How to Recover Jigsaw Ransomware Files
Jigsaw Ransomware Description and Removal Instructions:
Malware Category: Ransomware
Jigsaw Ransomware is the latest version of Crypto-Ransomware virus. Jigsaw Ransomware targets PCs running Windows OS. It will delete a file every 60 minutes if a ransom of $150 is not paid. Moreover, if the infection is terminated or the computer is rebooted, it will delete 1000 files. Every file that has been encrypted will have its extension changed to .fun, .KKK, .BTC or .GWS. Fortunately, there is a way of decrypting the files encrypted by Jigsaw Ransomware.
When running, Jigsaw Ransomware will start encrypting certain types of files stored on local or mounted network drives using AES cryptography, with the private key stored only on a control server. The virus will encrypt the following extensions:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR, .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby, .1pa, .Qpd, .Txt, .Set, .Iif, .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, .Drw, .Dwg, .Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar
Jigsaw Ransomware will create help_your_files.html. The file contains instructions explaining how to pay the ransom. On the webpage, victims can enter their personal code and access the payment page. When Jigsaw Ransomware is initiated on the computer, it will inject itself deep into the system, infecting Explorer.exe and svchost.exe, modify the registry to start with Windows, and disable the Automatic Repair feature. Once active, it will start the process of encrypting files. These types of ransomware are very hard to detect. Nevertheless, the virus will show its presence after the encryption finishes.
Jigsaw Ransomware will not just encrypt files and block your computer, it will also collect valuable information that will be sent to the control server at: crazytrevor.com and crazytrevor.in. Such software could lead to more malware coming into your computer and even cause a loss of data. Such threats are not to be underestimated!
If you are infected, we at SpywareTechs.com recommend that you download SpyHunter Malware Security Suite in order to remove the infection automatically:
Once you get rid of Jigsaw Ransomware (see how to remove Jigsaw Ransomware in our article), you can try to recover your files using the methods below:
How to Recover Files Encrypted by Jigsaw Ransomware:
You can try to recover your files from a system backup. If there is no backup available, you can try to restore the files using the Shadow Copy Service. Windows XP Service Pack 2 and later versions have an integrated feature called Shadow Copy Service which will automatically create backup copies of your files. This method is not bullet-proof, as Jigsaw Ransomware may delete the shadow copies.
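Because the shadow copies may already have been deleted, it is worth checking what survives before trying either method below. The following PowerShell is an added example, not part of the original article or any tool it mentions; it must be run from an elevated prompt, and $InfectionTime is an assumed parameter that you set to your own estimate of when encryption started.

```powershell
# Added example: list surviving Volume Shadow Copies for each fixed drive.
# Run elevated; Win32_ShadowCopy is only readable by administrators.
# $InfectionTime is an assumption: replace the default with your own estimate.
param(
    [datetime]$InfectionTime = (Get-Date).AddDays(-1)
)

# Fixed disks that have a drive letter (DriveType 3 = local disk).
$volumes = @(Get-CimInstance -ClassName Win32_Volume -Filter "DriveType = 3" |
    Where-Object { $_.DriveLetter })

# Every shadow copy on the system; VolumeName matches Win32_Volume.DeviceID.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

$report = foreach ($vol in $volumes) {
    $copies = @($shadows |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate)

    if ($copies.Count -eq 0) {
        # Nothing to restore from on this drive (never enabled, or deleted).
        [pscustomobject]@{
            Drive = $vol.DriveLetter; Created = $null
            ShadowId = $null; Note = 'no shadow copies found'
        }
        continue
    }

    foreach ($copy in $copies) {
        # Only copies taken before encryption started can hold clean files.
        $note = if ($copy.InstallDate -lt $InfectionTime) {
            'predates infection, candidate for restore'
        } else {
            'created after infection, likely holds encrypted files'
        }
        [pscustomobject]@{
            Drive = $vol.DriveLetter; Created = $copy.InstallDate
            ShadowId = $copy.ID; Note = $note
        }
    }
}

$report | Format-Table -AutoSize
```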
1. How to Restore Files Using the Shadow Copy Service:
Method 1. Using Windows Previous Version tab:
*The Windows System Protection service must have been enabled before the infection, otherwise this method will not work.
- Right-click on the encrypted file, select Properties from the menu.
- Click on “Previous Version” tab (If missing, this means that Windows System Protection has not been enabled).
- Choose a previous version copy and click on the Copy button. Select a directory you wish to recover the file to, or you can try to restore the selected file, directly, by hitting the Restore button.
This method can also be used to recover an entire folder. Just right-click on the highlighted folder and select Properties, and then the Previous Version tab.
Method 2. Using Shadow Explorer:
Shadow Explorer can be used to restore whole folders. You can download the program from the link below:
Download and run the program. A list of available drives will show up on the left side. Beside it, you will see the available dates of the created shadow copies. Select the drive and the date to restore to.
2. How to recover files encrypted by Jigsaw Ransomware using DemonSlay335's Decryption Tool:
DemonSlay335 from Bleeping Computer and MalwareHunterTeam analyzed the infection and found a way to recover the files. The tool should be able to decrypt files with the extension .fun, .KKK, .BTC or .GWS. Please note that some files may fail to be decrypted.
*Before proceeding with the steps below, please open Task Manager and kill the processes: firefox.exe and drpbx.exe. From MSConfig turn off the startup entry pointing to %UserProfile%\AppData\Roaming\Frfx\firefox.exe.
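The pre-decryption check described in the note above can be scripted. This PowerShell is an added example, not code from the original article or from the decryption tool's author; the process names, the Frfx path and the four extensions are taken from this page, while $ScanRoot is an assumed parameter. It only reads system state and changes nothing.

```powershell
# Added example: read-only check for the Jigsaw indicators named in this article.
# $ScanRoot is an assumption; point it at the drive or folder you plan to decrypt.
param(
    [string]$ScanRoot = $env:USERPROFILE
)

# Path and extensions as given in the article.
$frfxPath     = Join-Path $env:USERPROFILE 'AppData\Roaming\Frfx\firefox.exe'
$encryptedExt = '.fun', '.kkk', '.btc', '.gws'

# 1. Running processes. firefox.exe is also the legitimate browser's name, so it
#    is reported only when its image path is the Frfx location; drpbx.exe is
#    matched by name.
$procs = @(Get-CimInstance -ClassName Win32_Process `
        -Filter "Name = 'firefox.exe' OR Name = 'drpbx.exe'" |
    Where-Object { $_.Name -eq 'drpbx.exe' -or $_.ExecutablePath -eq $frfxPath })

# 2. Startup entries (Run keys and Startup folders) that point at the Frfx copy.
$startup = @(Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -like '*\Frfx\firefox.exe*' })

# 3. Files carrying one of the four encrypted extensions, grouped by folder
#    (-contains is case-insensitive, so .FUN and .fun both match).
$files = @(Get-ChildItem -Path $ScanRoot -Recurse -File -Force `
        -ErrorAction SilentlyContinue |
    Where-Object { $encryptedExt -contains $_.Extension })

"Ransomware processes still running: $($procs.Count)"
$procs | Select-Object ProcessId, Name, ExecutablePath | Format-Table -AutoSize

"Startup entries pointing at Frfx: $($startup.Count)"
$startup | Select-Object Name, Command, Location, User | Format-List

"Encrypted files under ${ScanRoot}: $($files.Count)"
$files | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

if ($procs.Count -or $startup.Count) {
    Write-Warning 'Indicators still present: stop the processes and disable the startup entry before decrypting.'
}
```

The folder list at the end shows where the encrypted files are concentrated, which helps when choosing the path in the "Select Directory" step.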
1. Download JigSawDecrypter.zip from the following link and save it on your desktop:
2. Once you've downloaded it, extract the archive and double-click on JigSawDecrypter.exe to run it.
3. Click on “Select Directory” to select the path.
4. Click on “Decrypt My Files” button to start the decryption. When the process finishes, a message in green “Files Decrypted!” will appear.
Nevertheless, if you want to be protected from Jigsaw Ransomware, get SpyHunter!