Jigsaw (ransomware)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Jigsaw ransomware.png
Technical nameBitcoinBlackmailer
Written inEnglish

Jigsaw is a form of encrypting ransomware malware created in 2016. It was initially titled "BitcoinBlackmailer" but later came to be known as Jigsaw due to featuring an image of Billy the Puppet from the Saw film franchise.[1] The malware encrypts computer files and gradually deletes them unless a ransom is paid to decrypt the files.[2]


Jigsaw was designed in April 2016 and released a week after creation.[1] It was designed to be spread through malicious attachments in spam emails.[3] Jigsaw is activated if a user downloads the malware programme which will encrypt all user files and master boot record.[4] Following this, a popup featuring Billy the Puppet will appear with the ransom demand in the style of Saw's Jigsaw (one version including the "I want to play a game" line from the franchise) for bitcoin in exchange for decrypting the files.[5] If the ransom is not paid within one hour, one file will be deleted.[5] Following this for each hour without a ransom payment, the amount of files deleted is exponentially increased each time from a few hundred to thousands of files until the computer is wiped after 72 hours.[2] Any attempt to reboot the computer or terminate the process will result in 1,000 files being deleted.[5] A further updated version also makes threats to dox the victim by revealing their personal information online.[6]

Jigsaw activates purporting to be either Firefox or Dropbox in task manager.[2] As the code for Jigsaw was written within the .NET Framework, it can be reverse engineered to remove the encryption without paying the ransom.[2]


The Register wrote that "Using horror movie images and references to cause distress in the victim is a new low."[1] In 2017, it was listed among 60 versions of ransomware that utilised evasive tactics in its activation.[7]


  1. ^ a b c "Saw-inspired horror slowly deletes your PC's files as you scramble to pay the ransom". The Register. Retrieved 2018-02-20.
  2. ^ a b c d Osborne, Charlie (2016-04-22). "Tick, tock: Jigsaw ransomware deletes your files as you wait". ZDNet. Retrieved 2018-02-20.
  3. ^ "Jigsaw ransomware: Saw-inspired malware deletes files bit by bit hourly until you pay". International Business times. 2016-04-14. Retrieved 2018-02-20.
  4. ^ "Jigsaw ransomware wants to play a game with you". Geek.com. 2016-04-13. Retrieved 2018-02-20.
  5. ^ a b c "Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom". Bleeping Computer. 2016-04-11. Retrieved 2018-02-20.
  6. ^ Goodin, Dan (2016-06-28). "Meet Jigsaw, the ransomware that taunts victims and offers live support". Ars Technica. Retrieved 2018-02-20.
  7. ^ "Minerva Labs Releases Evasive Malware 2017 Year in Review". Prnewswire.com. 2017-12-07. Retrieved 2018-02-20.