Jigsaw Ransomware Reappears as Bitcoin Stealer

July 27, 2018


Jigsaw, an old ransomware family, has reemerged as a bitcoin stealer. This iteration of Jigsaw (detected by Trend Micro as RANSOM_JIGSAW.THGBDAH) is also called Bitcoin Stealer, after strings embedded in the malware's code. The malware steals the contents of the victim's bitcoin wallet by using an open-source command-line tool (VanityGen) to alter the victim's bitcoin address so that funds are diverted to the cybercriminal's account.

The change is subtle enough to mislead victims into believing that the cybercriminal's and the victim's bitcoin addresses are the same. The malware achieves this by using VanityGen to generate a lookalike address and swap it for the bitcoin address held in the clipboard.
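The swap works because people compare only the first few characters of a bitcoin address, and a vanity address is built to match exactly those characters. The defensive check below is an added example, not code from the article or from Trend Micro: it validates the Base58Check encoding of a legacy address and compares the full string that was copied against the one about to be pasted. It does not use VanityGen; the lookalike address is constructed deterministically from a hashed counter (an assumption standing in for a real key), and the intended destination is the well-known genesis-block address, used here only as public sample input.

```python
# Added example (not from the original article): detect a clipboard address
# swap by checking the full Base58Check address, not just its first characters.
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # each leading zero byte is encoded as a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        if ch not in B58:
            raise ValueError("not a base58 string")
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    # Base58Check: first four bytes of double SHA-256 over version + hash160
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_address(addr: str) -> bool:
    """Base58Check validation of a legacy (P2PKH/P2SH) bitcoin address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return checksum(raw[:21]) == raw[21:]


def address_from_hash160(h160: bytes, version: int = 0x00) -> str:
    payload = bytes([version]) + h160
    return b58encode(payload + checksum(payload))


def constructed_lookalike(target: str, match: int = 3) -> str:
    """Deterministically derive a valid address sharing `match` leading
    characters with `target`. The hash160 comes from a hashed counter, a
    constructed stand-in for a real key pair (no private key exists)."""
    n = 0
    while True:
        h160 = hashlib.sha256(b"constructed-example-%d" % n).digest()[:20]
        addr = address_from_hash160(h160)
        if addr.startswith(target[:match]) and addr != target:
            return addr
        n += 1


def classify_paste(copied: str, pasted: str, prefix_chars: int = 4) -> str:
    """Compare the address the user copied with the one about to be pasted.
    A prefix-only comparison is what a vanity address defeats; only a full
    string comparison reports the swap."""
    if pasted == copied:
        return "ok"
    if not is_valid_address(pasted):
        return "invalid"
    if pasted[:prefix_chars] == copied[:prefix_chars]:
        return "lookalike-swap"
    return "swap"


# Well-known public address (genesis block coinbase), used as sample input.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

if __name__ == "__main__":
    fake = constructed_lookalike(GENESIS, match=3)
    print(fake, classify_paste(GENESIS, fake, prefix_chars=3))
```

Run stand-alone, the script prints a valid address that begins with the same three characters as the genesis address and the verdict `lookalike-swap`; a wallet or clipboard monitor that applies `classify_paste` at paste time, rather than trusting a visual prefix check, catches the substitution regardless of how many leading characters the attacker matched.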

According to the researchers, the cybercriminals have already earned 8.4 bitcoins (US$66,807 as of July 24, 2018) using the repurposed malware. They also observed similar cryptocurrency address-modifying services advertised on dark web forums and websites.

[From the TrendLabs Security Intelligence Blog: Technical analysis of the first version of the Jigsaw ransomware]

Jigsaw Ransomware

First appearing as file-encrypting malware in April 2016, Jigsaw coerced victims into paying the ransom by setting a time limit and incrementally deleting files. It has since evolved and matured, adopting techniques and business models that included live chat support and revamping its ransom notes (e.g., using images from the Saw films and Anonymous) and demands.

Given that Jigsaw's source code has long been available online, it is unsurprising that cybercriminals repurposed it into malware that cashes in on cryptocurrency's popularity. And Jigsaw is not the only one adapting to the times.

A recent example is the Rakhni trojan, which can deliver either ransomware or cryptocurrency-mining malware depending on the affected system's configuration. Trickbot, originally known as an information stealer, added screen-locking capabilities usually associated with ransomware. Cerber ransomware also added cryptocurrency theft to its routines. Cybercriminals have also used notorious exploits such as EternalBlue to mine cryptocurrency. In 2017, cryptocurrency mining was the most detected network event on devices connected to home routers.