Security researchers from Check Point announced over the weekend that they were able to decrypt Jigsaw ransomware, in both its new and older versions.
The Jigsaw ransomware appeared last April and differed from other ransomware because, if the victim did not pay the ransom, it began deleting files from the user's computer.
The researchers succeeded in developing a decrypter for Jigsaw ransomware almost immediately after its release, but it stopped working after updates to the ransomware. It should be mentioned that Jigsaw is one of the most frequently updated ransomware families at the moment, since new versions are released almost on a weekly basis.
The Check Point team also claims that it has detected a weakness, not in the encryption process, but in how the malware handles the ransom payment.
While other ransomware uses a Tor website to manage payments, Jigsaw only displays a Bitcoin payment address on the victim's computer, with a ransom note asking users to click “I made a payment, give back my files!” once they have, of course, made the payment.
Clicking this button launches a request from the user's computer to an online API that checks whether the payment has been accepted by that Bitcoin address.
Check Point created a tool that mimics a positive response from the API. The tool gives Jigsaw a false API response, and the ransomware believes that the payment was made. It immediately starts the decryption process, which ends with all encrypted files unlocked and the malicious software deleted from the infected system.
You can download it from the link below.
Instructions for use:
1. Open JPS.zip.
2. In the Jigsaw Puzzle Solver folder, right-click 'JPS.exe' and select 'Run as administrator'.
3. Follow the instructions.
http://blog.checkpoint.com/files/2016/07/JPS_release.zip