UPDATED 06:59 EDT / APRIL 20 2016


Do you want to play a game? New ransomware featuring Saw character demands Bitcoin payments

Do you want to play a game?

You may know those words from the movie Saw, but unfortunately Billy the Puppet is back by way of newly discovered ransomware.

Dubbed JIGSAW or BitcoinBlackmailer.exe, the ransomware distinguishes itself from traditional ransomware by setting a very tight deadline for Bitcoin ransom payment and, to make matters worse, issuing multiple warnings to those infected along the way. As DarkReading describes it, “akin to how a thriller builds on suspense, fear, and horror, JIGSAW builds pressure on the victim with multiple warnings to pay the ransom or lose his or her data.”

According to Trend Micro, Inc., JIGSAW arrives as a file downloaded from a free cloud storage service named 1fichier[.]com, or from pornography sites.

Once the ransomware is installed, the user is greeted by an image of Billy and the ransom note.

The message comes in two languages, English or Portuguese. The note introduces the idea of exponential growth and applies it to both the user’s files and the ransom amount: the ransomware starts deleting files by the hour while increasing the ransom.

“Users may be pressured into paying the ransom so they may either save the remaining files or avoid paying a larger ransom. The least amount the user can pay is US$20-150,” the report notes.

After 72 hours and the ransom hitting $150, payable in Bitcoin, all of the files on the target computer are deleted.

If that’s not bad enough, users who turn off their computer to stop the attack are punished with having 1,000 files deleted when they turn the computer back on.

New low

“Using horror movie images and references to cause distress in the victim is a new low,” Forcepoint, Inc. Head of Special Investigations Andy Settle said in a blog post.

“The depths the author has gone to, with real-time scrolling text, countdown timer, increasing ransom amount and the horror associations, plays on the mind of those who may have seen the movie or even those who are vulnerable or of a nervous disposition.”

While the ransomware itself may have sunk to new depths, the people behind it turned out to have better imaginations than coding skills. The infection is fairly easy to detect and overcome: the decryption key was left in the source code, along with a list of 100 Bitcoin wallets that the program uses to funnel funds back. Suffice it to say these addresses are now being spread throughout both the Bitcoin and security industries to assist in shutting them down.

Image credit: Trend Micro.
