Saw-inspired horror slowly deletes your PC's files as you scramble to pay the ransom

A new strain of ransomware is adding psychological tactics to its code to try and extort money faster, borrowing from cult horror film franchise Saw. The Windows malware, dubbed BitcoinBlackmailer.exe or JIGSAW, follows the usual practice of encrypting the victim's files, and adding a .FUN extension for giggles. A popup screen …

  1. J. R. Hartley Silver badge

    Shitting crikey

    Evil genius

    1. Bob Vistakin

      Without the in-your-face dramatics

      Microsoft are nevertheless doing something very similar - the end goal being to hold you to ransom. As time passes, they turn up the aggression.

      1. Trevor_Pott Gold badge

        Re: Without the in-your-face dramatics

        It's not evil when corporations or governments do it.

        Now back to work, prole!

  2. Stevie Silver badge


    If all the files have been deleted, what's the incentive to pay the increased ransom?

    Was this malware sent by Doug and Dinsdale Piranha?

  3. Coen Dijkgraaf


    Now they have shot themselves in the foot. The Movie industry will now send their lawyers after them due to breach of copyright.

    1. raving angry loony

      Re: Copyright

      Not before they hire them. After all, that's what the movie industry today does, isn't it? Incompetently evil plans followed by flurries of legal action when their plans fail?

    2. Anonymous Coward

      Re: Copyright

      and when them law hounds are unleashed... Tick tock, tick tock, are you going to watch yourself die here today, or do something about it?

  4. Anonymous Coward

    What's more shocking though...

    Is that a lot of those ransomware viruses get spread through none other than advertisements. Obviously compromised advertisement sources, but nonetheless: the culprit didn't have much chance on clients which used an AdBlocker of some sort. And it makes perfect sense too: if you manage to compromise such an ad source then you'll automatically target several websites at once. Win-win.

    This happened a few weeks ago in Holland where dozens of very well known newspaper and media sites turned out to be the (temporary) distributors of such a notorious ransomware virus. And to add insult to injury some of those sites even used "adblock warnings". You know: you enter the site and you're alerted that you're using an ad blocker and are also requested to turn it off.

    So basically, during the time of the virus, the sites themselves helped to actively spread it. Provided someone actually followed up on the "adblock disable advice" of course.

    Which is why I think that ad blockers should be considered security software: worthy extensions of virus scanners and other tools to block nasty things from happening on your PC. Ask yourself this: what's more worth to you: the security of your computer or the revenue of a 3rd party? The problem should be obvious: you may consider said 3rd party as a trusted source, but even if you do you'll have no way of knowing where all the advertisements will be coming from.

    1. Bronek Kozicki Silver badge

      Re: What's more shocking though...

      In other news: online advertising firm publishes "report" claiming that "ad-blockers break the Internet", and then sends it to mainstream media which dutifully repeats the claim.

      None of them will stop and think for a minute about security implications of disabling ad-blockers.

      1. VinceH

        Re: What's more shocking though...

        From the piece:

        "Like regular users when we come across missing sections or errors on a website, we assume the site is simply broken. However, we forget or don't realize that our adblocker can be the culprit not the website we are visiting, and what do we do? - Go somewhere else, get frustrated, complain?"

        Here, they seem to be suggesting that some websites are 'broken' by ad blockers, and that the sites themselves are not broken. It seems to me, however, that the sites themselves are very much broken if this happens, and the ad blockers are merely highlighting the fault.

        Either way, it's just scare tactics. They may as well have added "think of the children" and claimed that some of these broken websites were sites for kids. And they surely missed a trick by not calling developers of ad blockers terrorists.

        Incidentally, NoScript blocked the header image on that page from displaying - wondering why Javascript was needed for that, I checked. It's not an image but an 8 megabyte MP4.

      2. Anonymous Coward

        Re: What's more shocking though...

        an interesting take on individual's sense of humour...

      3. Anonymous Coward

        Re: What's more shocking though...

        uh, I dunno...

    2. Triggerfish

      Re: What's more shocking though... @ShelLuser

      You know before I got to the bottom of your comment I was thinking how I already consider ad blockers part of my security suite, have an upvote.

    3. rcoffman3

      Re: What's more shocking though...

      Good point: turning off adblocker is dangerous because these days even hovering over an ad doesn't necessarily mean what you see is what you get and that the ad you are clicking on is not being redirected to another site without your knowledge.

  5. MrDamage

    what happens

    If you just keep setting the clock back a few hours while you dig through the source looking for the key?

    1. Andy Non Silver badge

      Re: what happens

      The software probably keeps track of the system time (every second) and if the clock goes backwards does more nasty stuff. It is standard to include a feature in time limited (30 day free trial) software to check for system date tampering and if found terminate the free/temporary licence.

    2. rcoffman3

      Re: what happens

      It's got a timer built into the payload, iirc it also displays a countdown timer on the screen letting you know that it is keeping track of time before the next payload executes.

  6. This post has been deleted by its author

  7. Anonymous Coward

    Is it called "akonadiserver"?

    Seeing how this thing is burning the CPU for no good reason and I can't kill the process because that will forever mangle the database used by KDE PIM, I suspect the same programmers are at work.

    1. Anonymous Coward

      Re: Is it called "akonadiserver"?

      How do you manage to get a Windows executable, BitcoinBlackmailer.exe to run on your KDE PIM?

      1. Pascal Monett Silver badge

        Simply because he's that good.

      2. mythicalduck

        Re: Is it called "akonadiserver"?

        How do you manage to get a Windows executable, BitcoinBlackmailer.exe to run on your KDE PIM

        Well, it said in the article it was written in .NET, so I assume by installing mono?

  8. Known Hero

    So it looks like Utah Law Makers have a sense of humor ?!

  9. Alan Ferris

    Incomplete reporting

    Which porn sites are affected?

    Asking for a friend

    1. Destroy All Monsters Silver badge

      Re: Incomplete reporting

      I don't know, I have tested all the known ones and they were all good.

    2. Aodhhan

      Re: Incomplete reporting

      I went to all of my favorite sites and didn't have a problem. I compiled a list to send you.

      ...crap, never mind. I can't seem to find it now.

  10. Duffaboy

    I think the first file it deletes is.

    The Audio driver..

  11. x 7

    when the bastard behind this is caught he should be strapped to a saw bench and treated to the effects of a real rotary woodsaw

    1. hj

      Of course he should be able to stop it by chopping off his own hands? (yes, both of them)

  12. Anonymous Coward


    This isn't Saw inspired.

    If it was, the victims would have to dig the decryption keys out of a dead man's stomach or be forced to crawl through bleach covered barbed wire to get the keys.

    If the day comes that you wake up chained to the toilet from Trainspotting, next to a hammer drill with a thumb drive forced into your skull with the decryption keys on after visiting a nefarious site, only then can we call it "saw inspired".

    Incidentally, this might be a useful way to 'inspire' sysadmins into setting up proper backups.

    "Hello Dilbert, you've been living your life very precariously with your half cocked backups and flimsy DR plan. This is generally unacceptable behaviour. As a result, I have set up this game for you to help you understand the error of your ways. Next to you is Diane from accounts, she opened up an attachment with a toxic payload that came from an unknown source and got through your puny mail filtering rules, she is alive but heavily sedated. Next to her is the lid off a toilet cistern. I have embedded a thumb drive with the decryption keys to retrieve all of your data somewhere inside this woman. You have two options, gnaw your own arm off to escape to an almost certain sacking or extract the drive using the tool provided, take responsibility like a man or throw your colleague under the bus, make your choice."

    *Cue music*

    1. Alumoi

      Re: Meh

      Simon, is that you?

  13. Aodhhan

    Apparently this attack is aimed at everyone who isn't computer security savvy, and isn't too lazy to do some simple research to get the key. Also, asking for only $20 dollars tells me the motivation wasn't to get wealthy; rather, to make a statement.

    Wouldn't mind doing a binary disassembly on this to find out if the first round or two of deletions are aimed at something specific to get your attention but something you could easily download and replace, such as Steam files.

    1. rcoffman3

      Re: what happens

      You didn't read the article: it's $150, and the files deleted likely are random each time so the user wouldn't be able to circumvent the deletion of the files by simply changing the properties of said files by trying to tamper with specific ones.

  14. Anonymous Coward

    What we need

    Is some good old fashioned death-by-slow-torture for the idiots who write ransomware.

    Add to this my personal favorite, force-feeding a kilo of iron ball bearings then a few hours later strapping them to a MRI gurney and setting the scanner on maximum. Bwahahahaha...

    1. rcoffman3

      Re: What we need

      I would say attach cannon balls to each side of his testicles with hooks going through them for writing and putting something like this out into the wild and trying to extort people for money. Tell him he has a choice: he has to either lose his testicles or put his testicles in a vice with the vice clamped down as tight as it will go. If it sounds harsh, I have no sympathy for people that use these kinds of tactics to extort people with money as a motive.
