Ransomware possibly being used to teach "Ethical" hacking

June 1, 2018

Ransomware has been so rampant that we receive multiple different variants daily. The SonicWall Capture Labs Threat Research Team has recently received a sample of the Jigsaw ransomware and at first glance is not different from any other ransomware. We have been tracking and analyzing this ransomware since we first spotted it in 2016. This newer sample however appears to have added a functionality to communicate to a remote command and control server. We also noticed that this build could have possibly been used as a school project which one might find odd considering how ransomware continues to be lucrative, albeit unethical, business. Are we teaching how to create your own ransomware in school nowadays?

Infection Cycle:

This ransomware arrives in the system pretending to be a PDF file using the following icon:

Upon execution, it copies itself to the following directories as firefox.exe and drpbx.exe:

  • %Appdata%/Frfx/firefox.exe
  • %Appdata%/Drpbx/drpbx.exe

It then sends information such as username and computer name to a remote server:

It then proceeds to encrypt files in the victim’s machine and appends a “.fun” file extension to all encrypted files.

It also creates a file named EncrypteFileList.txt in the root directory that has the list of all files that has been encrypted.

It then displays an image of the fictional character, Jigsaw, reminiscent of the horror movie Saw with the warning and instructions on how to pay the ransom.

It also adds a run key in the registry to ensure persistence in an event of a system reboot.

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run  firefox.exe %Appdata%\Frfx\firefox.exe

Upon further analysis, we also noted references to compiler debugging information in its strings which suggests that this ransomware might have been used as a project for the 6th semester of “Ethical Hacking.”

We are split on “ethics” in terms of the use of this program. Does promoting its use supports this kind of behavior and ultimately makes it even more of a threat for everyone?

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Jigsaw.RSM_16 (Trojan)