Last seven days
- First activity
- Jul 19, 2026
- Last activity
- Jul 19, 2026
- Feed role
- C2
- Host form
- 1 IP / 0 hostnames
Jigsaw is a Windows ransomware family created in 2016, initially titled BitcoinBlackmailer and later widely known as Jigsaw because it displays imagery of Billy the Puppet from the Saw film franchise.
Profile source: Mallory opens in a new tabJigsaw
Jigsaw is a Windows ransomware family created in 2016, initially titled BitcoinBlackmailer and later widely known as Jigsaw because it displays imagery of Billy the Puppet from the Saw film franchise. It is a .NET malware family, with analyzed samples obfuscated using Confuser, that encrypts victim files and appends the .fun or .FUN extension. It presents a ransom window themed around Saw, including taunting messages such as “I want to play a game with you,” and uses psychological pressure by threatening escalating file deletion over time. Reported behavior includes deleting a few files in the first 24 hours, a few hundred on the second day, a few thousand on the third day, deleting 1,000 files after a reboot, and ultimately deleting all files after 72 hours if payment is not made. Initial ransom demands reported in the content were $20 in Bitcoin, increasing over time up to $150 after 72 hours. Trend Micro researchers also reported that Jigsaw later added live support to help victims obtain bitcoin for payment.
In analyzed executions, Jigsaw copies itself into %APPDATA% as drpbx.exe and also copies a window-form component as firefox.exe. The ransom interface allows victims to view encrypted files and includes a decryption button that attempts to contact a command-and-control server to query a decryption key. Infections described in the content came from downloads hosted on 1fichier.com and from pornography websites, including a themed variant whose ransom message stated, “YOU ARE A PORN ADDICT. STOP WATCHING SO MUCH PORN. NOW YOU HAVE TO PAY,” and replaced the Billy image with pink flowers.
The content highlights that Jigsaw was poorly implemented: the encryption key was hardcoded in the binary/source code, enabling recovery through reverse engineering without paying. The source also reportedly exposed 100 Bitcoin wallet addresses intended for ransom payments. The malware is therefore notable both for its coercive deletion threats and for weak key management that enabled free decryption. The content also notes that public reporting and government advisory material have observed threat actors possessing or using publicly available encryption tools including Jigsaw.
C2 tracking
Derp observations, rolling seven-day window
Samples
MITRE ATT&CK
Reporting
Compared to the previous ransomware that I analyzed (e.g., CryptoLocker and Jigsaw), WannaCry uses TOR network to enhance anonymity.
This article presents an analysis of Jigsaw and focuses on its design philosophy and underlying mechanisms. Jigsaw is a ransomware created in 2016. It was initially titled “BitcoinBlackmailer”, but later came to be known as “Jigsaw” due to featuring an image of “Billy the Puppet” from the “Saw” film franchise.
Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
DOWNLOAD FREE JIGSAW RANSOMWARE DECRYPTION TOOL
The author, iCoreX, claims to have created Jigsaw, Annabelle, and now the RedEye ransomware - whether the former is true or not, I'll leave in the middle.
Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.
“I want to play a game with you” Jigsaw has long been known for mocking its victims. Early versions displayed a message saying, “I want to play a game with you” and then explained that “only a few” files would be deleted in the first 24 hours after infection, a “few hundred” on the second day, and a “few thousand” on the third.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.