Jigsaw Ransomware, an old malware, is back with a phishing campaign that spreads LokiBot. LokiBot installs Jigsaw Ransomware as its payload using CVE-2017-11882, an old Microsoft Office remote code execution vulnerability in Equation Editor. After executing, it appends the .zemblax extension to the files it encrypts. To keep a low profile and stay under the radar, it asks for a $50 ransom in Bitcoin for a decryption key. It displays a ransom note whose background is the Salvador Dali mask from the popular show Money Heist.
Jigsaw Ransomware Signatures
Family: Trojan:Win32/Occamy.C
MD5: 2fec9bf50de5395f799b23a1099b10d6
SHA256: df049efbfa7ac0b76c8daff5d792c550c7a7a24f6e9e887d01a01013c9caa763