An old friend has veered its ugly head. First mentioned on TechTalk in 2016, JIGSAW has made a reappearance with a few updated tweaks. This old form of ransomware has been altered to steal Bitcoin by changing the addresses of wallets and sending the payments to the hacker’s account.

JIGSAW was infamous for appearing on computer screens by displaying the face of its namesake from a popular horror film. Originally reported on Fortinet, similar malware rules appeared except that it did not demand payment. The ransomware was doing it on its own.

The source code for JIGSAW was copied and pasted by several hackers and widely distributed. It is unlikely the original creator is the person behind the mutation. Anyone with C# code capabilities can change JIGSAW to what they envision. In this case, they manipulated it, so it became a new type of cryptojacking.

Out of old code, BitcoinStealer is created

This JIGSAW hybrid looked to take advantage of the ever-popular Bitcoin with a huge payoff in mind. Referred to as “BitcoinStealer,” the malware modifies the clipboard content of a Bitcoin wallet, so the currency is redirected to the hacker.

When any cryptocurrency is transferred from one account to the next, it usually needs an address. In this case, it is a string of letters and numbers,. That address is recognized creates communication between where the cryptocurrency is purchased and its next location. The BitcoinStealer replaces the address with a new one that is hauntingly similar to the one that is intended for the user. When the human eye looks at it without reading off each digit one by one, it is easy to miss the change.

Image: Fortinet

Unfortunately, the attackers have successfully stolen about 8.41 BTC which amounts to around $60,000. Most of the transactions occurred at the end of 2017 according to the Fortinet analysis which was when Bitcoin was at its highest.

Stay a step ahead of the hackers

A trick to keep your Bitcoin from going to the wrong place is to copy two addresses at once. The malware is not sophisticated enough to manipulate them.

Some other tips include using two-factor authentication – especially if one includes a source that generates a unique code every ten seconds such as Google Authenticator. Also, always practice good security hygiene by not clicking on any suspicious links. Finally, for businesses, invest in security software such as GFI WebMonitor to keep track of any anomalies that try to enter your network.

For more information on how to protect your network from threats like ransomware, contact one of your local GFI Partners today!

Get your free 30-day GFI LanGuard trial

Get immediate results. Identify where you’re vulnerable with your first scan on your first day of a 30-day trial. Take the necessary steps to fix all issues.