Jigsaw ransomware removal instructions
What is Jigsaw ransomware?
Jigsaw is ransomware that uses the AES algorithm to encrypt various files stored on computers. Targeted files include .jpg, .docx, .mp3, .mp4, and many others. Depending on the ransomware version, one of the following file extensions is added: ".NDGHacks", ".epic", ".HYDRA", ".paycoin", ".pennywise", ".data", .locked_by_mR_Anonymous(TZ_HACKERS), .spaß, .F*ckedByGhost, .#__EnCrYpTED_BY_dzikusssT3AM_ransomware!__#, .lockedgood, .pleaseCallQQ, .hacked.by.Snaiparul, .dat, .tedcrypt, .invaded, .black007, .F*ckED, .##___POLICJA!!!___TEN_PLIK_ZOSTA, .email@example.com, .choda, .booknish, .hac, .LolSec, .email-[firstname.lastname@example.org].koreaGame, .jes, .Bitconnect, .email@example.com, .paymrss, .justice, .LOCKED_BY_pablukl0cker, .CryptWalker, .F*CKMEDADDY, .##ENCRYPTED_BY_pablukl0cker##, .####CONTACT_US_pablukl0cker638yzhgr@2tor.com####, .game, .#, .pablukCRYPT, .pabluk300CrYpT!, .pabluklocker, .afc, .korea, .kill, .rat, .Crypto, .paymts, .sux, .ghost, .R3K7M9, .tax, .lost, .beep, .ice, .die, .PAY, .Contact_TarineOZA@Gmail.com, .getrekt, .lckd, .crypte, .I'WANT MONEY, .nemo-hacks.at.sigaint.org, .jey, .gefickt, .firstname.lastname@example.org, .paytounlock, .hush, .locked, .payrmts, .afd, .paybtcs, .fun, .kkk, .gws, or .btc. After encryption, this ransomware displays a window with a message listing the encrypted files and stating that victims can only restore them by paying a ransom. In addition, every sixty minutes, .Fun deletes a certain number of files, thus, putting victims under pressure to pay, since delays result in permanent deletion of more files.
The size of ransom is equivalent to $150 and must be paid in Bitcoins within 24 hours following infection. The ransomware window contains a 60-minute timer, which indicates time remaining until next file deletion. Initially, this ransomware deletes one file, however, after each 60-minute period has elapsed, the number of files targeted for deletion increases. In addition, when the victim restarts the computer or re-executes this ransomware, it deletes a further 1000 files. According to the message, all files will be deleted within 72 hours. As mentioned previously, this ransomware uses AES - an asymmetric encryption algorithm. Thus, public and private keys are generated during encryption. To decrypt their files, victims must supposedly purchase the private key from cyber criminals. Fortunately, MalwareHunterTeam, DemonSlay335, and Lawrence Abrams have developed a tool capable of decrypting files compromised by this ransomware (download link). Therefore, there is no need to pay the ransom. It is, however, unlikely that users will be able to restore files affected by ransomware-type viruses without the private key. In this case, you should restore your system and/or files from a backup.
Screenshot of a message encouraging users to contact the developers (email@example.com) of .Fun (Jigsaw) ransomware to decrypt their compromised data (you can see a picture of Billy the puppet in the background):
This ransomware is very similar to hundreds of other viruses that also encrypt files using an asymmetric encryption including, for example, Locky, Cerber, Locker, CTB-Locker, and CryptoWall. All infiltrate systems, encrypt files, and make ransom demands. The main difference is the type of algorithm used and size of ransom. There is a high probability that your files will not be decrypted even if you pay the ransom. Therefore, never attempt to contact cyber criminals or pay any ransom - this will merely support their malicious businesses. Most ransomware-type malware is distributed via fake software updates, trojans, malicious email attachments, and peer to peer (P2P) networks such as Torrent. Therefore, keep your installed software up-to-date and use a legitimate anti-virus/anti-spyware suite. Additionally, be very cautious when downloading files sent from suspicious/unrecognized emails and third party sources.
A variant of Jigsaw ransomware that adds the .F*CKMEDADDY extension to encrypted files (calls itself "DUPA RANSOMWARE"):
A variant of Jigsaw ransomware that uses ".booknish" extension for encrypted files:
A variant of Jigsaw ransomware (uses .##ENCRYPTED_BY_pablukl0cker## extensions for encrypted files):
A variant of this ransomware using an 'Anonymous' background (uses .fun extension for encrypted files):
A variant of Jigsaw ransomware that uses the .lost extension for encrypted files:
A variant of Jigsaw ransomware uses the ".beep" extension for encrypted files and a clown background. This is what it looks like (GIF):
Here is a variant of Turkish Jigsaw ransomware - “Ramsey Ransomware”. Appends .ram to encrypted files:
A variant of this ransomware using a Joker as a background of its ransom-demand message:
An updated variant of this ransomware (calls itself variant 4.6):
Ransom demand message:
Your computer files have been encrypted. Your photos, videos, documents, etc…
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.
If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payments your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypt files will be returned to normal.
Another variant of Jigsaw ransomware - uses a different ransom message background (flowers) and text:
Text presented in this variant of Jigsaw ransomware:
I want to play a game with you. Let me explain the rules: All your files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access them. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when I start next time you will get 1000 files deleted as a punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together!
A variant of this ransomware using a skull image - "firstname.lastname@example.org" email address, adds ".I'WANT MONEY" to encrypted files:
Yet another variant of this ransomware (uses a different background image):
Update 1 June, 2016 - Cyber criminals have updated Jigsaw ransomware. It now adds the .paybtcs extension to encrypted files. Below is a screenshot of a website used for communication between victims and cyber criminals:
Update 6 June, 2016 - Cyber criminals have released a new variant of this ransomware. It targets computer users from Germany and adds the “.AFD” extension to encrypted files. Below is a ransom-demand message from this variant:
bedauerlicherweise müssen wir Ihnen mitteilen, dass ihre persönlichen Daten vollständig nach AES-256 Standard verschlüsselt wurden. Der AES-256 Standard gehört zu den sichersten Verschlüsselungs - Algorithmen und wird unter anderem auch vom U.S. Militär verwendet. Eine Entschlüsselung Ihrer Dateien kann ausschließlich mit einer Zahlung von 250€ in Form von BITCOIN an unten stehende Adresse erfolgen. Gerne können Sie weitere Informationen einholen, Sie werden schnell erkennen, dass ohne einen sogenannten Master-Key eine Entschlüsselung faktisch unmöglich ist. Dieser Master-Key ist individuell und wird nur nach erfolgreichem Zahlungseingang übertragen womit auch ihre Daten wieder vollständig entschlüsselt werden. Informationen zu Bitcoin sowie zu deren Beschaffung finden Sie im Internet. In Österreich können sie außerdem sog. BITCOINBON an zahlreichen Verkaufsstellen erwerben, womit Sie unkompliziert BITCOIN für Bargeld kaufen können. Weitere Informationen auf bitcoinbon.at Sollte innerhalb von 5 Tagen keine Zahlung auf unten genannte Adresse eingehen, werden ALLE verschlüsselten Dateien kommentarlos gelöscht. BEDENKEN SIE: Wird die Software gelöscht oder leiten Sie anderweitig Gegenmaßnahmen ein, gibt es KEINE Möglichkeit mehr, Ihre Daten zu entschlüsseln, auch wenn die Software unter Umständen enfernt wird. Sobald die Zahlung getätigt wurde, klicken Sie bitte auf den Button und alle Dateien vollständig entschlüsselt. Anschließend entfernt sich die Software rückstandsfrei.
.Fun ransomware provides a list of encrypted files:
Here is another ransomware infection based on the source code of jigsaw ransomware. This variant adds the “.To unlock your files send 0.15 Bitcoins to 1P67AghL2mNLbgxLM19oJYXgsJxyLfcYiz within 24 hours 0.20 after 24 hours” extension to encrypted files.
Ransom note in a pop-up:
YOUR COMPUTER HAS BEEN ENCRYPTED YOU MUST PAY .25 BITCOINS WITHIN 24 HOURS OR .35 AFTER 24 HOURS AFTER 48 HOURS YOUR COMPUTER WILL BE DESTROYED IF YOU HAVE NOT PAID HACKED YOU BITCOIN PAYMENT ADDRESS IS: 18zvwScQrbRH4Uh3C2zSzTmciMe7HYjvX
Here is how files encrypted by this variant appear:
Another variant of Jigsaw ransomware (called Anti-Capitalist Jigsaw) which targets users from France. This variant adds ".fun" file extension and opens a pop-up window:
Text presented within the pop-up (French):
BONJOUR VOUS VENEZ DE VOUS FAIRE HACKER TOUT VOS FICHIERS VONT ENTRE CRYPTER
D UNE MINUTE A L AUTRE.ALORS MERCI DE BIEN VOULOIR SUIVRE LES CONSIGNES
QUE NOUS ALLONS VOUS DONNER A FIN DE RECUPER TOUS LE CONTENU DE VOS DONNEES.
NOUS VOUS RECLAMONS LA SOMME DE 0,095 Bitcoin SOIT 300 EUROS POUR POUVOIR RECEVOIR
QUI DELIVRERA TOUS LES FINCHIERS.VEUILLEZ FAIRE AU PLUS VITE CAR PLUS LE TEMPS PASS
ET PLUS LE PRIX DE LA DELIVRANCE AUGMENTE._
1 file will be deleted
[View encrypted files]
Veuillez regler la somme ici presente 300 a cette adresse bitcoin:
[I made a payment, now give be back my files!]
Update 1 February 2017 - Security researchers from Avast have released a decrypter for Jigsaw ransomware. You can download it HERE.
Screenshot of a folder that contains encrypted files (with added .fun extensions):
File types targeted by this ransomware:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp , .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR , .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby , .1pa, .Qpd, .Txt, .Set, .Iif , .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, , .Drw, .Dwg.Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar
Screenshot of the JigSaw decrypter:
Victims should perform the following steps before using the decrypter:
1. Launch Task Manager (ctrl+alt+delete and choose Task Manager) and disable processes named "Firefox":
2. Select the "Startup" tab and disable the "Firefox" startup entry:
After this procedure, you should download the Jigsaw decrypter, launch it, select your hard drive and click "Decrypt My Files".
Video showing how to decrypt files compromised by .Fun ransomware:
Update November 20, 2019 - Emsisoft has recently released a decryption tool capable of restoring data encrypted by various Jigsaw ransomware's variants. You download the decryptor by clicking this link and you can find detailed information in this article.
Screenshot of Emsisoft's Jigsaw ransomware decryptor:
.Fun ransomware removal:
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
- What is .Fun?
- STEP 1. .Fun virus removal using safe mode with networking.
- STEP 2. .Fun ransomware removal using System Restore.
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Log in to the account infected with the .Fun virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the .Fun ransomware virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining .Fun ransomware files.
To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of .Fun are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.
To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as .Fun ransomware.)
HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:
Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:
- The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.
Other tools known to remove .Fun ransomware: