Jigsaw Ransomware V2 2019


Team Member
Original poster
Verified Profile
Jul 21, 2020
This Ransomware was outdated and useless so we took the source code and rewrote it.

Now version 2 source code is available for sale as well as pre-configured already compiled version with many improvements:


--Windows frame and icon in windows taskbar are now invisible, however you can still drag around the ransomware main window with the mouse to clear the browser visibility to make the payment,

--Instructions have now background transparency so the image of the jigsaw is never opaqued.

--A copy to clipboard Bitcoin Address button has been added for convenience.

--Links to both Bitcoin technology explanation and payment website address were added.

--Cool Wallpaper changer.

--Market BTC value is shown in real time in main interface.

--A Skinned version of the project is also available so you can easily change the look and feel if you wish to do so.

Payment system.

--The payment engine has been rewritten to make use of Block.Io API interface (remember Blockr.Io is dead). The engine is able to correctly locate and calculate the coinbase bitcoin price in USD and the present balance of your account to determine if payment was successful. You don't need to risk by giving any email address.

Security is enhanced.

--The ransomware now disables the task manager (it is restored after payment) to prevent being killed from memory.

--The ransomware also sets itself as an un-killable process. In case the user manages to kill it, the whole windows will crash with a BSOD.

--A doomsday counter is configurable. If the user kills the ransomware too many times, then its clear he won't pay so better erase the whole hard drive and kill boot sector.

--Available public jigsaw ransomware decrypters can not decrypt the files.

--Virus is totally FUD in the hard drive after processed by our method.

--The virus does not relies on costura.fody to deploy its dll files because it is unreliable. Now the virus includes and deploys its own required dll files.

--USB Stick Spreading.

--Network drive spreading.

--Spreading through email attachment.

--Autorun enabler for removable devices.

--EternalBlue Exploit scanner. Results are sent by email to the attacker.

--Windows defender is disabled. Can't be turned back on easily and it will stay off after restart. Also AVG and MalwareBytes.

--Bot Killer added.

--Hidden visit website feature. It will regularly visit any website of your choice using the victims connection. Can be used to increase visits counter as an example (won't work for monetizing links).

--Windows explorer options modified so hidden files can not be seen (might not always work depending on OS version or may require restart).

--Anti sniffers code.

--Windows Update Disabler.

--System Restore Killer (might not work in all windows OS).

--Disable UAC (no admin for victim).

--Disable Regedit.

--Disable CMD.

--Windows Serial Number retrieval. Send back to attacker by email.

--Second method for extensive password dump&retrieval (including browsers, ftp clients, email clients and other goodies).

--New USB spreading technique not relying on autorun being turned on.

--DoublePulsar Exploit implementation. It can upload a DLL file to vulnerable computer. Three DLL examples are provided: To add a admin user, to download and execute any file from a selected website, to reboot system.

--Use the app as ransomware or as worm. Option to not encrypt any file and not request any ransom, only spread through different mechanisms and install rat or any other file of choice.

--Change permissions of all files belonging to all the users in a server so they can now be encrypted.

--Businesses and Enterprises databases encryption.

--Anti virustotal and virusscan.

--Victim's wifi information is retrieved and sent back to attacker. It includes all sorts of useful info like router's configuration info and wifi password.

--Public IP address of victim is retrieved and informed back to attacker. Together with the wifi info it can be used to access victim's router remotely (if router is set to allow remote control) .

--Decryptor improvement (error checking, friendliness, interface polish, etc).

--Admin configurable user account is created in victim's computer, thereby if attacker has access to that network then he can login as Admin (logged victim has to be admin in the first place).

--Multiple wallets (besides unique addresses). If no new addresses can be created (it depends in type of account in BlockIo - free accounts defaults to 100 addresses per wallet) then a random one is used among the wallets and addresses created in previous runs. If all of the previous fails then a hardcoded one is used. Hardcoded addresses are not stored in the hard drive, they are kept inside the malware itself to avoid tampering.

--Timer to resend passwords information to attacker in case net is down and email doesn't reach him the first time.

--Clean-Up after ransom is paid.

--BlueKeep vuln scanner. Results are sent back to attacker by email.

--Custom smtp server can be easily set.

--You can add wallets of other coins different than btc.

--Wallets are handled intelligently. Once one wallet runs out of new addresses, the next one is used.

--Mass mailer. It works with a list of free smtp servers and a list of email addresses combined used to send an infected email copy of itself.

--Random Domain Generation. RDG is a great technique to avoid your malware communication channel being taken down. It will generate hundreds of domains a day with which it will simulate to contact. Immerse in this big lot of communications traffic your real channel of communication will be disguised. Only one or two of these random domains is really registered and used by the malware, the rest are decoys. This technique is implemented only for the skinned version of the malware. Can be turned on or off and you can select how many visits/day to random domains it will perform.

--Lateral Movement spreading and target credentials information. This a pretty neat feature which if successful will spread the malware to all the computers in the same network, wireless or not. For instance, if one of the target computers is connected to a router, then the malware will spread to all other computers connected to this router (provided they are vulnerable to this exploit). Also, an email will be delivered to the attacker with a detailed report of all the network information gathered during the attack and success infections. For this to work, the malware must be run by an admin account and the malware itself has to run as admin (so you will need to enable the get admin exploit provided in the source code). It also requieres Win7 or inferior. In Win10 the vuln has been patched.

--More browsers passwords retrieval information.

--Credit Card information retrieval.

--Cookies retrieval.

--Browsers Autofill data retrieval.

--HTML email spreading is now supported. If your word macro is FUD then gmail will not complain. If it is not FUD then you need to use a passworded rar archive and included the password in the email information.

--Encryption of files up to 1000 MB in size.

--New Intra network spreading technique (recreated, improved and ported from SamSam's Ransomware).

--Encryption password option to make it static or dynamic. In dynamic mode, the custom decryptor is no longer effective and each new computer will have a different encryption password.

--Dynamic ransom amount. If set to yes, the ransom will increase progressively each certain pre-configured number of hours and in certain pre-configured percentage. There is also a variable to set the maximum posible increase to prevent for excessively high ransom amounts.

--Added variable time interval cycle. This variable allows you to set a variable time cycle after which files are erased.

--Possibility to configure in config,cs if a large number of files is erased or not if malware is restarted as punishment and how many files will be erased. Erasing will only occur after malware has melted and is relocated to its final hidden directory.

--Crypto wallets stealer. Wallets supported: BTC, BTCCore, XMR, Electrum, DSH, ZEC, LTC, ETH. All wallets send back to attacker as email attachments preserving directory structure of each wallet as filename so it can be recreated.

--Impossibility to erase malware directory or associated files. For this to work the malware has to be run elevated (so run elevated variable in config.cs has to be set to true), if not, it will ask for elevation; to prevent for such a situation, it will only try to protect the directories if it is running elevated in the first place.

--Forensics Evidence Cleaner. Something I always want to add but too much coding. Finally its done. This feature can be configured and customized in config,cs. In case the victim is not willing to pay it will look up for all hard drives erasing any trace of its presence, killing every hard drive and finally removing itself.

--Dynamic control email accounts. In case account is banned malware can chose from several others.

--Tor Network Encryption communications redirection to asure anonymity and privacy of malware communications.

--Onion services can be used to store malware support files ensuring malware can not be crippled by means of killing control website.

--Targeted attacks ready.

You'll be able to see the hidden content once you reply to this topic or upgrade your account.


This source code project is sold solely and exclusively for academic purposes. No other use is aceptable.


1. Be sure to have latest visual studio 2019 installed with C# pack.

2. Install skinning system and send us the name and company or hacking group you wish to add

to your license. We will provide a license for you super fast.

3. Load the source code. Don't be impatient. Visual Studio needs several minutes to load

the nuget packages the project uses.

4. After some minutes reload the source code and all errors should go away.

5. If any error persist then please send us an image capture of the error. This source code

has been tested thoroughly so if any error persists it is surely no big deal to solve it.

6. Finally, please do not buy source code if you don't have a clue on what source code is and how

to use it, because it will be a headache for both of us. In such case we will be very glad to sell

you a pre-compiled version of this software for a reduced price. We will then send you only

a pre-configured executable.


1. Create a website in any web hosting site. Register a random domain name from 5-40 random letters characters and with .com, .org, .net domain

if you want to use random domains generation protection.
2. Add an index.html so nobody can see your files in the root directoy.
3. Copy there: hacked.jpg, readme.txt and payload.zip.
hacked.jpg is the wallpaper to use when the malware infects a computer.
readme.txt is a list of leaked gmail addresses used for mass mail spreading.
payload.zip contains all support files needed for eternalblue, bluekeep and lateral
movement vulnerabilities.
4. You should also copy in the root of your webhost site a copy of your malware with the
name of svchst.ex (you can change this name and location in your word macro).
This file is the one to be downloaded by the word macro sent during email spreading.
If you do any improvement to your source code then you can replace this file with a new one,
thereby all new infections will receive an updated version of the malware.
5. Open one or more wallets in Block.Io and take note of your BTC address and api key.
6. The address of your website and the names of all files, api key and hardcoded
BTC address can all be set in config.cs in your visual studio project.
7. In regard to the api key you can create as many as you wish and put them in you config.cs.
8. The list of hardcoded addresses belong to the first api key in the list. This is just in case internet
fails or your Block.Io account has ran out of the possibility of creating a new address.
9. From second to any number of api keys you add, btc addresses are created automatically and chosen wisely.
10. In your downloaded directory (the one you get when you buy) there is one text called word macro. This one contains the macro
you need to add to your word document. In resources directory you can find one already made (registration.rar), you need to open it and
edit the macro in there to point to your website and of course recompile the project so the file
is embedded once more with the executable. The file is named registration.rar and the password is 1504. Just open it, edit the
macro inside the word document and pack it again.
11.You will need to install the visualstyler skinning system provided and use the .reg file provided
to register it (this is a paid license).
12. Random Domain Generation is by default set to off. If you want to activate it just go to config.cs and change the parameter
from false to true. If you do this, the you should register one random domain as the ones created (8-15 random chars and with domain
like .com, .org, .net etc to fool anyone trying to figure out your real domain).
13. Email spreading is by default on, so be careful, if you run the malware with internet active it will read your email addresses and resend
itself to all of your contacts as an html email with the word macro attachment.
14. You can test most of the basic functionality by setting debug mode in visual studio. In this mode the malware only encrypts a funny directory
created by itself and payment can be simulated using key sequence ctrl-shift-r.
15. There is no emergency decryption using ctrl-shift-r in release mode. However a custom decryptor is provided (source code too) in case of
accidentally you end up encrypting your own drives.
16. All drives are in risk of spreading, specially removable ones like usb sticks, memory cards and usb drives. But also intra-network drives
if they are vulnerable to lateral movement technique.
17. EternalBlue and Bluekeep run automatically to achieve spreading.

Don't forget, almost every parameter and behavior aspect of the malware functioning can be configured from config.cs. This is a complex malware which has

a lot of customization parameters, these are only the basic ones.

That is all.

Small video showing how to make the ransomware fud: