.Game File Virus (Jigsaw) – Remove and Restore Files

.Game File Virus (Jigsaw) – Remove and Restore Files

This article will help you to remove the Jigsaw ransomware completely. Follow the ransomware removal instructions given at the bottom of the article.

The .Game File Virus is in actuality Jigsaw ransomware. The cryptovirus is back with a new picture and ransom screen, along a new ransom message. Although it differs a bit compared to past variants, it is based on the code of the original malware. The virus has a list with over 120 file extensions that seeks to encrypt. All of the locked files will get the extension .Game appended to them.

Threat Summary

Name.Game File Virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware will encrypt your files and display a screen with the ransom note, which is themed around the movie “IT” and a character written by Stephen King.
SymptomsThe ransomware will encrypt files by placing the .Game extension to all of them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .Game File Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .Game File Virus.

.Game File Virus (Jigsaw) – Update July 2018

A variant of the .Game File Virus has been spotted by malware researchers in July, 2018. You can preview the sample posted on the VirusTotal service in the below screenshot:

As you can see above, multiple security engines are already detecting the threat.

The new variant encrypts files and places another extension to them (compared to the .Game File Virus), which is .beep. That version is not only decryptable, but you can also unlock your PC and file data by putting in the correct unlock key listed in the box down here:


If you enter the code incorrectly you will get a message saying: “Wrong key! Try again!

In the above screenshot, you can see the screen and picture that show for entering the decryption key incorrectly (on the left), and how the screen and picture change if you entered the correct key in the appropriate field (on the right). The images with the clown featured on the right corner of the screen are both animated gif images that have the same theme as the main one.

.Game File Virus (Jigsaw) – Spread

Jigsaw ransomware could infect computers using different methods for spreading that infection. Spam e-mails could be spreading its payload dropper. Those types of emails will try to convince you that something important is attached as a file to that e-mail. In actuality, the attachment will look like a legitimate document or one that is archived, but it is a file containing a malicious script. If you open that file, it will launch the payload for the ransomware. You can preview the analysis of one such file on the VirusTotal service:

Jigsaw ransomware might be using other methods for spreading, like putting the payload file dropper via social media and file-sharing sites. Freeware applications which roam the Internet could be presented as useful but also could hide the malicious files of this virus. Refrain from opening files after you download them, especially if they come from unverified sources, such as links and e-mails. First, you should scan these files with a security tool, and also make sure to check their sizes and signatures for anything that seems unusual. You should read the ransomware preventing tips topic in the forum.

.Game File Virus (Jigsaw) – Description

The Jigsaw ransomware ransomware virus is back with this new variant. This time the theme is based around the Stephen King’s character Pennywise the Clown seen in the original “IT” movie. That makes it somewhat different compared to the original Jigsaw ransomware virus.

When the Jigsaw virus is initialized, it could modify an existing entry in the Windows Registry or create a new one to achieve a higher level of persistence. That registry entry makes the malware to automatically execute with each launch of the Windows operating system.

Next, a window will pop-up on your screen that shows the Pennywise character and text being typed out with green letters. That text is the ransom message with information and instructions for payment.

The text of the ransom note reads:

Your personal files are being deleted. Your photos, videos, documents, etc…
But, don’t worry! It will only happen if you don’t comply.
However I’ve already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently, therefore I won’t be able to access them, either.
If you turn off your computer or try to close me, when I start next time you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you.
Meanwhile….. You want a balloon? Hahahahaha_

The Jigsaw ransomware scares you that it will delete files from your computer every time you try to close it and that there is nothing else that you can do to prevent that. However, that is a lie. But you should NOT under any circumstances pay any ransom sum as the note is lying to you about the decryption as well – the virus remains decryptable. Supporting cybercriminals is a bad idea as that will only motivate them to do more criminal acts.

.Game File Virus (Jigsaw) – Encryption Process

The list is with a little over than 125 file extensions that will become encrypted. The full list is the following:

→.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip

The list with file extensions for encryption is around the number of 127 but it could have been updated with more than that. The encrypted files will have the .Game extension appended to all of them, after their file name. The extension .Beep might still be appended in some variants of the ransomware a bit older than the current one.

The Jigsaw ransomware is very likely to erase all Shadow Volume Copies from the Windows operating system, in order to make the encryption process more viable. The command for that is the following:

→vssadmin.exe delete shadows /all /Quiet

A decryption tool developed by the malware researcher Michael Gillespie is available for you to try out. Since this variant is new, the decrypter might not work yet, but you should definitely consider running it. You can find it in the bottom of the article.

Remove Jigsaw Virus and Restore .Game Files

If your computer got infected with the Jigsaw ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share