Skip to content
Malware family

Jigsaw

Jigsaw is a Windows ransomware family created in 2016, initially titled BitcoinBlackmailer and later widely known as Jigsaw because it displays imagery of Billy the Puppet from the Saw film franchise.

Profile source: Mallory opens in a new tab

Jigsaw

Family profile

Jigsaw is a Windows ransomware family created in 2016, initially titled BitcoinBlackmailer and later widely known as Jigsaw because it displays imagery of Billy the Puppet from the Saw film franchise. It is a .NET malware family, with analyzed samples obfuscated using Confuser, that encrypts victim files and appends the .fun or .FUN extension. It presents a ransom window themed around Saw, including taunting messages such as “I want to play a game with you,” and uses psychological pressure by threatening escalating file deletion over time. Reported behavior includes deleting a few files in the first 24 hours, a few hundred on the second day, a few thousand on the third day, deleting 1,000 files after a reboot, and ultimately deleting all files after 72 hours if payment is not made. Initial ransom demands reported in the content were $20 in Bitcoin, increasing over time up to $150 after 72 hours. Trend Micro researchers also reported that Jigsaw later added live support to help victims obtain bitcoin for payment.

In analyzed executions, Jigsaw copies itself into %APPDATA% as drpbx.exe and also copies a window-form component as firefox.exe. The ransom interface allows victims to view encrypted files and includes a decryption button that attempts to contact a command-and-control server to query a decryption key. Infections described in the content came from downloads hosted on 1fichier.com and from pornography websites, including a themed variant whose ransom message stated, “YOU ARE A PORN ADDICT. STOP WATCHING SO MUCH PORN. NOW YOU HAVE TO PAY,” and replaced the Billy image with pink flowers.

The content highlights that Jigsaw was poorly implemented: the encryption key was hardcoded in the binary/source code, enabling recovery through reverse engineering without paying. The source also reportedly exposed 100 Bitcoin wallet addresses intended for ransom payments. The malware is therefore notable both for its coercive deletion threats and for weak key management that enabled free decryption. The content also notes that public reporting and government advisory material have observed threat actors possessing or using publicly available encryption tools including Jigsaw.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 19, 2026
Last activity
Jul 19, 2026
Feed role
C2
Host form
1 IP / 0 hostnames

Leading locations

  • LU1

Leading providers

  • Ghosty Networks LLC1

Infrastructure traits

  • Hosting 1

Samples

Recent associated samples

MITRE ATT&CK

Jigsaw in ATT&CK

10 distinct techniques

Reporting

Research mentioning Jigsaw

Apr 5
Iss4cf0ng Github

[Studying] Inside WannaCry: Exploit, Worming, and TOR Communication Explained | ISSAC/iss4cf0ng's blog

Compared to the previous ransomware that I analyzed (e.g., CryptoLocker and Jigsaw), WannaCry uses TOR network to enhance anonymity.

Apr 2
Iss4cf0ng Github

[Studying] Analyzing Jigsaw | ISSAC/iss4cf0ng's blog

This article presents an analysis of Jigsaw and focuses on its design philosophy and underlying mechanisms. Jigsaw is a ransomware created in 2016. It was initially titled “BitcoinBlackmailer”, but later came to be known as “Jigsaw” due to featuring an image of “Billy the Puppet” from the “Saw” film franchise.

Feb 9
Cisa Advisories

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA

Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.

Feb 9
Cisa

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.

Jun 10
Iicybersecurity Wordpress

FREE DECRYPTION TOOL FOR TARRAK RANSOMWARE. HOW TO RECOVER YOUR INFECTED FILES? " Cyber Security

DOWNLOAD FREE JIGSAW RANSOMWARE DECRYPTION TOOL

Jun 7
Bartblaze

Blaze's Security Blog: RedEye ransomware: there's more than meets the eye

The author, iCoreX, claims to have created Jigsaw, Annabelle, and now the RedEye ransomware - whether the former is true or not, I'll leave in the middle.

Apr 28
Bartblaze

Blaze's Security Blog: Ransomnix ransomware variant encrypts websites

Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.

Jun 28
Arstechnica

Meet Jigsaw, the ransomware that taunts victims and offers live support - Ars Technica

“I want to play a game with you” Jigsaw has long been known for mocking its victims. Early versions displayed a message saying, “I want to play a game with you” and then explained that “only a few” files would be deleted in the first 24 hours after infection, a “few hundred” on the second day, and a “few thousand” on the third.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.