Jigsaw ransomware is back and revamped to steal Bitcoin from unsuspecting users

• Jigsaw earned its infamous name for displaying the face of the antagonist from the horror film Saw.
• The attackers have managed to successfully steal about 8.41 BTC which currently amounts to around $62,000.

An old strain of ransomware, Jigsaw, had made a comeback and is revamped to steal Bitcoin from unsuspecting users. According to researchers at Fortinet, Jigsaw was first spotted in April 2016 as a fairly straightforward strain of ransomware that encrypted files and demanded a ransom of Bitcoin be paid in exchange for a decryption key.

Jigsaw earned its infamous name for displaying the face of the antagonist from the horror film Saw.

References in the newly discovered code refer to the malware as "BitcoinStealer".

Old ransomware, new tricks

The most recent version of the ransomware has been repurposed to steal Bitcoin using a "simple-but-effective trick." The malware modifies the clipboard content of Bitcoin wallets and replaces it with another address belonging to the attack, thereby redirecting the payment into the hands of the attackers instead.

"One would think that when copying a person would clearly see the replacement of the addresses," researchers said in a blog post. "However, this malware has an interesting feature - it cleverly replaces the legit address with a forged-one having similar (or the same) symbols at the beginning and the end of the string.

"This malware also contains 10,000 different addresses in the resource section named 'vanityAddress'. Once the regular expression matches the data in the clipboard, the code begins to select the most similar Bitcoin address from its list of ten thousand addresses."

The forged address has similar symbols in the beginning and end of the string to the original wallet address in order to dupe the victim into thinking the address is their own Bitcoin address.

"A person usually takes a glance at the recipient bitcoin address and then copies it," researchers said. "The malware retrieves a similar address and modifies the clipboard content with it. A victim would hardly notice the change."

However, if the victim copies two or more addresses at once, the malware cannot tweak them.

"Based on the name of the resource containing the list of rogue addresses (vanityAddress), we can assume that the attacker generated all the 10,000 of these addresses with the help of the utility called 'Mass Address Generator'," researchers said.

This tool was spotted in an underground forum ad. The forum also advertised code for other similar nefarious projects like building and modifying cryptocurrency stealers.

Who is behind the Bitcoin Stealer?

So far, the attackers have managed to successfully steal about 8.41 BTC which currently amounts to around $62,000. Most of the transactions were made from roughly the second half of 2017 to the time of Fortinet's analysis.

Since Jigsaw's source code has been available online for a while now, it is still unclear if the new BTC Stealer campaign is the work of the original ransomware author or a copycat.

"Because of the wide distribution of the source codes, anyone who can compile C# code can start his own malicious campaign. In addition, actors can easily modify the source and distribute it in the same way. This situation is very similar to the Mirai malware source leak," researchers said. "However, we can expect more attacks on the bitcoin wallets of users by leveraging the same source code again—at least as long as Bitcoin has value."