Jigsaw Ransomware Removal Guide

Do you know what Jigsaw Ransomware is?

Jigsaw Ransomware is a Trojan-type infection set to encrypt your personal files and demand that you pay a ransom for the decryption key. We, however, are against paying it and recommend that you remove this infection because you might not receive the decryption key and there is a third-party decryption tool that might help get your files back free of charge. Nevertheless, you have to act fast because this ransomware has a rather motivating feature which deletes a certain number of files every hour. This is very serious because you will not be able to recover the deleted files. So without further ado, let us get right into it.

Before we go any further, it is important to identify the possible distribution methods of this infection. Unfortunately, our malware researchers have yet to discover how this ransomware is distributed, but it is quite likely that it is distributed using email spam disguised as business-related correspondence, and so on. Your email service provider should filter and redirect email spam to the spam box. So if you happen to get an email with an attachment in your spam box, then do not attempt to open it. The malicious attachment may come in the form of a Microsoft Office file such as .doc, .docx, and .rtf. Furthermore, it might also come as a self-extracting file archive or an executable disguised as a PDF file. These are the most common attachment types used to infiltrate a computer, but there are always exceptions and innovations.

Nevertheless, Jigsaw Ransomware is nothing special. It functions like any ransomware out there today, but it has a feature we have not seen in a while. So let us get into the specifics. Our malware researchers have found that this ransomware was configured to encrypt your personal files, which include formats such as .jpg, .jpeg, .pptx, .pptm, .mov, .mp4, .Xls, .Xlsx, .Xlsm, and many others. When encrypting your files, this ransomware should add either a .Fun, .KKK or .BTC extension to each file. Once the encryption process is complete, it will open a window with its Graphical User Interface (GUI) and ransom note. It will demand that you pay $150 USD worth of Bitcoins (0.4 BTC). Jigsaw Ransomware will use scare tactics to get you to pay the ransom on demand by claiming that it will eradicate some files every hour. The number of files depends on how many you have on your computer. But that is not all. The ransom note claims that it will delete all files within 72 hours if the ransom is not paid, and if you turn off or reboot your PC, then it will erase 1000 files in one go. This is very scary stuff, so no wonder that Jigsaw Ransomware’s name and theme were inspired by The Jigsaw Killer from the Saw movie series.

This ransomware’s GUI contains the address to which you have to send your Bitcoins. When and if the transaction is successful, the ransomware should give you the decryption key, and you should be able to get your files back, but that is a very big if. You should not trust cyber criminals since all they care about is getting the ransom. Now, as mentioned in the introduction, there is a way to get your files back without having to pay the ransom. We have received information about a third-party decryption tool you can download using this link: https://download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip. However, before running this decryption tool, you must terminate the firefox.exe and drpbx.exe processes in the Task Manager. Then, you have to open MSConfig and disable firefox.exe. Only when you have terminated Jigsaw Ransomware and disabled its point of execution can you run the decrypter. However, we warn you that this decrypter is not guaranteed to work in all cases.

Nevertheless, it is still worth a shot because there is no way of knowing whether you will receive the decryption key from the cyber criminals after you have paid the ransom. Alternatively, you can skip terminating Jigsaw Ransomware’s processes and remove it from your computer altogether using one of our suggested methods. You can delete its files manually or opt for automatic removal using SpyHunter. Both approaches are effective, but this anti-malware program can protect your PC from future infections.

Terminate this ransomware’s processes

  1. Press Ctrl+Shift+Esc to open Task Manager.
  2. Select Processes.
  3. Locate firefox.exe and drpbx.exe.
  4. Right-click on them and click End Process.
  5. Close Task Manager.

How to remove this ransomware manually

  1. Press Win+E keys.
  2. Enter the following addresses in the address box.
    • %LOCALAPPDATA%
    • %UserProfile%\Local Settings\Application Data
  3. Delete the file named Drpbx drpbx.exe
  4. Then, go to and delete %APPDATA%\System32Work
  5. Close the window and press Win+R.
  6. Enter regedit in the box and click OK.
  7. Once in the Registry Editor, go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and locate the value named firefox.exe.
  8. Right-click on the firefox.exe value and click Delete.
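
A read-only PowerShell check for the indicators this guide names, useful before and after the manual steps to confirm what is actually present. It is an added example, not part of the original guide; the Program Files test for a genuine Firefox install is an assumption the guide does not state.

```powershell
# Read-only triage for the indicators named in this guide; nothing is stopped or deleted.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Item, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail })
}

# 1. Processes. Assumption (not from the guide): a genuine Firefox runs from Program Files,
#    so a firefox.exe running from anywhere else is reported. drpbx.exe is always reported.
$trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($p in Get-Process -Name firefox, drpbx -ErrorAction SilentlyContinue) {
    $path = $p.Path    # $null when the process cannot be inspected
    $ok = $false
    foreach ($t in $trusted) {
        if ($path -and $path.StartsWith("$t\", [StringComparison]::OrdinalIgnoreCase)) { $ok = $true }
    }
    if ($p.ProcessName -eq 'drpbx' -or -not $ok) {
        Add-Finding 'Process' "$($p.ProcessName).exe (PID $($p.Id))" $path
    }
}

# 2. drpbx.exe in the folders from step 2 of the manual removal list.
$roots = @($env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Local Settings\Application Data'))
foreach ($root in $roots) {
    $hits = Get-ChildItem -LiteralPath $root -Filter 'drpbx.exe' -File -Force -Recurse -Depth 2 -ErrorAction SilentlyContinue
    foreach ($f in $hits) { Add-Finding 'File' $f.FullName $f.LastWriteTime }
}

# 3. The folder from step 4.
$work = Join-Path $env:APPDATA 'System32Work'
if (Test-Path -LiteralPath $work) { Add-Finding 'Folder' $work 'present' }

# 4. The Run value from step 7; its data shows what is launched at logon.
$run = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['firefox.exe']) {
    Add-Finding 'Run value' 'firefox.exe' $run.'firefox.exe'
}

# 5. Files carrying the extensions the guide lists (-in compares case-insensitively).
$locked = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.fun', '.kkk', '.btc' }
Add-Finding 'Encrypted files' "$(@($locked).Count) under $env:USERPROFILE" '.fun / .kkk / .btc'

$findings | Format-Table -AutoSize -Wrap
```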

In non-techie terms:

Jigsaw Ransomware is a dangerous infection that will encrypt your files after entering your computer. It will demand that you pay a ransom for the decryption key that will restore your files, but there are no guarantees that the cybercriminals will deliver. Also, it will start deleting your files as the hours pass, so we recommend that you remove this infection using our instructions or SpyHunter and try decrypting your files using the tool discussed in this article.