Infected with Jigsaw Ransomware? Need to decrypt .LolSec, .fun, .onion, .jes, .choda or others encrypted files?
What is Jigsaw Ransomware
Jigsaw, also known as Koolova, HiddenTear, Nice Jigsaw or CryptoHitman is a ransomware-type virus, which “distributed” since early 2016. At present moment we know about more than 60 versions of Jigsaw Ransomware. Written within the .NET Framework technology, this virus encrypts user data using AES-256 (sometimes RSA-2048) for the key and then demands a ransom for decrypted keys or for the decryption tool. Besides encryption of all documents, databases, photos and other files virus also creates a different file(s) with ransom demands. Ransom notes with different names, for example HOW TO RECOVER ENCRYPTED FILES.TXT, how-to-recover-encrypted-files-decryptsairmail.cc.txt or other have the following contains:
Hello, I’m nice Jigsaw or more commonly known as Jigsaws twin.
Unfortunately all of your personal files (pictures, documents, etc...) have been encrypted by me, an evil computer virus know as 'Ransomeware'.
Now now, not to worry I'm going to let you restore them but only if you agree to stop downloading unsafe applications off the internet.
lf you continue to do so may end up with a virus way worse than me! You might even end up meeting my infamous brother Jigsaw :(
While you're at it, you can also read the small article below by Google’s security team on how to stay safe online.
Oh yeah I almost forgot! In order for me to decrypt your files you must read the two articles below, nonce you have click the "Get My Decryption Key" button.
Then enter in your decryption key and click the "Decrypt My Files" button.
Eventually all of your files will be decrypted :)
If the timer reaches zero then all of your personal files will be deleted because you were too lazy to read two articles.
So User do you want to play a game?
Sometimes, cyber scammers use timers in ransom notes, and after time is up, they start to demand more high price for decryption, threaten to remove encrypted files forever. If you need to remove Jigsaw Ransomware and decrypt .LolSec, .fun, .onion, .jes, .choda or others encrypted files please read our article on current page.
How Jigsaw Ransomware infected your PC
Jigsaw can spread by hacking through an unprotected network configuration, using email spam and malicious attachments, fraudulent downloads, web injections, fake updates, repackaged and infected installers. Encryption adds a different suffix to every coded file. Every version of Jigsaw Ransomware has a specified suffix:
.porno, .payransom, .payms, .paymst, .AFD, .paybtcs, .epic, .xyz, .encrypted, .hush, .paytounlock, .firstname.lastname@example.org, .gefickt, .nemo-hacks.at.sigaint.org, ####CONTACT_US_pablukl0cker638yzhgr@2tor.com####, .FUCKMEDADDY, .##ENCRYPTED_BY_pablukl0cker##, .CryptWalker, .LOCKED_BY_pablukl0cker, .#, .justice, .locked, .fun, .LolSec, .onion, .email-[email@example.com].koreaGame, .jes, .choda, .Bitconnect, .encrypted, .kkk, .btc, .gws, .J, .firstname.lastname@example.org, .gefickt, .hush, .paybtcs, .payb, .pays, .paymds, , .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs.
Way to protect your computer from such threats is to use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.
First of all, don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Jigsaw Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
SpyHunter 4 – fully removes all instances of Jigsaw Ransomware – files, folders, registry keys.
Thanks to Kaspersky Lab, free decryption tool for Jigsaw Ransomware is available now
Alternative solution: Remove following files and folders of Jigsaw Ransomware:
Remove following registry entries:
Remove following files and folders:
How to decrypt files infected by Jigsaw Ransomware (.LolSec, .fun, .onion, .jes, .choda or others encrypted files)?
Decrypt .LolSec, .fun, .onion, .jes, .choda or others encrypted files manually
Restore the system using System Restore
Although latest versions of ransomware can remove system restore files, this method may help you to partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
Restore .LolSec, .fun, .onion, .jes, .choda or others encrypted files using shadow copies
- Download and run Shadow Explorer.
- Select the drive and folder where your files are located and date that you want to restore them from.
- Right-click on folder you want to restore and select Export.
- Choose export location and view restored files.
Protect your computer from ransomware
Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.
Information provided by Tim Kas