jigsaw

Jigsaw is a ransomware family first observed in April 2016, notorious for its psychological intimidation tactics. It encrypts files using AES encryption and appends various extensions (e.g., .fun, .kkk, .btc) depending on the variant. The ransomware’s ransom note features imagery of the “Billy” puppet from the Saw movie franchise and displays a countdown timer. Jigsaw is unique in that it deletes a portion of the victim’s files every hour until the ransom is paid, escalating the number of deletions over time to increase pressure. The note typically instructs victims to pay in Bitcoin via email communication. The malware is written in .NET, and numerous versions have circulated since its emergence, many of which are decryptable due to coding flaws. Jigsaw has mainly been spread via malicious email attachments and exploit kits. While it had a period of high activity in 2016–2017, most modern antivirus tools can easily detect and block it.