How to remove Jigsaw ransomware and decrypt .FUN, .KKK, .GWS, .BTC files

What is Jigsaw ransomware?

Jigsaw ransomware is an encryption virus that on the whole resembles such infections as TeslaCrypt, Locky or Cerber ransomware. Alike these notorious viruses, Jigsaw infiltrates systems covertly and finds the files of certain extensions to encrypt them with an ARS code, and in the end it sets a message to inform a victim about payment terms. The threat demands $150 USD which should be transferred in BitCoins. The characteristic that makes Jigsaw ransomware different from other threats of the type is that the ransomware not only encrypts the files but also removes them, if the payments is not made in time, which is 1 hour. At the end of every hour the Jigsaw ransomware will restart increasing the amount of eliminated files. This time limit and a red countdown timer should add psychological pressure to victims and force them to pay. Though the danger is serious and frightening, here we provide some tips on how to remove Jigsaw ransomware.

 Jigsaw ransomware

Symptoms of Jigsaw ransomware infection

It’s difficult not to notice ransomware, since it often has one of the processes responsible for displaying a notification message. This window blocks the screen leaving the user minimum alternatives. Besides, some files will be inaccessible, as in many cases ransomware encrypts them to exasperate the scaring effect.

How Jigsaw ransomware got installed on your computer

The methods with which Jigsaw spreads is not yet specified. Presumably the encryption virus may spread as other ransomware threats did. If it is so, then Jigsaw is distributed through spam message attachments or infected sites, links to which can also be spread through these e-mails. It’s better to be safe than sorry, so when receiving a message from an unknown sender, check its theme and preview for mistakes or misspellings. If you still want to read it, pay attention to attachments – you should scan them with anti-malware or antivirus before. As for browsing, we can only advice avoiding visiting unverified sources and clicking in-browser ads.

What to do if your PC is infected with Jigsaw ransomware

As soon as you notice the presence of the ransomware on your system, you should turn your computer off. If it is possible try to create a backup or image of your hard drive info. This may let you to reserve the state of your drives in case a decryption method would be created afterwards.

How to remove Jigsaw ransomware?

To make sure that the adware won’t reappear, you need to delete Jigsaw ransomware completely. For this you need to remove the files and registry entries of the ransomware. We should warn you that performing some of the steps may require above-average skills, so if you don’t feel experienced enough, you may apply to automatic removal tool.

Download Norton

Steps of Jigsaw ransomware manual removal

Restart Windows in Safe Mode

For Windows 7, 8, XP and Vista:

  1. Restart the system
  2. While computer is rebooting press F8 several times
  3. In the appeared list of options choose Safe Mode

For Windows 10:

  1. In the Start menu click on the power button
  2. Hold Shift and choose Restart
  3. Choose Troubleshoot
  4. In the Advanced Options choose Startup Settings
  5. Click Restart
  6. Select Enter Safe Mode With Networking

Delete files and registry entries added by Jigsaw ransomware

Now you will be able to reach the needed functions and files. For eliminating the ransomware activity, you need to find all of the following items and delete them.

Remove Jigsaw ransomware files and folders:

%UserProfile%\AppData\Roaming\Frfx\
%UserProfile%\AppData\Roaming\Frfx\firefox.exe
%UserProfile%\AppData\Local\Drpbx\
%UserProfile%\AppData\Local\Drpbx\drpbx.exe
%UserProfile%\AppData\Roaming\System32Work\
%UserProfile%\AppData\Roaming\System32Work\Address.txt
%UserProfile%\AppData\Roaming\System32Work\dr
%UserProfile%\AppData\Roaming\System32Work\EncryptedFileList.txt

Remove Jigsaw ransomware registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe %UserProfile%\AppData\Roaming\Frfx\firefox.exe

Restore the files encrypted by Jigsaw ransomware

Use the decrypting tool

The good news for all affected by Jigsaw ransomware is that there is a decryption tool released. First thing you should do to stop the ransomware activity is to stop two processes: firefox.exe and drpbx.exe

  1. Press Ctrl+Alt+Del
  2. Click Task Manager
  3. Right-click the processes and choose End Process

Then remove the firefox.exe process from the startup list, so the ransomware wouldn’t restore itself with every boot.

  1. Press Win+R simultaneously
  2. Type msconfig and hit Enter
  3. Go to the Startup tab
  4. Uncheck the process and click OK

Now you can proceed to files restoration.

  • First thing you need to do is to to download the decryption tool and extract it.
  • Then launch the program by double-clicking the JigSawDecrypter.exe file
  • Now choose the location of the encrypted data and click Decrypt My Files
  • There is an option of decrypting the whole drive, however we recommend to try the application out on a separate folder to make sure that it works properly.
  • After that you may select the C: drive and check the Delete Encrypted Files option.

Restore the system

  1. Initiate the search for ‘system restore’
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Leave a Reply

Your email address will not be published. Required fields are marked *