Jigsaw is a Windows ransomware family created in 2016, initially titled BitcoinBlackmailer and later widely known as Jigsaw because it displays imagery of Billy the Puppet from the Saw film franchise. It is a .NET malware family, with analyzed samples obfuscated using Confuser, that encrypts victim files and appends the .fun or .FUN extension. It presents a ransom window themed around Saw, including taunting messages such as “I want to play a game with you,” and uses psychological pressure by threatening escalating file deletion over time. Reported behavior includes deleting a few files in the first 24 hours, a few hundred on the second day, a few thousand on the third day, deleting 1,000 files after a reboot, and ultimately deleting all files after 72 hours if payment is not made. Initial ransom demands reported in the content were $20 in Bitcoin, increasing over time up to $150 after 72 hours. Trend Micro researchers also reported that Jigsaw later added live support to help victims obtain bitcoin for payment.
In analyzed executions, Jigsaw copies itself into %APPDATA% as drpbx.exe and also copies a window-form component as firefox.exe. The ransom interface allows victims to view encrypted files and includes a decryption button that attempts to contact a command-and-control server to query a decryption key. Infections described in the content came from downloads hosted on 1fichier.com and from pornography websites, including a themed variant whose ransom message stated, “YOU ARE A PORN ADDICT. STOP WATCHING SO MUCH PORN. NOW YOU HAVE TO PAY,” and replaced the Billy image with pink flowers.
The content highlights that Jigsaw was poorly implemented: the encryption key was hardcoded in the binary/source code, enabling recovery through reverse engineering without paying. The source also reportedly exposed 100 Bitcoin wallet addresses intended for ransom payments. The malware is therefore notable both for its coercive deletion threats and for weak key management that enabled free decryption. The content also notes that public reporting and government advisory material have observed threat actors possessing or using publicly available encryption tools including Jigsaw.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
10 distinct techniques documented for this family, organized by ATT&CK tactic.
But as the hours tick by, the malware will begin to delete files – first only a few, but the number will rise, as will the ransom needed to unencrypt them. After 72 hours, all of the files on the target computer will be deleted.
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a previous ransomware example for comparison with WannaCry's TOR-based C2 design.
Ransomware written in .NET that encrypts files, appends the .fun extension, gradually deletes files, displays a ransom note themed around the Saw franchise, and queries a C2 server for a decryption key. The sample copies itself into %APPDATA% as drpbx.exe and firefox.exe. The analysis notes a critical design flaw: the encryption key is hardcoded in the binary, enabling recovery through reverse engineering.
DOWNLOAD FREE JIGSAW RANSOMWARE DECRYPTION TOOL
Jigsaw is mentioned only as another ransomware allegedly created by the same author, iCoreX.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.