This old ransomware has been revamped as Bitcoin-stealing malware

Jigsaw appears to be back with new malicious intentions, and a simple but effective trick to go after cryptocurrency.
Written by Danny Palmer, Senior Writer


An old form of ransomware has been repurposed to steal Bitcoin by altering the addresses of wallets and redirecting payments into accounts owned by the attacker.

Little of the malicious code has been changed, so a number of security products will still identify it as the same file-locking ransomware, despite this version's new tactic of stealing cryptocurrency.

Detailed by researchers at Fortinet, the Bitcoin-stealing campaign has its origins in Jigsaw -- a form of ransomware that appeared in April 2016 and was infamous for displaying the face of the horror-film character it was named after.

The source code of Jigsaw has been available for a long time and is widely distributed online, so the attack is unlikely to be the work of the original ransomware author, as anyone with knowledge of C# code could theoretically tailor the malware to their own ends.

In this instance, the author is looking to take advantage of the popularity of blockchain-based Bitcoin, still by far the most valuable cryptocurrency.

The code simply refers to the malware as 'BitcoinStealer' -- although the name can only be uncovered by reverse-engineering, so victims will never see this giveaway of the software's intentions.

The main goal of the malware is to modify Bitcoin wallet addresses held in the clipboard so that the currency ends up in the hands of the attackers.


While one might expect users to notice that the Bitcoin address has changed, BitcoinStealer replaces the legitimate address with a forged one whose first and last few characters are similar or identical to those of the original, in order to trick the user into believing it is their intended address.


Address spoofing used to redirect Bitcoin payments.

Image: Fortinet

Researchers say that these attacks have successfully stolen at least 8.4 Bitcoin, which currently works out at around $62,000 (£48,000). So while the attack is basic, it seems to be effective.

During the course of its investigation into the malware, Fortinet uncovered similar projects for building and modifying cryptocurrency stealers being advertised on underground forums.

This episode goes to show that even the most basic cyber attacks can result in a big loss for victims. Bitcoin users should always double-check to see if they're sending payments to the right address.
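As an added example (not code from Fortinet's analysis or from the malware), here is the kind of check a wallet front end or a user's own script could run before a payment is sent: it validates a legacy Base58Check address and flags the specific swap pattern described above, a pasted address that agrees with the intended one only in its first and last few characters. The address constants are Bitcoin's well-known genesis-block address and a constructed look-alike; the four-character edge width is an assumption.

```python
import hashlib

# Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_valid(addr: str) -> bool:
    """True if addr is a well-formed legacy address (25 bytes, checksum ok).
    Bech32 (bc1...) addresses are out of scope for this helper."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    try:
        raw = n.to_bytes(25, "big")  # version + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    # Each leading '1' encodes one leading zero byte; the counts must agree.
    lead = len(addr) - len(addr.lstrip("1"))
    if len(raw) - len(raw.lstrip(b"\x00")) != lead:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def looks_swapped(intended: str, pasted: str, edge: int = 4) -> bool:
    """The pattern from the article: a different address that keeps the
    first and last `edge` characters of the one the user meant to paste."""
    if pasted == intended or len(pasted) <= 2 * edge:
        return False
    return pasted[:edge] == intended[:edge] and pasted[-edge:] == intended[-edge:]


def paste_verdict(intended: str, pasted: str, edge: int = 4) -> str:
    """Decide whether what landed in the clipboard is safe to send to."""
    if pasted == intended:
        return "ok"
    if looks_swapped(intended, pasted, edge):
        return "lookalike-substitution"
    if not b58check_valid(pasted):
        return "malformed"
    return "different-address"


# Bitcoin genesis-block address (public, well known) and a constructed look-alike
# that keeps its first and last four characters but nothing in between.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
LOOKALIKE = GENESIS[:4] + "Qh7bLpK9zT3mWv2NcRs8xYd4cF" + GENESIS[-4:]

if __name__ == "__main__":
    for pasted in (GENESIS, LOOKALIKE):
        print(pasted, "->", paste_verdict(GENESIS, pasted))
```

Comparing only the ends of an address is exactly the habit the malware exploits; the verdict function compares the whole string first and treats an edge-only match as the most suspicious outcome.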
