Severity scale:  

Jigsaw ransomware virus. How to remove? (Uninstall guide)

removal by Linas Kiguolis - -   Also known as .Fun ransomware | Type: Ransomware

Jigsaw virus continues corrupting files with a new extension

the second version of Jigsaw

Jigsaw ransomware was discovered in April 2016 using AES cryptography to lock files on the targeted systems. The file-encrypting virus has been updated several times and uses different file extensions to make data inaccessible. The recent variant of malware was detected in January 2018 using .CryptWalker suffix.

Apart from creating new versions that are aimed at the English-speaking computer users, ransomware virus is also using German, French[1] and Vietnamese languages. Up until now, the following extensions have been attributed to this malware group:

.fun, .pabluk300CrYpT!, .pablukCRYPT, .kill, .korea, .kkk, .gws, .btc, .hush, .paytounlock,,, .gefickt, .ghost, .pay, .payms, .paymst, .porno, .xyz, .versiegelt, .encrypted, .epic, .Locked, .locked, .Contact_TarineOZA@Gmail.com_, .tdelf, .lost, .R3K7M9, .rat, .jigsaw, .pabluklocker, .beep; .CryptWalker.

No matter how actively this ransomware has been switching from one extension to other, malware researchers have already managed to crack the code and created a decryption software (you can find it at the end of this article). Therefore, you should not consider paying the ransom and just remove Jigsaw from the computer.

However, Jigsaw removal might not seem like a safe option. Criminals threaten to delete the encoded data if the ransom is not paid. Unfortunately, it’s true. Once the virus encrypts the files, it sets a timer for the victim to pay the required sum of money. If the transaction is not carried out within the given hour, one file is deleted from the computer[2].

Any attempt to initiate Jigsaw removal is said to lead the victim to the loss of around a thousand files[3]. The pressure of not being able to turn the computer off and the countdown timer ticking on the screen push the users into paying the special amount of BitCoins[4]. Even though this virus may seem frightening, you should still start with the removal because it’s still possible. For that, you can use Reimage.

The characteristics and operation of the Jigsaw ransomware virus

Typically, the virus spreads and enters the system with the help of malicious spam emails. Once inside, it hides from the victim. Some minor system slowdowns and errors might give the virus away, but it is really difficult to catch this virus in action.

The virus silently encrypts data using AES cipher and appends one of the specific extensions. Furthermore, it leaves a ransom note with a famous character from the movie “Saw” in the background. The note explains the current situation and asks to pay the $150 USD ransom:

Your computer files have been encrypted. Your photos, videos, documents, etc…
But, don’t worry! I have not deleted them, yet.
You have 24 hours to pay 150 USD in Bitcoins to get the decryption key.
Every hour files will be deleted. Increasing in amount every time.
After 72 hours all that are left will be deleted.

If you do not have bitcoins Google the website localbitcoins.
Purchase 150 American Dollars worth of Bitcoins or .4 BTC. The system will accept either one.
Send to the Bitcoins address specified.
Within two minutes of receiving your payments your computer will receive the decryption key and return to normal.
Try anything funny and the computer has several safety measures to delete your files.
As soon as the payment is received the crypt files will be returned to normal.

Thank you.

The ransom note might slightly differ based on the version of Jigsaw. However, the instruction remains the same – victims are asked to pay the ransom; otherwise, their files will be deleted. However, you should not be threatened by criminals and focus on malware removal.

Versions of Jigsaw virus

Payransom ransomware virus. This malware variant uses AES encryption to render victim's data useless, and it demands 150 dollars in exchange for a decryption software. Just like the initial version of Jigsaw, it promises to delete a part of victims files each hour until the ransom is paid.

The threatening ransom message of Payransom virus informs that the ransom price will be doubled after 24 hours of non-payment and tripled after 48. If you do not want to lose your files, it is better to remove Payransom immediately as this way your data will be encrypted, but not deleted. This way, you might be able to recover them after some time. Unfortunately, it seems that Payransom decryption tool has not been discovered yet.

Payms ransomware virus. It appears that this ransomware variant has been built based on Jigsaw's code. Therefore, these viruses act similarly. This virus asks for the same amount of money like Payransom virus does – 150 USD. If the victim does not pay up the ransom within 24 hours, the price of the decryption software increases to 225 USD.

This malware adds .pay, .payms or .paymst file extensions while encrypting the data. Luckily, you do not have to pay the ransom to retrieve your data – you can recover it with a help of this decryption tool. Before you use it, you must delete the virus from the computer.

CryptoHitman ransomware virus. Yet another version of Jigsaw, which appears to be a disgusting virus that can cause you problems at work or home. This nasty virus stands out of other ransomware variants because it changes desktop wallpaper with a pornographic picture and appends .porno file extension to encrypted data.

Fortunately, you do not have to pay the ransom that CryptoHitman demands, as a free decryption tool for this virus has been already released. You can download it here. If you have become a victim of this computer threat, remove it using a powerful anti-malware software and start decrypting your files with a help of the aforementioned decryption tool.

We Are Anonymous ransomware virus. “We are Anonymous. We Are Legion. We do not forget. We do not forgive. Expect us.” This is how the virus greets the victim after it finishes encrypting all files on a compromised computer. The latest variant of an infamous ransomware locks victim's data using advanced encryption technology and appends .xyz file extension to each file.

The user is asked to transfer 250 USD to a provided Bitcoin address in order to receive a decryption tool. Luckily, data can be decrypted charge-free with a help of this We Are Anonymous Jigsaw ransomware decryption tool. As always, do not forget to delete the ransomware before you run the decrypter.

German Jigsaw virus. This ransomware surfaced at the end of October. Once inside the system, it encrypts victim's files and adds .versiegelt extension to each of them. In exchange for the decryption service, it asks its victim to pay 100 euro in Bitcoins.

It is not a big amount of money when comparing with other ransomware threats. It is also worth mentioning that the language of its warning message is written in German, so there is a high possibility that it spreads only in German-speaking countries. Make sure you remove versiegelt virus before it damages your files.

French Jigsaw virus version was discovered in the middle of November 2016. This ransomware encrypts victim's files and adds .encrypted file extension to each of them. In addition, it shows a ransom note that says: “Vos fichiers ont été cryptés et vous ne pourrez les récupérer que si vous vous acquittez de la somme demandée.” […] 

If you can see this warning message on your desktop, stay calm and don't even think about paying the ransom. You can use one of the methods in our “Data recovery” section to decrypt your encrypted files. However, before you do so, you need to remove Jigsaw ransomware (French version) from your computer.

Epic ransomware virus is the newest version of the ransomware which, once again, operates under the name of the Anonymous hacktivist group. The lock screen and ransom note of this virus can be seen below. The virus follows the typical pattern of the Jigsaw ransomware: it gives the victim an hour to pay for the files. After this time runs out 1-5 files are deleted from the computer. If the victim tries to fight the virus and turns off the computer.

The next time it is booted, the virus may delete not 5 but 1,000 files. What is more, the hackers demand an outrageous 5000 dollars for the data recovery, but just like with the rest of the Jigsaw versions, the outcome of such collaboration is completely unpredictable. Thus, it is better to get rid of the virus instead of playing according to the hackers' rules. 

Crypt.Locker ransomware virus. It is another name for Epic ransomware version. As the image below shows, the virus addresses the victim with such lines: “Very bad news! I am so-called with the following advanced functions.” The virus appends .epic extensions to encrypted records and asks to pay a ransom of $5000 in Bitcoin currency. Such sum is enormously huge, and you shouldn't give it away for some cyber criminals.

We suggest you remove Crypt.Locker virus and restore at least part of your data from backups. Please ignore virus' threats about leaking your data to your contacts – the virus is trying to convince you to pay up, but the first thing you should do is to complete Crypt.Locker removal.

If you're thinking about paying the ransom, you should know that there are lots of cases when victims paid the ransom but never obtained the decryption software. The same can happen with decryptor that criminals suggest buying.

Ransomware developers have just released HACKED ransomware virus — the latest version of the virus. Currently, the parasite's distribution is quite low, nevertheless, the virus does not seem to be any less dangerous than the previous versions.

Though it does not require the victims to pay appalling amounts of money, it now gives less time, only 24 hours to issue the payment of 0.25 or 0.35 Bitcoins. Besides, the new version of the virus now adds .Locked and .locked extensions to the affected files which stokes speculations about a potential new project between Jigsaw and Locky virus developers.

Jigsaw 4.6 ransomware virus. It seems that authors released yet another foolish copy of ransomware, this time dubbed Jigsaw 4.6 ransomware virus. Although we assume that spotted samples of this ransomware show that the virus is in-development process at the moment, it might be that it is just another poorly programmed virus.

It turns out that this ransomware does not encrypt victim's files at all, although in the program/ransom note that it launches in full-screen mode says that files were encrypted.

This ransomware version uses a different picture of John Krammer for the lock screen. However, malware analysts have spotted a couple of new Jigsaw versions that appends file extensions to encrypted files, and we assume that might be the updated version of the 4.6 ransomware.

The fact that this new version appends file extensions indicates that the virus attempts to modify files stored on the system, so we assume that the ransomware can encrypt victim's data, too.

Monument ransomware virus (also known as DarkLocker ransomware virus). Just like previous versions of the Jigsaw, the latest extortionist encrypts files and demands to pay the ransom. The virus also delivers a lock screen where it informs victims that their files have been encrypted because they have watched porn. The developers of the virus ask to transfer 0.15 Bitcoins within 24 hours time. Later the size of ransom will reach 0.20 Bitcoins.

However, authors of the malware suggest paying the ransom immediately if victims do not want to lose their files entirely. According to the ransom message, the virus deletes 1-5 files each hour. What is more, after 48 hours the encrypted data will be eliminated if hackers do not receive the payment. However, following their orders are not recommended. It’s better to remove Monument virus and try additional data recovery methods.

Jokers House is the newest member of the Jigsaw ransomware family. This virus has emerged near the end of April 2017 and has been rapidly growing since. The virus does not fall behind from its predecessor and employs a similar method of ransom extortion: the victims are given an hour to pay a 100 dollars to reclaim access to their encrypted files. Failing to make the payment results in the destruction of one file.

The cycle continues until the victim transfers the money. Besides, the hackers prevent users from closing the ransom screen too and threaten to destroy 1000 files if the victim chooses to do so. Typically to most modern ransomware, Jokers House indicates the email via which the victims ought to contact them in the extensions added to the infected files. In this case, the email is

Typically to most modern ransomware, Jokers House indicates the email via which the victims ought to contact them in the extensions added to the infected files. In this case, the email is, so the extensions are .Contact_TarineOZA@Gmail.com_.

We should warn you not to pay the ransom. It is simply not worth supporting the cyber criminals by giving them your money.  If you have backups – restore your files from them, if not, try alternative recovery options which you will find at the end of the virus description. StrutterGear variant attacks users the same way as its predecessors. Since the version is quite new, it is unknown what specific encryption technique it employs. 

Since the title originates from an MTV show “The Strutter,” the developers address their victims in an insolent manner as well. After the encryption is done, the graphic interface app instructs victims to pay 500 dollars in bitcoins and transfer them to an indicated address. It does not append any file extensions. The malware has also a tendency to delete one file after the specific period of time.

TheDarkEncryptor ransomware greets users with “All your files have been encrypted by THE DARK ENCRYPTOR using a military grade encryption algorithm” ransom note. In comparison with other versions, the malware demands only 100 dollars in exchange for users files.

If you do not remit the payment within 5 days, the sum of ransom is said to increase up to $350. The virus tends to append .tdelf file extension to encoded files. Furthermore, it does not possess any intriguing features. Users should be aware of its diverse distribution methods.

Ramsey malware version of Jigsaw draws inspiration from the Ancient Egypt. Moreover, it prefers targeting Turkish netizens as the ransom note is written in the respective language. Besides its features to delete one file after some time, the felons also provide a specific email address –

.lost file extension virus serves as another version of Jigsaw. It also tends to encrypt files with the combination of RSA and AES encryption techniques. Its traffic is still low so only a few users may run into this variant. Beware of spam emails with shady attachments.

Note that such emails may alarm you with fake charges presented by the supposed FBI or the email asking you to review intriguing information. Such version is most likely to distribute via corrupted domains.

.R3K7M9 file extension Jigsaw variant is likely to be distributed in gaming and adult-content websites. Interestingly, that the extension refers to “leet” alternative alphabet popularized among hackers in the 1980s. The ransomware activates via the f*ck.exe file so it may be wrapped under the disguise of a corrupted app. Once it sneaks into the device, it may require some time to encrypt files with .R3K7M9 file extension. It demands approximately 300 dollars for ransom.

.rat file extension virus. This threat entangles the system and users' files once Imminent Monitor remote desktop tool (RAT) file. Due to the disguise of the file, victims are unaware that they have activated Jigsaw threat.

This new version also connects to a specific IP address. According to its technical specifications, the infection is detectable as Gen:Variant.Barys.2440 or Trojan.Barys.D988. It resembles another threat – CryptoDark virus. Fortunately, multiple cyber security tools can identify the infection and block it on time.

.kill file extension virus. On July 2017, researchers detected a new variant of the infamous ransomware family that appends .kill file extension. Malware continues the work of predecessors. It encrypts various files, such as MS Office, image, audio, video, archives, etc. Once it’s done, it demands to pay the ransom.

Malware is most likely to enter the system with the help of the malicious email attachments. Thus, it’s recommended to stay away from suspicious spam emails and avoid opening files or links included in the email sent from the unknown sender. After infiltration, it’s recommended to remove .kill file virus and try free data recovery options.

.korea file extension virus. On July 14, Jigsaw Korea ransomware variant surfaced. This ransomware replaces victim's desktop picture with a blank black screen with a white smiley on it. During the attack, this virus encrypts victim's files and appends .korea file extensions to them.

Luckily, victims of .korea file extension virus do not need to worry about lost files because a decrypter capable of restoring them for free is already available. Therefore, if you accidentally became a ransomware victim, remove Korea ransomware and decrypt your files using Jigsaw Decrypter.

.pabluklocker file extension virus. On August 2017, a Polish version of Jigsaw has emerged. On the affected device it is executed from CMD.exe file. Then it makes several changes to the system and starts data encryption procedure. To the targeted files it appends .pabluklocker extension and makes them useless.

However, this variant seems to have bugs and does not work properly. Therefore, you should not be threatened by the scary wallpaper and rush to pay the ransom. Focus on .pabluklocker removal and try free decryptor for data recovery.

Jigsaw screenlocker virus. This version runs from the ransowmaro.exe file that usually arrives on the system as an obfuscated email attachment. On the affected device it starts scanning the system and encrypting targeted documents, multimedia files, and other data. Once all the files are locked with the .jigsaw file extension, it triggers a screenlocker window.

However, following hackers instructions is not necessary. You have to get rid of locked screen, remove the virus and use Jigsaw decryptor to restore corrupted files.

.pablukCRYPT file extension virus. It is an updated variant of the PablukLocker ransomware which uses a new extension to mark encrypted files – .pablukCrypt. The virus displays a message that specifies the version of the virus. This time, cyber criminals identify it as “PablukL0cker 4.0 ransomware”.

The threatening message states that the virus deletes a few files the first day of infection, a few hundred on the next day and a few thousand on the third day. Luckily, you do not have to worry if your files were encrypted by this ransomware – the JigSaw decrypter has been updated and is capable of restoring your files for free, so all that you need to do is to remove PablukCRYPT virus from the system.

.pabluk300CrYpT! file extension virusThe virus emerged the next day after Pabluk Crypt's appearance. The malware uses the same threatening strategy and promises to delete more and more of victim's files each day. The only difference between these viruses is that this new variant appends .pabluk300CrYpT! extension to encrypted files.

Files corrupted by this ransomware are decryptable, so remove .pabluk300CrYpT! ransomware today and start restoring your files right away. Do not forget to take preventative measures to keep your computer protected from similar ransomware attacks.

Fun ransomware virus. Jigsaw malware developers made a return in October 2017 with an updated version of .fun file extension virus. It currently spreads in the form of a fake Steam Cracker (St3amCrack3r.pdb) program which downloads the new ransomware variant to the system and executes it. 

The malicious software attempts to encrypt files but fails due to the use of a faulty encryption key. However, the malware still displays a random-demanding screen which asks to pay $500 for data decryption. It is also worth mentioning that the new version uses a different image for the background of the ransom-demanding screen. This time, it does not represent the character from Jigsaw movie, but the well-known Anonymous mask.

However, this is not the first case of Jigsaw using .fun extension on encrypted files. A similar version which used to ask 150 USD as a ransom emerged in April 2016. A year later, in April 2017, another version asking for $25 appeared. Fun ransomware (all versions of it) are typical Jigsaw variants that promise to eventually delete a large number of victim's files if the victim fails to pay the ransom. However, the data destruction process can be stopped by implementing Fun ransomware removal.

Pennywise ransomware virus. The malware appends .beep file extension to the encoded data. At the moment, the file-encrypting threat is still under development. It contains evident errors in the source code and does not encode data contrary to the alarms. 

It displays its GUI which includes the picture of Pennywise character from It movie[5]. The note threatens users to delete some of the encoded files after each hour. If a victim tries to turn off the computer or close the GUI, the developer threatens to eliminate 1000 files.

The malware is likely to spread under setup.exe file which suggests that the malware is spread in the disguise of an app. Therefore, pay attention to what and what source you install a new application. It is detectable by the majority of security programs.

.##ENCRYPTED_BY_pablukl0cker## file extension virus manifests quite amusing behavior. Since the emergence of the initial version, it was clear that generating activity is an amusing activity for the developers. This sample also proves such speculation. After the infection process, the malware sprouts multiple pictures taken from well-known movies such as Shrek. Another photo displays a protester wearing Guy Fawkes mask.

The source code of this malware contains the message greeting a “victim”[6]. It informs that all important files are locked. After each hour some of them are deleted. In case the victim fails to remit the payment within 72 hours, all encoded data will be deleted. The perpetrator also alarms the user not to shut down the PC as it will lead to the elimination of 1 000 files. Furthermore, the message indicates for contact purposes. 

The new version is already detectable by the majority of security applications as MSIL:Ransom-BU [Trj], HEUR:Trojan-Ransom.Win32.GenericRansom.Jigsaw.Generic. This version hides under  LoL VIP RP HACK 4.0.exe. VirusTotal, free malevolent URL analysis service also detects another Jigsaw malware variation which functions via executable.3720.exe.  Thus, be mindful of this aspect when you install new programs and new extensions. 

.CryptWalker file extension virus. In January 2018, a new version of Jigsaw emerged. The virus spreads as BitcoinBlackMailer.exe file and once executed on the targeted system, starts data encryption procedure.

The virus locks data with .CryptWalker file extension and threatens to delete files if victims do not pay the ransom. However, security experts recommend to remove .CryptWalker file virus and use a free decryption software for data recovery.

Unique distribution campaign was spotted in December 2016

It seems that the authors of Jigsaw ransomware felt a bit different during the last month of 2016. During the Christmas season, they launched a new technique for the distribution of their virus. This distribution method is closely related to the malicious Bitcoin stealer called Electrum Coin Adder v1.0.

This tool is capable of stealing Bitcoins only by using a certain transaction ID, however, this tool is only a bait for people who want to earn money the easy way.

It appears that Electrum Coin Adder actually installs BTC stealer and also downloads and sets up Jigsaw ransomware on the computer. An interesting fact is that this virus has been using an interesting line in its code – config.ActiveAfterDateTime = new DateTime(2016,12,23).

If you were lucky enough to stay Jigsaw virus-free during Christmas, make sure you are relying on safe browsing practices in 2017 as well because this virus brings only sorrow and stress.

Make sure you have an up-to-date anti-malware tool and don't forget to scan your PC before this date if you have downloaded any suspicious programs, opened questionable email attachments or installed Electrum Coin Adder virus itself!

Malicious spam emails remain the main ransomware distribution method

Jigsaw ransomware has been actively spread with the help of spam. Therefore, you have to be particularly cautious when browsing online and downloading email attachments to your computer. Make sure you avoid clicking on random links, ads and software updates you do not need. The Trojan virus may be hiding behind even the most regular looking advertisements.

Try downloading your software only from the reliable sources and always check it the downloaded application does not contain additional software waiting to be installed on your PC as well. As for the email, you should carefully inspect “Spam” section. Do not open any attachments offering to reclaim won iPhone or another common trophy even if they address you directly.  

Nevertheless, some rogue programs may slip through to your regular inbox as well, so the best option is to obtain a reliable antivirus software to guard you against undesirable programs, including the Jigsaw virus.

Uninstall Jigsaw ransomware virus and get back access to your files

As mentioned before, it is possible to remove Jigsaw virus from the computer and, luckily, to recover the locked files. The security experts have discovered that the locked files do not necessarily have to be bought out and can be decrypted for free[7].

The first thing you should do is go to your Task Manager and kill the firefox.exe and drpbx.exe processes[8]. This should ensure that no more files are deleted from your computer.

Then, run the MSConfig and terminate the firefox.exe startup which initiates the virus. Once the virus startup is terminated, you can use Reimage or Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus to scan your computer for this malware.

Do not forget to run an extra scan of your system to make sure all of the virus components are completely removed from the computer. Following these steps combined with the Jigsaw removal instructions provided below, should help you to get rid of this treacherous virus safely and without causing damage to your files.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Jigsaw ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Jigsaw ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual Jigsaw virus Removal Guide:

Remove Jigsaw using Safe Mode with Networking

To remove Jigsaw ransomware from Windows, you should follow the steps below to reboot your computer to Safe Mode with Networking.Then, run a full system scan and eliminate malicious files.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Jigsaw

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Jigsaw removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Jigsaw using System Restore

To remove ransomware with the help of System Restore, you need to set your computer to the previous date. Then, you should scan the system with anti-spyware software.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Jigsaw. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Jigsaw removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Jigsaw from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If you are struggling with the recovery of your files encrypted by Jigsaw ransomware, you should take a look at our bonus instructions. Please, do NOT pay the ransom because there is no guarantee that hackers will give you the key that you need in exchange for your money. To get your files back, you can use one of these options that are free to use.

If your files are encrypted by Jigsaw, you can use several methods to restore them:

Use Data Recovery Pro to restore files encrypted by Jigsaw

Data Recovery Tool is a handy program that offers its help for those who accidentally removed their files or got infected with ransomware. Make sure you follow the setup wizard to use it properly.

Use Windows Previous Versions to recover your files encrypted by Jigsaw

If your files are encrypted by Jigsaw ransomware, you can try to recover them with the help of Windows Previous Versions feature. However, it works only if System Restore feature was enabled before the infection. To check whether this method works for you, follow these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Updated Jigsaw Decrypter

Security experts work hard to help people after infiltration of ransomware virus. That's how such tools as Jigsaw decryptor get unleashed on the Internet. Once you remove Jigsaw from your computer, you can use it to unlock your files. Currently, the decrypter works on files marked with .fun, .kkk, .gws, .porno, .paybtcs, .AFD, .pornoransom, .paymds, .paymts, .payrms, .rss, .btc, .epic, .korea, .pays, .paym, .paymrts, .payransom, .jigsaw and possibly file extensions used by latest JigSaw variants.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Jigsaw and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions


Removal guides in other languages

  • NathanTheWhale

    Hahah, this virus wants to look so scary!

    • Liam_Bane2001

      But these guys sure lack imagination…. Jigsaw virus??? Meh

  • jigsawmaster


  • Lora

    remove from the PC Immediately when you unlock the files! It may lock your files again if you dont!!!