Jigsaw Ransomware

Also Known As: Jigsaw virus
Distribution: Low
Damage level: Severe

Jigsaw ransomware removal instructions

What is Jigsaw ransomware?

Jigsaw is ransomware that uses the AES algorithm to encrypt various files stored on computers. Targeted files include .jpg, .docx, .mp3, .mp4, and many others. Depending on the ransomware version, one of the following file extensions is added: ".data", .locked_by_mR_Anonymous(TZ_HACKERS), .spaß, .FuckedByGhost, .#__EnCrYpTED_BY_dzikusssT3AM_ransomware!__#, .lockedgood, .pleaseCallQQ, .hacked.by.Snaiparul, .dat, .tedcrypt, .invaded, .black007, .FuckED, .##___POLICJA!!!___TEN_PLIK_ZOSTA, .coder007@protonmail.com, .choda, .booknish, .hac, .LolSec, .email-[powerhacker03@hotmail.com].koreaGame, .jes, .Bitconnect, .contact-me-here-for-the-key-admin@adsoleware.com, .paymrss, .justice, .LOCKED_BY_pablukl0cker, .CryptWalker, .FUCKMEDADDY, .##ENCRYPTED_BY_pablukl0cker##, .####CONTACT_US_pablukl0cker638yzhgr@2tor.com####, .game, .#, .pablukCRYPT, .pabluk300CrYpT!, .pabluklocker, .afc, .korea, .kill, .rat, .Crypto, .paymts, .sux, .ghost, .R3K7M9, .tax, .lost, .beep, .ice, .die, .PAY, .Contact_TarineOZA@Gmail.com, .getrekt, .lckd, .crypte, .I'WANT MONEY, .nemo-hacks.at.sigaint.org, .jey, .gefickt, .uk-dealer@sigaint.org, .paytounlock, .hush, .locked, .payrmts, .afd, .paybtcs, .fun, .kkk, .gws, or .btc. After encryption, this ransomware displays a window with a message listing the encrypted files and stating that victims can only restore them by paying a ransom. In addition, every sixty minutes, .Fun deletes a certain number of files, thus, putting victims under pressure to pay, since delays result in permanent deletion of more files.

The size of the ransom is equivalent to $150 and must be paid in Bitcoins within 24 hours following infection. The ransomware window contains a 60-minute timer, which indicates the time remaining until the next file deletion. Initially, this ransomware deletes one file, however, after each 60-minute period has elapsed, the number of files targeted for deletion increases. In addition, when the victim restarts the computer or re-executes this ransomware, it deletes a further 1000 files. According to the message, all files will be deleted within 72 hours. As mentioned previously, this ransomware uses AES - an asymmetric encryption algorithm. Thus, public and private keys are generated during encryption. To decrypt their files, victims must supposedly purchase the private key from cyber criminals. Fortunately, MalwareHunterTeam, DemonSlay335, and Lawrence Abrams have developed a tool capable of decrypting files compromised by this ransomware (download link). Therefore, there is no need to pay the ransom. It is, however, unlikely that users will be able to restore files affected by ransomware-type viruses without the private key. In this case, you should restore your system and/or files from a backup.

Screenshot of a message encouraging users to contact the developers (waldorftrust@yandex.com) of .Fun (Jigsaw) ransomware to decrypt their compromised data (you can see a picture of Billy the puppet in the background):


This ransomware is very similar to hundreds of other viruses that also encrypt files using an asymmetric encryption including, for example, Locky, Cerber, Locker, CTB-Locker, and CryptoWall. All infiltrate systems, encrypt files, and make ransom demands. The main difference is the type of algorithm used and size of ransom. There is a high probability that your files will not be decrypted even if you pay the ransom. Therefore, never attempt to contact cyber criminals or pay any ransom - this will merely support their malicious businesses. Most ransomware-type malware is distributed via fake software updates, trojans, malicious email attachments, and peer to peer (P2P) networks such as Torrent. Therefore, keep your installed software up-to-date and use a legitimate anti-virus/anti-spyware suite. Additionally, be very cautious when downloading files sent from suspicious/unrecognized emails and third party sources.

A variant of Jigsaw ransomware that adds the .FUCKMEDADDY extension to encrypted files (calls itself "DUPA RANSOMWARE"):


A variant of Jigsaw ransomware that uses ".booknish" extension for encrypted files:


A variant of Jigsaw ransomware (uses .##ENCRYPTED_BY_pablukl0cker## extensions for encrypted files):


A variant of this ransomware using an 'Anonymous' background (uses .fun extension for encrypted files):


A variant of Jigsaw ransomware that uses the .lost extension for encrypted files:


A variant of Jigsaw ransomware uses the ".beep" extension for encrypted files and a clown background. This is what it looks like (GIF):


Here is a variant of Turkish Jigsaw ransomware - “Ramsey Ransomware”. Appends .ram to encrypted files:


A variant of this ransomware using a Joker as a background of its ransom-demand message:


An updated variant of this ransomware (calls itself variant 4.6):


Ransom demand message:

Your computer files have been encrypted. Your photos, videos, documents, etc…
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.

If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payments your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypt files will be returned to normal.

Thank you.

Another variant of Jigsaw ransomware - uses a different ransom message background (flowers) and text:


Text presented in this variant of Jigsaw ransomware:

I want to play a game with you. Let me explain the rules: All your files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access them. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when I start next time you will get 1000 files deleted as a punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together!

A variant of this ransomware using a skull image - "ewsc77@mail2tor.com" email address, adds ".I'WANT MONEY" to encrypted files:


Yet another variant of this ransomware (uses a different background image):


Update 1 June, 2016 - Cyber criminals have updated Jigsaw ransomware. It now adds the .paybtcs extension to encrypted files. Below is a screenshot of a website used for communication between victims and cyber criminals:


Update 6 June, 2016 - Cyber criminals have released a new variant of this ransomware. It targets computer users from Germany and adds the “.AFD” extension to encrypted files. Below is a ransom-demand message from this variant:

Good day,
unfortunately we must inform you that your personal data has been fully encrypted using the AES-256 standard. The AES-256 standard is among the most secure encryption algorithms and is used by, among others, the U.S. military. Your files can be decrypted only after a payment of 250€ in the form of BITCOIN to the address given below. You are welcome to seek further information; you will quickly find that decryption is practically impossible without a so-called master key. This master key is individual and is transmitted only after payment has been successfully received, whereupon your data will also be fully decrypted again. Information about Bitcoin and how to obtain it can be found on the Internet. In Austria you can also purchase so-called BITCOINBON at numerous points of sale, which lets you easily buy BITCOIN for cash. Further information at bitcoinbon.at If no payment is received at the address given below within 5 days, ALL encrypted files will be deleted without comment. BEAR IN MIND: If the software is deleted or you take other countermeasures, there is NO longer any way to decrypt your data, even if the software may be removed. As soon as the payment has been made, please click the button and all files will be fully decrypted. The software then removes itself without leaving a trace.

.Fun ransomware provides a list of encrypted files:


Here is another ransomware infection based on the source code of jigsaw ransomware. This variant adds the “.To unlock your files send 0.15 Bitcoins to 1P67AghL2mNLbgxLM19oJYXgsJxyLfcYiz within 24 hours 0.20 after 24 hours” extension to encrypted files.


Ransom note in a pop-up:

YOUR COMPUTER HAS BEEN ENCRYPTED YOU MUST PAY .25 BITCOINS WITHIN 24 HOURS OR .35 AFTER 24 HOURS AFTER 48 HOURS YOUR COMPUTER WILL BE DESTROYED IF YOU HAVE NOT PAID HACKED YOU BITCOIN PAYMENT ADDRESS IS: 18zvwScQrbRH4Uh3C2zSzTmciMe7HYjvX

Here is how files encrypted by this variant appear:


Update 1 February 2017 - Security researchers from Avast have released a decrypter for Jigsaw ransomware. You can download it HERE.


Screenshot of a folder that contains encrypted files (with added .fun extensions):


File types targeted by this ransomware:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp , .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR , .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby , .1pa, .Qpd, .Txt, .Set, .Iif , .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, , .Drw, .Dwg.Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar
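Before running a decrypter it helps to know how many files on a volume carry one of the appended extensions listed above. The following is an added example, not part of the original page or of any decrypter: a read-only inventory script. The extension subset, the function names and the sample file names are assumptions chosen for illustration.

```python
import os
import tempfile
from collections import Counter

# Subset of the appended extensions listed on this page; extend as needed.
JIGSAW_EXTS = [".fun", ".kkk", ".gws", ".btc", ".paybtcs", ".afd", ".lost",
               ".beep", ".booknish", ".hacked.by.Snaiparul", ".dat", ".locked"]
# ".dat" is in both the appended and the targeted list on this page, so a
# bare "*.dat" match alone does not show that a file was encrypted.
AMBIGUOUS = {".dat"}

def classify(filename):
    """Return (appended_ext, original_name, ambiguous) or None if no match."""
    lower = filename.lower()
    # Longest suffix first so multi-dot extensions win over shorter ones.
    for ext in sorted(JIGSAW_EXTS, key=len, reverse=True):
        e = ext.lower()
        if lower.endswith(e) and len(filename) > len(e):
            original = filename[:-len(e)]
            # An encrypted file keeps its original extension underneath
            # ("report.docx.fun"); a plain "cache.dat" has none.
            ambiguous = e in AMBIGUOUS and "." not in original.strip(".")
            return e, original, ambiguous
    return None

def inventory(root):
    """Walk root read-only; count likely-encrypted files per extension."""
    hits, review = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = classify(name)
            if result is None:
                continue
            ext, _original, ambiguous = result
            if ambiguous:
                review.append(os.path.join(dirpath, name))
            else:
                hits[ext] += 1
    return hits, sorted(review)

def demo():
    """Build a constructed sample tree and return its inventory."""
    names = ["report.docx.fun", "photo.JPG.FUN", "song.mp3.kkk", "notes.txt",
             "cache.dat", "db.sql.dat", "cv.pdf.hacked.by.Snaiparul"]
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            open(os.path.join(root, name), "w").close()
        hits, review = inventory(root)
        return dict(hits), [os.path.basename(p) for p in review]

if __name__ == "__main__":
    print(demo())
```

Files returned in the review list match an appended extension that is also an ordinary file type and need a manual look before they are counted as encrypted.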

Screenshot of the JigSaw decrypter:


Victims should perform the following steps before using the decrypter:

1. Launch Task Manager (ctrl+alt+delete and choose Task Manager) and disable processes named "Firefox":


2. Select the "Startup" tab and disable the "Firefox" startup entry:


After this procedure, you should download the Jigsaw decrypter, launch it, select your hard drive and click "Decrypt My Files".


.Fun ransomware removal:


Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Step 2

Log in to the account infected with the .Fun virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.


1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.


2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.


3. Next, type this line: rstrui.exe and press ENTER.


4. In the opened window, click "Next".


5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the .Fun ransomware virus infiltrating your PC).


6. In the opened window, click "Yes".


7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining .Fun ransomware files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of .Fun are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by .Fun, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as .Fun ransomware.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:


Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:


  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.