April 19, 2016

Piecing Together the JIGSAW Puzzle

Andy Settle


Another piece of crypto-ransomware appears to have entered circulation.  Known as  BitcoinBlackmailer.exe or JIGSAW, the malware was apparently built by the author on 23rd March and first seen it the wild a week later.  This malicious program starts encrypting your files while adding, with no irony, the '.FUN' file extension. It also threatens to start deleting files if the ransom is not paid within an allotted time, complete with countdown timer. To add to the distress of the victim, the ransomware displays the face of the character Billy the Puppet from the horror movie series Saw:

To see the behavior of an unprotected user's machine, view our recording here:

Written in .NET, the malware can be reverse engineered without any great difficulty.  This helps us greatly.  So much so, that Forcepoint Security Labs are able to retrieve the encryption key (highlighted in yellow) used by the malware to encrypt the file:


Distress.  One could hardly expect the authors of such software, who clearly know they are extortionists, to be under no illusion that what they are doing is both legally and morally wrong.  Indeed, from the victim's point of view, being hit by ransomware is an unpleasant experience. But using horror movie images and references to cause distress in the victim is a new low.  Fortunately, the depths the author has gone to, with real-time scrolling text, countdown timer, increasing ransom amount and the horror associations, plays on the mind of those who may have seen the movie or even those who are vulnerable or of a nervous disposition.

Bitcoin Addresses.  Forcepoint Security Labs' reverse engineering has also highlighted not only the use of a hard-coded encryption key, but also 100 Bitcoin addresses used for payment of the ransom.  These have been shared with our trusted partners.

Coding Standard.  The malware author has clearly tried to obfuscate their .NET code to prevent analysis.  This was no obstacle for Forcepoint Security Labs, who now have a copy of all the malware source code although this it is not pretty reading.


Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 5 (Dropper) - The JIGSAW malware payload is detected and blocked.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.