Free Jigsaw Decryption Tool Now Available Thanks to Check Point's Research - How to, Technology and PC Security Forum |

Free Jigsaw Decryption Tool Now Available Thanks to Check Point’s Research

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

ransomware-encryption-decryption-key-2-stforum Since its first appearance in April this year, the operators of Jigsaw crypto virus have released other variants (Epic ransomware, Payms ransomware) besides the original version appending .fun, .kkk, .btc extensions. If you have been victimized by any of Jigsaws’s versions, you will be happy to know that a way to decrypt files encrypted by Jigsaw has been identified by researchers at security firm Check Point. Scroll down to see where to get the free Jigsaw decryption tool.

How Did Jigsaw Ransomware Function?

The original Jigsaw was mostly known for the deletion of encrypted files. The victim was asked to pay around 0.4 Bitcoins or 150 US dollars within one hour. If you they didn’t comply – every hour encrypted files would get deleted and after three days, all files would be erased.

The ransomware employed the AES encryption algorithm, and appended .fun, .btc and .kkk extensions. In case the user restarted their computer, at least 1,000 of the encrypted files would end up being deleted from disk drives.

Related: Ransomware Encryption Explained

Shortly after the crypto virus’s premiere on the malware scene, security researchers were able to create a working and free Jigsaw decrypter. However, the decryption tool stopped performing properly because the ransomware operators started updating their code regularly, making it more sophisticated. Jigsaw quickly became one of the most updated threats on the current malware market, with new versions emerging every week.

How Did Check Point’s Researchers Establish a Free Jigsaw Decryption Tool?

While investigating the latest Jigsaw Ransomware variant (SHA256: 61AA800584B170FFE9959ACD057CCAF784BF3088E1D3AAB39D07C0793F6C03DF) and its false claims to steal users’ credentials and Skype history, we came across the mechanism the ransomware uses to check whether payments have been made.

According to the researchers, a weakness has been identified not in the encryption process itself but in the way Jigsaw handles the ransom payment. Unlike most ransomware pieces, Jigsaw doesn’t use a Tor-based website but just prints a Bitcoin wallet address on the user’s PC via a specific ransom note. Once a payment is made, the user is prompted to press the “I made a payment, now give me back my files!” button. By pressing the button, the victim initiates a request from their PC to an online API that makes sure that a payment is successfully transferred to the given Bitcoin wallet.

What Check Point researchers did was create a tool that intercepts and imitates a positive API response. This is how Jigsaw “thinks” that a payment has been made while in reality it hasn’t, and as a result the decryption process is initiated. The process should end with the successful encryption of all compromised files, and auto-deleting the threat from the victimized machine.

Where Can Jigsaw Ransomware Victims Get the Decryption Tool?

The Jigsaw decryption tool can be downloaded from Check Point’s page.

Here is a short user manual on how to use it:

1.Unpack the file.
2.In the Jigsaw Puzzle Solver folder, right click ‘JPS.exe’ and click ‘run as administrator’.
3.Follow the instructions displayed on the screen.

The working decryption method appears to have been originally disclosed by Peter Kleissner in a tweet from last week, Softpedia points out.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share