Over the past few weeks there has been an uptick in the selling of the Jigsaw ransomware on one dark net forum. Some may know Jigsaw as BitcoinBlackmailer, CryptoHitman, Invisible Empire, BitcoinStealer, or Epic. A quick look at the online malware analysis site VirusTotal also shows a higher than usual rate of submissions in the past month.
One seller on the dark net forum claims his version is 100% fully undetectable (FUD) and was updated just this month. The seller also claims the ransomware, which can be bought for less than $100US, can be programmed to delete files if the victim turns the computer off, or to start deleting files every 24 hours if the ransom is not paid. The seller will also include the source code and ask for no cut of the ransom in return.
Another seller of Jigsaw will sell you the ransomware for less than $10US. In return you get a custom-built payload and income management, and all you have to do is spread the malware using whatever means you have. The kicker is that you have to split the ransom 50/50 with the seller.
A third seller appears to be trying to undercut all others and is selling his version for the low price of $5.28US, and doesn’t even ask for a cut of the proceeds. The malware is advertised to let you add your own bitcoin address as well as a custom extension for encrypted files. The seller also claims the ransomware can be installed on a USB key which will detonate and start encrypting files at the time of your choosing. The seller backs up his story by mentioning he was able to infect a computer at a hotel he stayed at using his malicious USB stick, which resulted in a successful payment of 10 BTC. If the seller’s alleged story is correct, then he collected more than $10,000US!
Jigsaw was discovered back in the spring of last year, so why are underground sellers offering an old ransomware which is decryptable with a free tool from https://www.nomoreransom.org/? Are we seeing a new updated version which claims that it cannot be decrypted and evades anti-virus, or are these advertisements just an attempt to scam the buyer? The latest version of Jigsaw (4.6) was discovered earlier this month, but at the time of this writing this version was still in development and does not encrypt a single file.
Regardless of what version these guys are pushing, it’s recommended to never pay the ransom, as this only fuels the ransomware market, which does not appear to be going away anytime soon.