Jigsaw ransomware virus - removal and decryption options

Also Known As: Jigsaw virus
Damage level: Severe

What is Jigsaw ransomware?

Jigsaw is ransomware that uses the AES algorithm to encrypt various files stored on computers. Targeted files include .jpg, .docx, .mp3, .mp4, and many others.

Depending on the ransomware version, one of the following file extensions is added: ".NDGHacks", ".epic", ".HYDRA", ".paycoin", ".pennywise", ".data", .locked_by_mR_Anonymous(TZ_HACKERS), .spaß, .F*ckedByGhost, .#__EnCrYpTED_BY_dzikusssT3AM_ransomware!__#, .lockedgood, .pleaseCallQQ, .hacked.by.Snaiparul, .dat, .tedcrypt, .invaded, .black007, .F*ckED, .##___POLICJA!!!___TEN_PLIK_ZOSTA, .coder007@protonmail.com, .choda, .booknish, .hac, .LolSec, .email-[powerhacker03@hotmail.com].koreaGame, .jes, .Bitconnect, .contact-me-here-for-the-key-admin@adsoleware.com, .paymrss, .justice, .LOCKED_BY_pablukl0cker, .CryptWalker, .F*CKMEDADDY, .##ENCRYPTED_BY_pablukl0cker##, .####CONTACT_US_pablukl0cker638yzhgr@2tor.com####, .game, .#, .pablukCRYPT, .pabluk300CrYpT!, .pabluklocker, .afc, .korea, .kill, .rat, .Crypto, .paymts, .sux, .ghost, .R3K7M9, .tax, .lost, .beep, .ice, .die, .PAY, .Contact_TarineOZA@Gmail.com, .getrekt, .lckd, .crypte, .I'WANT MONEY, .nemo-hacks.at.sigaint.org, .jey, .gefickt, .uk-dealer@sigaint.org, .paytounlock, .hush, .locked, .payrmts, .afd, .paybtcs, .fun, .kkk, .gws, or .btc.

After encryption, this ransomware displays a window with a message listing the encrypted files and stating that victims can only restore them by paying a ransom. In addition, every sixty minutes, .Fun deletes a certain number of files, putting victims under pressure to pay, since delays result in the permanent deletion of more files.

Here is how files encrypted by one of the variants look:

jigsaw HACKED you computer has been encrypted version (encrypted files)

More about this ransomware

The ransom is equivalent to $150 and must be paid in Bitcoins within 24 hours following infection. The ransomware window contains a 60-minute timer, which indicates the time remaining until the next file deletion. Initially, this ransomware deletes one file; however, after each 60-minute period has elapsed, the number of files targeted for deletion increases.

In addition, when the victim restarts the computer or re-executes this ransomware, it deletes a further 1000 files. According to the message, all files will be deleted within 72 hours. As mentioned previously, this ransomware uses AES - an asymmetric encryption algorithm. Thus, public and private keys are generated during encryption.

To decrypt their files, victims must supposedly purchase the private key from cyber criminals. Fortunately, MalwareHunterTeam, DemonSlay335, and Lawrence Abrams have developed a tool capable of decrypting files compromised by this ransomware (download link).

Therefore, there is no need to pay the ransom. It is, however, unlikely that users will be able to restore files affected by ransomware-type viruses without the private key. In this case, you should restore your system and/or files from a backup.

This ransomware is very similar to hundreds of other viruses that also encrypt files using an asymmetric encryption including, for example, Locky, Cerber, Locker, CTB-Locker, and CryptoWall. All infiltrate systems, encrypt files, and make ransom demands. The main difference is the type of algorithm used and size of ransom.

There is a high probability that your files will not be decrypted even if you pay the ransom. Therefore, never attempt to contact cyber criminals or pay any ransom - this will merely support their malicious businesses. Most ransomware-type malware is distributed via fake software updates, trojans, malicious email attachments, and peer to peer (P2P) networks such as Torrent.

Therefore, keep your installed software up-to-date and use a legitimate anti-virus/anti-spyware suite. Additionally, be very cautious when downloading files sent from suspicious/unrecognized emails and third party sources.

Screenshot of a message encouraging users to contact the developers (waldorftrust@yandex.com) of .Fun (Jigsaw) ransomware to decrypt their compromised data (you can see a picture of Billy the puppet in the background):

.Fun decrypt instructions

A variant of Jigsaw ransomware that adds the .F*CKMEDADDY extension to encrypted files (calls itself "DUPA RANSOMWARE"):

jigsaw ransomware .fuckmedaddy extension

A variant of Jigsaw ransomware that uses ".booknish" extension for encrypted files:

jigsaw .booknish ransomware sample

A variant of Jigsaw ransomware (uses .##ENCRYPTED_BY_pablukl0cker## extensions for encrypted files):

jigsaw  .##ENCRYPTED_BY_pablukl0cker## ransomware sample

A variant of this ransomware using an 'Anonymous' background (uses .fun extension for encrypted files):

jigsaw ransomware anonymous background

A variant of Jigsaw ransomware that uses the .lost extension for encrypted files:

jigsaw ransomware .lost variant

A variant of Jigsaw ransomware uses the ".beep" extension for encrypted files and a clown background. This is what it looks like (GIF):

jigsaw ransomware - .beep extension, clown background variant

Here is a variant of Turkish Jigsaw ransomware - “Ramsey Ransomware”. Appends .ram to encrypted files:

jigsaw ransomware .ram variant Turkish language

A variant of this ransomware using a Joker as a background of its ransom-demand message:

jigsaw (.fun) ransomware using joker background

An updated variant of this ransomware (calls itself variant 4.6):

jigsaw ransomware updated version 4.6

Ransom demand message:

Your computer files have been encrypted. Your photos, videos, documents, etc…
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.

If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payments your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypt files will be returned to normal.

Thank you.

Another variant of Jigsaw ransomware - uses a different ransom message background (flowers) and text:

jigsaw ransomware variant 2

Text presented in this variant of Jigsaw ransomware:

I want to play a game with you. Let me explain the rules: All your files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access them. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when I start next time you will get 1000 files deleted as a punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together!

A variant of this ransomware using a skull image - "ewsc77@mail2tor.com" email address, adds ".I'WANT MONEY" to encrypted files:

jigsaw ransomware skull version

Yet another variant of this ransomware (uses a different background image):

jigsaw ransomware new background 2 jigsaw ransomware new backround 1

Update 1 June, 2016 - Cyber criminals have updated Jigsaw ransomware. It now adds the .paybtcs extension to encrypted files. Below is a screenshot of a website used for communication between victims and cyber criminals:

updated jigsaw ransomware adds .paybtcs extension

Update 6 June, 2016 - Cyber criminals have released a new variant of this ransomware. It targets computer users from Germany and adds the “.AFD” extension to encrypted files. Below is a ransom-demand message from this variant:

Good day,
unfortunately we must inform you that your personal data has been fully encrypted using the AES-256 standard. The AES-256 standard is among the most secure encryption algorithms and is also used by the U.S. military, among others. Decryption of your files is possible only with a payment of 250€ in the form of BITCOIN to the address below. You are welcome to seek further information; you will quickly realize that without a so-called master key, decryption is practically impossible. This master key is individual and is transmitted only after successful receipt of payment, whereupon your data will be fully decrypted again. Information about Bitcoin and how to obtain it can be found on the Internet. In Austria you can also buy a so-called BITCOINBON at numerous points of sale, which lets you easily buy BITCOIN for cash. Further information at bitcoinbon.at If no payment is received at the address below within 5 days, ALL encrypted files will be deleted without comment. REMEMBER: If the software is deleted or you otherwise take countermeasures, there is NO longer any way to decrypt your data, even if the software may be removed. As soon as the payment has been made, please click the button and all files will be fully decrypted. The software then removes itself without leaving a trace.

.Fun ransomware provides a list of encrypted files:

List of files encrypted by .Fun

Here is another ransomware infection based on the source code of jigsaw ransomware. This variant adds the “.To unlock your files send 0.15 Bitcoins to 1P67AghL2mNLbgxLM19oJYXgsJxyLfcYiz within 24 hours 0.20 after 24 hours” extension to encrypted files.

jigsaw HACKED your computer has been encrypted version

Ransom note in a pop-up:


Here is how files encrypted by this variant appear:

jigsaw HACKED you computer has been encrypted version (encrypted files)

Another variant of Jigsaw ransomware (called Anti-Capitalist Jigsaw) targets users from France. This variant adds the ".fun" file extension and opens a pop-up window:

Anti-Capitalist Jigsaw ransomware

Text presented within the pop-up (French):






1 file will be deleted
[View encrypted files]

Please pay the amount shown here, 300, to this bitcoin address:
[I made a payment, now give be back my files!]

Update 1 February 2017 - Security researchers from Avast have released a decrypter for Jigsaw ransomware. You can download it HERE.

jigsaw ransomware decrypter by avast

Screenshot of a folder that contains encrypted files (with added .fun extensions):

Files encrypted by .Fun ransomware

File types targeted by this ransomware:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR, .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby, .1pa, .Qpd, .Txt, .Set, .Iif, .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, .Drw, .Dwg, .Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar
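The two lists on this page (extensions appended by Jigsaw variants, and the targeted file types above) can be combined into a read-only inventory of affected files before a decrypter is run. The following Python script is an added example, not part of the original article or of any decrypter; the function names, the "high"/"low" confidence rule and the sample file names are assumptions of this example, and both sets are subsets of the page's lists.

```python
import os
import tempfile
from collections import Counter

# Subset of the appended extensions listed in this article (lower-cased);
# extend it from the full list. Some contain spaces or several dots.
APPENDED = {".fun", ".kkk", ".gws", ".btc", ".afd", ".paybtcs", ".locked", ".lost",
            ".beep", ".dat", ".data", ".booknish", ".i'want money",
            ".hacked.by.snaiparul", ".##encrypted_by_pablukl0cker##"}
# Subset of the targeted file types listed in this article (lower-cased).
TARGETED = {".jpg", ".png", ".docx", ".xlsx", ".pdf", ".txt", ".mp3", ".mp4",
            ".sql", ".csv", ".zip", ".dat"}


def classify(filename):
    """Return (original_name, appended_ext, confidence), or None if nothing matches.

    Suffix matching is used instead of os.path.splitext because several appended
    extensions contain dots or spaces. Confidence is "high" only when the name
    left after stripping still ends in a targeted type (photo.jpg.fun), which
    separates an appended ".dat" from an ordinary application .dat file.
    """
    lower = filename.lower()
    for ext in sorted(APPENDED, key=len, reverse=True):
        if lower.endswith(ext) and len(lower) > len(ext):
            original = filename[: -len(ext)]
            inner = os.path.splitext(original)[1].lower()
            return original, ext, "high" if inner in TARGETED else "low"
    return None


def scan(root):
    """Walk root without modifying anything; return (findings, counts)."""
    findings, counts = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit:
                original, ext, confidence = hit
                findings.append((os.path.join(dirpath, name), original, ext, confidence))
                counts[(ext, confidence)] += 1
    return findings, counts


def demo():
    """Run the scan over a constructed directory tree (file names are made up)."""
    names = ["holiday.jpg.fun", "Budget.XLSX.AFD", "thesis.docx.I'WANT MONEY",
             "cv.pdf.hacked.by.Snaiparul", "settings.dat", "ledger.dat.lost",
             "notes.txt", "README"]
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Documents")
        os.mkdir(sub)
        for name in names:
            open(os.path.join(sub, name), "w").close()
        return scan(root)


if __name__ == "__main__":
    findings, counts = demo()
    for path, original, ext, confidence in sorted(findings):
        print(f"{confidence:4}  {ext:24}  {os.path.basename(path)} -> {original}")
    print(dict(counts))
```

Low-confidence hits such as a bare "settings.dat" need manual review, since ".dat" appears on this page both as a targeted type and as an appended extension.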

Screenshot of the JigSaw decrypter:

.Fun ransomware decrypter

Victims should perform the following steps before using the decrypter:

1. Launch Task Manager (Ctrl+Alt+Delete and choose Task Manager) and disable processes named "Firefox":

Eliminate .Fun ransomware in task manager

2. Select the "Startup" tab and disable the "Firefox" startup entry:

Disable .Fun ransomware startup

After this procedure, you should download the Jigsaw decrypter, launch it, select your hard drive and click "Decrypt My Files".


Update November 20, 2019 - Emsisoft has recently released a decryption tool capable of restoring data encrypted by various Jigsaw ransomware variants. You can download the decryptor by clicking this link and you can find detailed information in this article.

Screenshot of Emsisoft's Jigsaw ransomware decryptor:

Jigsaw ransomware decryptor by Emsisoft

.Fun ransomware removal:


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking


Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu".

Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking


Step 2

Log in to the account infected with the .Fun virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.


1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the .Fun ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining .Fun ransomware files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on the infected operating system. Note that some variants of .Fun are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by .Fun, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as .Fun ransomware.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.


Frequently Asked Questions (FAQ)

How was my computer hacked and how did hackers encrypt my files?

Threat actors use various ways to trick users into infecting computers with ransomware. Most of them attempt to trick users into opening malicious links or attachments in emails, executing malicious drive-by downloads, or using files downloaded from cracked software distribution pages.

How to open files encrypted by one of the Jigsaw ransomware variants?

It is impossible to open files while they are encrypted. Decryption is required.

Where should I look for free decryption tools for Jigsaw ransomware?

In case of a ransomware attack you should check the No More Ransom project website (more information above).

I can pay you a lot of money, can you decrypt files for me?

We do not provide a decryption service. Also, we strongly recommend not to pay third parties for data decryption. Usually, they are scammers or act as a man-in-the-middle. Files encrypted by ransomware cannot be decrypted without tools purchased from the attackers unless the ransomware itself is flawed.

Will Combo Cleaner help me remove Jigsaw ransomware?

Yes, Combo Cleaner will scan the operating system and remove detected ransomware. It is important to remove ransomware to prevent it from encrypting more files or infecting other computers. However, removal does not make encrypted files accessible (antivirus programs cannot decrypt files).


About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.
