Jigsaw Ransomware - How to remove

Jigsaw Ransomware is a serious infection that can infiltrate into your system without you noticing, lock your files and try pushing you into paying money. It usually asks around $150 in Bitcoins and claims that this is the only way to get your files back. Clearly if your important files were locked, you will do whatever it takes to get them back. However, if it’s Jigsaw Ransomware, be very careful. Even after paying, there are no guarantees that you will get a decryption key. Therefore, we strongly recommend restoring your files from a back up and removing Jigsaw Ransomware as soon as possible.

It is also recommended to scan your system wit ha reputable anti-malware program, like Spyhunter or StopZilla to make sure your system is clean. These programs will also protect your system from similar infections.

About Jigsaw Ransomware

Once installed, Jigsaw Ransomware scans your system and looks for certain extensions to encrypt your files. Usually it targets files with the following extensions: .gif, .png, .bmp, .pdb, .sql, .php, .asp, .swf, .xml, .ppsm, .asx, .mpg, .wmv, .vob, .m4u, .xlsb, .raw, .png, .java, .jar, .class, .doc, .docx, .ppt, .xpm, .zip, and and others. Then it changes the names of your files and ads .fun extension to them, so they become .gif.fun, .png.fun, etc. Sometimes, other extensions are used as well (.btc, .gws or .kkk). Then Jigsaw Ransomware displays a message that looks like this:

Your computer files have been encrypted. Your photos, videos, documents, etc….
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.
If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payment your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypted files will be returned to normal.
Thank you

As you see, it claims that you have 24 hours to pay a ransom or the amount of it will be increased. It also starts deleting your files if you don’t pay within 24 hours. If you don’t do it in 72 hours, the program claims that your files will be deleted for good. It sound really scary, especially if Jigsaw Ransomware locks important data. However, you should not rush to pay, as it doesn’t guarantee that your files will be unlocked. We highly recommend restoring your files from a back up and removing Jigsaw virus.

Note, that if you REBOOT your PC, 1000 files will be deleted at once. Thus if you turned your computer down, don’t boot it without good enough plan.

Jigsaw ransomware special removal steps

1. Press Ctrl+shift+esc

2. Terminate Firefox.exe, drpbx.exe task ( if you use Mozilla Firefox for browsing and it closes, you can run it later on or use other browser temporarily).

3. Delete the files or scan your PC with Spyhunter, Malwarebytes to identify and remove the parasites.

4. Download and run Jigsaw virus decrypter . Follow instructions.

5. If you haven’t done so, SCAN your PC for downloaders and other parasites that might have caused the ransomware infection. We recommend Spyhunter, Malwarebytes.

Update of the 30th of November, 2016. Jigsaw ransomware was noticed to have been included into the fake version of Electrum Coin Adder application.

Update of the 25th of December, 2016. A new version of Jigsaw crypto-malware adds .hush extension to encrypted data files.

Update of the 30th of January, 2017. A new sample of Jigsaw ransomware virus has been detected. It appends .paytounlock extension. Thankfully, it is not a major threat since people can decrypt their files with a reliable decrypter.

Update of the 6th of February, 2017. Jigsaw introduced two more samples of its infection. It appends either [email protected] extension or .gefickt to the encrypted data. Decrypter has been updated to recover files that have been infected with these variants.

Update of the 13th of March, 2017. A 4.6 version of Jigsaw ransomware has been detected. For now, it does not encode data, but its ransom note, lock-screen and message section is different than it was before.

Update of the 20th of March, 2017. We discovered that once again, a new extension should be listed as belonging to Jigsaw. .nemo-hacks.at.sigaint.org extension is going to be appended by the new sample. Above, you can notice the new lock-screen it displays.

Update of 27th of March, 2017. We have been informed that a new variant of Jigsaw might be emerging. This time, Vietnamese people might be targeted:

However, the news does not here here. New variant of Jigsaw appends a peculiar extension at the end of encrypted data: .To unlock your files send 0.15 Bitcoins to 1P67AghL2mNLbgxLM19oJYXgsJxyLfcYiz within 24 hours 0.20 after 24 hours. This varian also features a screen-locker.

Update of the 10th of April, 2017. We have become aware of another version of Jigsaw. This time around, it appends .I’WANT MONEY extension to the files it ruins. The email address to contact the creators of this variant: [email protected]. There is no need to contact hackers as people can restore their files quite efficiently with the decryptor.

Update of the 18th of April, 2017. Recently, a French sample, belonging to Jigsaw, has emerged. The French version appends .crypte extension to the encoded data. You can see the ransom note it displays:

The news about Jigsaw do not end here. Other samples have been detected and they use a new extension as well: .lcked. Additionally, they display a different picture as the background:

Update of the 24th of April, 2017. Jigsaw virus has been very active in the pats couple of weeks. Now, the Internet has become a host of a new sample of Jigsaw, featuring a picture of the notorious Joker character. The extension appended is .fun.

Update of the 15th of May, 2017. A new variant of Jigsaw was detected in the wild and it uses a .PAY extension.

Update of the 5th of June, 2017. Fresh version of Jigsaw has been noticed and it is connected with the frightening obsession with creepy clowns. This type of clown is presented as the lock-screen. The official decrypter is capable of restoring encrypted files.

Update of the 26th of June, 2017. Jigsaw crypto-virus has introduced a novel sample that encodes files and marks them with a .sux extension.

How to recover Jigsaw Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Jigsaw Ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Jigsaw Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Jigsaw Ransomware. You can check other tools here.  

Step 3. Restore Jigsaw Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Jigsaw Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Jigsaw Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal

Removal guides in other languages

3 responses to “Jigsaw Ransomware

  1. What if i just shut down my computer after that scary alert pops up and then boot a Linux Cd to delete this malware?

Leave a Reply

Your email address will not be published. Required fields are marked *