Jigsaw ransomware – want to play a game (deletes your files as you wait)

A brand new breed of ransomware has ramped up the sport in an evil means by threatening to delete user files if they refuse to drop and pay the ransom.

The malware, dubbed Jigsaw, is one in all the newest entries into the ransomware family learned by researchers.

Jigsaw, otherwise called the at one time branded BitcoinBlackmailer. exe, was engineered on March 23rd 2016 and was discharged into the wild solely every week later. Once a victim downloading the malware, the harmful code encrypts user knowledge and creates a fastened screen rather than the private laptop, within the typical manner of ransomware. Users square measure then control to ransom and asked to pay a payment in virtual forex to retrieve their content.

However, in step with Forcepoint researchers, this ransomware not solely encrypts files, however it threatens users with a enumeration by displaying the face of Billy the Puppet from the worry flick Saw, victims are told files are chosen by the hour for deletion if the ransom isn’t paid.

The threatening notice says that in the primary day, solely a couple of files are erased, however following now, many thousand are removed on a daily basis for missing payment. If users try to shut the system or shut down the pc, Jigsaw tells users one thousand files are deleted on startup “as a social control. ”

Jigsaw Countdown

Jigsaw Countdown


Yet , the code isn’t specifically refined. As Jigsaw is written in. NET, the team were ready to reverse engineer the malware’s code and tear out the encoding key used by Jigsaw to secure away user files — moreover as find each one of the a hundred Bitcoin addresses accustomed store ransomware repayments.

In the video below, you’ll be able to observe however the ransomware behaves every system is compromised — and also the creepy message victims given to force those to pay.


The infection rates are tiny and therefore the come looks to be poor. However, the practicality of this new variety of ransomware remains value noting. As law-breaking becomes additional refined and tools are developed, even those with an absence of talent will take advantage and Jigsaw could be a prime example of however ransomware could find yourself evolving on a wider scale within the future.


New ransomware OphionLocker uses elliptic curve cryptography

The new ransomeware first discovered by @Trojan7Sec. Once it encrypts all the data on your system then you would see the following message

OphionLocker Screen Message

OphionLocker Screen Message


It also add a textfile on your desktop with the details of making the payment and collecting the decryption key

OphionLocker Text

OphionLocker Text


The payment website looks like below


Ransom Page

Ransom Page



Fake Ransom

Fake Ransom

This ransomware does not securely delete your files or remove the shadow volume copies so it is still possible to recover your files using a file recovery tool or a program like Shadow Explorer.


More information on this can be found

Keurig 2.0 Genuine K-Cup Spoofing Vulnerability

Do you use Keurig 2.0 or know anyone who does?

Keurig 2.0

Keurig 2.0

Then you might interested in knowing that the Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity of coffee pods (commonly known as K-Cups) uses weak verification methods and which could be subject to a spoofing attack through re-use of a previously verified K-Cup.



The complete hack is demonstrated at a video below:

The complete details of the vulnerability can be found at caffeinesecurity

This information is for educational purposes only. Please do not use it for any illegal purposes.

MS14-058: Vulnerabilities in kernel-mode driver could allow remote code execution in Windows OS

Make sure you patch your system to fix the kernel-mode driver vulnerability. This vulnerability could allow remote code execution in the following Windows Operating systems


  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 7
  • Windows 8
  • Windows 8.1


You will find more details about the vulnerability and its fix here at

How to check if your computer is being monitored (command line – No software)


Figuring out whether your machine is continuously observed can be a test, contingent upon the checking method’s level of refinement. Older machines used to run slowly while being observed, however present day machines have enough power to make observing unclear. Checking for observing fittings and programming is a methodology of end and not secure.


So we will resort to a more foolproof mechanism of determining if someone is connected to your system and you have not authorized that connection.


Open the Run Window by either pressing Windows + R or typing Run in the Start Menu of Windows and type cmd




Now type the command netstat -ano. 




netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics.

-a –> Displays all the network connections along with all the TCP and UDP ports on which your computer is listening

-n –> Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.

-o –> Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.

(Source – Wikipedia)


When you hit enter you would end up seeing something like below.


So the established connections are the ones which you should verify if those are the ones you made or were made automatically or are unauthorized. So to see who is connected you your system, open the task manger and move to the Details tab and look for the PID for that connection. In our case it is 5372 and we see that this is the Process ID fr google chrome.

Task Manager - Process Details

Task Manager – Process Details

But if it is not one of the processes that you expected you could simple right and end it or find more details about it like

  • End Task
  • End Process Tree
  • Opening the file location
  • Searching it online
  • Check its properties
  • Navigate to its services
PID Actions

PID Actions

This way you would able to exactly figure out the process the process or exe that is running on your system and figure out if that’s one of your intended connection or not.

Any questions, comments or feedback are most welcome.

So you think you are secure?


If you answered yes to the above question then think again. Generally we are not as secure as we might think.

Are You Safe?

Are You Safe?

In this blog I will be sharing various concepts, tutorials, tips and techniques so that all of us can understand different types security risks and how we could save ourselves from a lot trouble.

%d bloggers like this: