable lives. That way they can pay back some of the misery they have brought on society.

Re:It's time to kill Bitcoin.

[sims+2]

Bitcoin... That's sounds an awful lot like cash. Cash is by far the preferred choice of payment by criminals worldwide should we ban that too?

Re:Choice of OS

[layingMantis]

This might be a good time for Windows users to discover an open source operating system. I use OpenBSD on all of my systems and I am not vulnerable to shit like this.

This might be a good time for Windows users to discover an operating system that nobody uses and doesn't get attention from exploiters. -fixed that for you.

Re:It's time to kill Bitcoin.

[Applehu+Akbar]

"Cash is by far the preferred choice of payment by criminals worldwide should we ban that too?"

Has there ever been a single instance in the wild of ransomware for cash? Kidnapping for ransom died out in the US because of the increasing difficulty of making a cash drop. I predict that we are about to see kidnapping come back into style, for Bitcoin.

Re:It's time to kill Bitcoin.

[Jeremi]

Cash is by far the preferred choice of payment by criminals worldwide should we ban that too?

At some point, that will probably happen.

The solution is pull based backups...

[mlts]

Some variants of ransomware erase backup drives and cloud backups/network shares.

The real way to solve the problem isn't just having more data for ransomware to encrypt or destroy. Work on pull based backups, such as Windows Home Servers, Microsoft DPM, NetBackup, or some other mechanism. Preferably something that can use SSH or an existing known good protocol for security. This way, one of the worst things that malware can do is output garbage and try to fill up the backup server's hard disks with stuff from /dev/urandom. If QNAP or Synology adds deduplicating backups to their units in a way that home users could just "set and forget" until needed, this would be a major step in mitigating ransomware attacks.

Problem is that ransomware preys on the fact that people tend to not bother with backups, and that the backup methods used these days are absolute shit and vulnerable to a "rm -rf". In the past, desktop computers would be backed up to tape, and with basic common sense, setting read only switches and backup rotations, it would be virtually impossible for stashed data to be corrupted. However, with both tape and optical drives not updated to handle modern capacity, coupled with the "just stash it on the cloud", it is no wonder why ransomware has such easy pickings on the home, SOHO, SMB, and even the enterprise level.

As a stopgap, one can always back up to a network share, then have the share backed up, so if the share is trashed, it can be restored. However, the real ideal is pulling data from clients.

Re:The solution is pull based backups...

[lgw]

Some variants of ransomware erase backup drives and cloud backups/network shares.

If it can be overwritten or erased by the live system it's not a backup. RAID is not a backup strategy. Copying files to a share is not a backup strategy.

A duplicate drive sitting on a shelf is a backup strategy. A tape in a box in is a backup strategy. A cloud-based solution that requires some special admin task to delete old backups is a backup strategy.

real way to solve the problem isn't just having more data for ransomware to encrypt or destroy. Work on pull based backups

Indeed.

Re:The solution is pull based backups...

[Tapewolf]

I run Linux, but a piece of ransomware was recently reported that used Java to allow itself to run on multiple platforms. As a result I've invested in an LTO drive since my current backup strategies are based around Dropbox and a monthly snapshot to external disks. Smart ransomware could start chewing up the data slowly and end up in the backups before it was detected.

LTO7 came out recently with a 15TB native capacity. This means that LTO5 drives can had relatively cheaply, which have a 1.5TB capacity per cart and the carts are about £15 each. My core data that needs to be backed up is about 1.6TB but is in two locations so I can use two tapes to cover it all.

The drive wasn't cheap, but some of the data is priceless. With a tape system I can take snapshots each month and keep a few tapes aside as long-term read-only backups, just in case.

Re:The solution is pull based backups...

[Tapewolf]

Oops, LTO7 is 15TB compressed, it's about 6TB raw.

.

Re:The solution is pull based backups...

[mlts]

I think that if the tape makers could make a LTO 7 capacity drive, but have it be able to work on USB 3 without excessive shoe-shining (perhaps adding a fairly large RAM or SSD buffer so a consumer-grade laptop that cannot really handle the sustained I/O of a tape drive would still be able to use the drive.)

This has been done before. I remember many SCSI drives for Macs, and UNIX workstations that just plugged in and worked. With today's technologies like LTFS, it would be even easier. Add WORM tapes (which are about $25 for LTO-6 media), and that would provide a decent barrier against ransomware.

Given the cash, I'd definitely go with a LTO 7 drive. However, the next best thing is probably burning data to Blu-Ray, and finalizing the media, so it cannot be written to after the backup is done.

Re:The solution is pull based backups...

[Tapewolf]

However, the next best thing is probably burning data to Blu-Ray, and finalizing the media, so it cannot be written to after the backup is done.

That was my plan if the LTO plan fell through. However, even with BDXL it would take a lot of disks to back up the main data store.

Re:The solution is pull based backups...

[mlts]

The good thing about CD/DVD/BD technology is that making an autochanger for this technology isn't difficult. Before the move to the iPod, 400+ CD carousel autochangers were commonplace for a couple hundred dollars in people's houses. Each BDXL disk may not hold much, but ~40 TB per carousel isn't too bad, assuming 100 gigs per disk, and a 400 disk pack.

Re:Preparation is the best defense.

[mlts]

After deciding on different means, since a pull based backup isn't feasible without enterprise backup software, what I do is a dual stage process. First stage, is to have Veeam dump my Windows box to a NAS with RAID 1. Then, the NAS then backs the shares it has to an external HDD. This way, if something destroys a share from a PC, it can be reloaded from the external HDD.

Eventually, I plan to get another NAS whose sole function in life is to store backups (with RAID) from the "front-line" NAS models. Since the backend NAS isn't touching client PCs in any way, shape, or form, it should be fairly resistant to all but the most sophisticated ransomware.

It doesn't hurt to burn critical data to a BD-R drive either.

Re:It's time to kill Bitcoin.

[mrbester]

It's called a mugging "Give me cash or I delete your kidney"

Re:Choice of OS

[Mictester]

This might be a good time for Windows users to discover an operating system that nobody uses and doesn't get attention from exploiters. -fixed that for you.

...and the reason that Windows is targeted is simply because this type of attack is possible not because of its' seeming ubiquity. Also, the "operating system that nobody uses" is actually the OS that runs the internet, powers your phone, runs your TV, router and even your washing machine.

Windows is just a poor proprietary client for a Linux world

Re:It's time to kill Bitcoin.

[William+Baric]

Mugging is an extremely dangerous business. Ransomware is mostly safe.

Re:It's time to kill Bitcoin.

[moeinvt]

TPTB are working on it right now. Mario Draghi of the ECB is advocating the discontinuation of the 500 Euro note and economists like Larry Summers in the USA want to ban the $100 bill. There is also talk of banning all large cash transactions. Government obviously wants to track ALL of your financial activity.

The bankers want to ban cash so they can set a negative interest rate. People will have to pay to keep their money in a bank, and without cash, there will be no recourse. They also want deposits to be treated like any other liability for the financial institutions. Liabilities that can be "restructured" in the event of the company filing for bankruptcy. i.e. the bank takes your money and gives you shares of stock in a new "recapitalized" bank.

We can't allow that to happen. Use cash!

Re:Choice of OS

[robmv]

There could be a little truth in that, but no OS make the same mistake of letting the sender of a file decides what is executable or not (sender call it .exe or .scr and it is executable). Only Windows allow the sender to define what icon will be show for a file (sender embed a Word document icon to an executable and that is shown).

There are many ways to make phishing at non Windows users, but then some kind of vulnerability must be used (when opening a document), not a simple stupid trick of sending an executable and people confusing it for other thing. I think the most common one

Re:Choice of OS

[tlhIngan]

There are many ways to make phishing at non Windows users, but then some kind of vulnerability must be used (when opening a document), not a simple stupid trick of sending an executable and people confusing it for other thing. I think the most common one

Not really. In Linux it's pretty easy to get a random user to run a random script. You just have to tell the user why'd they want to.

Wasn't there recently a case where a botnet was shut down of Linux users? Sure it was only 2000 machines, but still - 2000 people installed it.

The real reason is easy - software piracy. it's why Windows is usually attacked first - it has one of the largest proprietary software bases out there, so there are plenty of people looking for cracks, keygens, and downloads that you could apply a simple downloader wrapper to and infect them. It's easy.

OS X comes next - smaller base, but still, a bunch of people looking to get paid software for free.

Ditto Android, again, lots of people don't want to pay 99 cents for apps, so they pirate it and get all sorts of data stealing crap installed on their phones. Yes, you can stick with Google Play, but some people will just pirate software.

Linux is last, because there isn't that much proprietary software for it right now. There's some, but not much. What usually infects them are pirated Wordpress themes since most Linux installations are server based. But if the popularity of SteamOS and such increases to the point where there's a decent selection of games, expect Linux to be a sharply rising target. (At least, if gamers on Linux are like their Windows counterparts where it's mostly pirated and thus a very handy way to infect a computer).

Straightforward

[DrYak]

Here's a hint: type Alt-F2, type "bash" there, and open a shell. Now, type {...}

Such a simple and straightforward procedure !

I wonder why everybody is complaining about Linux being hard to adapt to...

Re:Straightforward

[Grishnakh]

-1 Stupid.

Why aren't you complaining about how Windows is "so hard to adapt to"? After all, to run Excel in Windows, you can type Win+R and type "excel" there.

Re:Decrypter

[david_thornley]

The Decrypter might recover files that weren't on the last known good backup (which, for the average Windows user, probably is the reinstall media). Save them on something, then do a full install.

Re:Autobackup

[Tapewolf]

This is exactly why I run an autobackup of all my files to separate backup files every single night. The most I would ever lose is 24 hours of data.
This is 2016, folks. Ransomware shouldn't even be a blip on anyone radar by now.

Given that modern ransomware actively seeks out file shares and removable disks to prevent this kind of easy recovery, I'm curious to know what backup mechanism you're using. And also how far back that backup goes. Another strategy these things use (or could potentially use) is to encrypt things slowly over a long period of time so the backups are chewed up as well unless you're regularly taking snapshots onto read-only media or some kind of versioned filesystem.

Joke explained

[DrYak]

I know that I shouldn't be explaining my joke, but I was sarcastically referring that your "in linux, it's also possible to do lots of dammage without being root" instructions are nearly as complicate as the copy-pasta troll that was once popular on /. about the difficulty to get Quake running with openGL in Linux.
(As opposed to Windows where such breakage happens almost entirely alone, without nearly any user intervention required).

Consider it as a variant of the "Does virus {NAME} runs under Wine? Nope? Exactly what I though: yet another part of the Windows experience we can't join..." joke.