How To

How to decrypt your data from Hakbit & Jigsaw ransomware for free

The cyber security firm Emisoft has released decrypter for Hakbit and Jigsaw ransomware that would unlock your files for free.

One day you turn on your PC but instead of being greeted with the standard account login window, you are encountered with an unpleasant message stating: “Your files have been encrypted, follow the instructions below to decrypt them.”

Usually, these instructions include the attacker asking for a certain amount of money in exchange for the victim getting their data back. This is in essence where the word “ransomware” originates from – your data is at risk unless you pay a ransom.

Although the file types that are affected vary from attack to attack, most of them do include the common ones found such as jpeg, png, and pdf resulting in most of your data being compromised.

Two such ransomware that have recently taken on the lead among these attacks are Hakbit and Jigsaw.

Hakbit ransomware

To start with the former, it first tries to hide its presence by renaming itself as a legitimate-looking file extension from one of the following:

  1. lsass.exe,
  2. svchst.exe,
  3. crcss.exe,
  4. chrome32.exe,
  5. firefox.exe,
  6. calc.exe,
  7. mysqld.exe,
  8. dllhst.exe,
  9. opera32.exe,
  10. memop.exe,
  11. spoolcv.exe,
  12. ctfmom.exe,
  13. SkypeApp.exe.

Then it uses AES-256 encryption and adds a “.crypted” file extension to infected files. Furthermore, it presents a couple of innovative features not seen in any ransomware before. The first one is that unlike in most ransomware, it does not present the victim with a text file containing instructions but instead changes wallpaper display to ransomware note.

Secondly, normally we see attackers adding their cryptocurrency wallet addresses in a text file along with the instructions but Hakbit is focused on providing a great victim-experience. To achieve this, they actually provide a QR code for their Bitcoin wallet address leaving no room for mistake in their quest for a solid $300.

Jigsaw ransomware

Moving on to Jigsaw which was initially known as “BitcoinBlackmailer,” it is more or less interested in playing a good game of time while cashing in money. Once your files are encrypted, a countdown timer starts with a few files being deleted every hour. This is their way of telling you to pay up fast. If you don’t pay on the first day, hundreds of your files will be deleted on the second day.

Image: Emisoft

The third day will see thousands of them vanish – a cruel experience for someone who does not have a backup. However, this is not all. Suppose you try to play smart and either try to tamper the ransomware or restart your computer, 1000 of your files will be deleted as of punishment.

Luckily you’re not stuck in this anymore. Emisoft has released decryptor software for both of these ransomware. According to them, the decryptor can be run when one is online without any “special requirements” allowing non-technical users to also make use of it.

Image: Emisoft

Moreover, they have provided a comprehensive guide detailing how to run both of them with the following being the steps required to run the Jigsaw one:

1. Open Task Manager

2. In the Processes tab, select firefox.exe and drpbx.exe and click “End Task”

3. When that’s done, open MSConfig

4. In the Startup tab, deselect the startup item firefox.exe that points to %UserProfile%AppDataRoamingFrfxfirefox.exe and click OK

Once you’ve completed these steps, you can proceed to run the decryptor.

Image: Emisoft

Although the aforementioned steps provide a brief overview of how the decrypter will work, the company also provided detailed guides on the download pages of both Hakbit and Jigsaw.

In conclusion, this eases up the issue for those who may see themselves stuck with no cash to spare. Other ransomware also have decryptors available online and hence it is recommended that one tries to search for it before proceeding with any payment to the attackers.

Nonetheless, our suggestions remain simple and effective to avoid such incidents in the first place. Always download files from authentic sources and to take security a step further, verify the file by double-checking its hash which is given by many websites. You can also check for its hash and scan the file on sites like VirusTotal.

On the other hand, for day to day social exchanges via email and social media, avoid opening any files from unknown sources no matter how pressing the issue may look. With such precautions, attacks can be thwarted in the majority of cases keeping you safe.

To Top

Pin It on Pinterest

Share This