This article is more than 1 year old

Saw-inspired horror slowly deletes your PC's files as you scramble to pay the ransom

Malware recruits Billy the Puppet to extort money

Video A new strain of ransomware is adding psychological tactics to its code to try and extort money faster, borrowing from cult horror film franchise Saw.

The Windows malware, dubbed BitcoinBlackmailer.exe or JIGSAW, follows the usual practice of encrypting the victim's files, and adding a .FUN extension for giggles. A popup screen bearing the face of Saw character Billy the Puppet then starts to make demands.

The screen displays a countdown timer and the victim is asked for $20 in Bitcoin to unencrypt the files. But as the hours tick by, the malware will begin to delete files – first only a few, but the number will rise, as will the ransom needed to unencrypt them.

After 72 hours, all of the files on the target computer will be deleted, and the ransom will have risen to $150-worth of Bitcoins.

The user can always turn off the computer, but when it's turned back on again 1,000 files will be deleted as punishment.

Youtube Video

"Using horror movie images and references to cause distress in the victim is a new low," said Andy Settle, head of special investigations at security firm Forcepoint.

"The depths the author has gone to, with real-time scrolling text, countdown timer, increasing ransom amount and the horror associations, plays on the mind of those who may have seen the movie or even those who are vulnerable or of a nervous disposition."

The infection comes from either downloading the malware from a cloud repository named – which has since been shut down – or from pornography websites. In the latter case, the message is altered to "YOU ARE A PORN ADDICT. STOP WATCHING SO MUCH PORN. NOW YOU HAVE TO PAY," and the face of Billy is replaced with pink flowers.

Thankfully, for all their psychological cleverness, the malware writers aren't that good at what they do. The application is written in .NET and has proven to be rather easy to get around, with the decryption key left in the source code.

The code also contains the 100 Bitcoin wallets that would be used to funnel the funds back to the malware writers. These are being shared around the security community. ®

More about

More about

More about


Send us news

Other stories you might like