Threat Database Ransomware Pennywise Ransomware

Pennywise Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 14,674
Threat Level: 10 % (Normal)
Infected Computers: 301
First Seen: November 3, 2017
Last Seen: September 15, 2023
OS(es) Affected: Windows

The Pennywise Ransomware is a data encryption Trojan that was reported for the first time on October 23rd, 2017. The Pennywise Ransomware appears to be a variant of another well-documented threat dubbed Jigsaw Ransomware, which emerged in April 2016. The Jigsaw family of Trojans has expanded since the original threat was discovered and Pennywise Ransomware is one of the latest iterations among them, which are the HACKED Ransomware and the StrutterGear Ransomware. The new variant was found on an online security platform that malware researchers use to exchange samples, notes, and keep an eye on the latest trends in threat development. The samples of the Pennywise Ransomware available to researchers suggest that the Trojan is still under development. Evidence suggests that the Pennywise Ransomware is in its testing and debug phase. The creators of the Pennywise Ransomware continue to use the image of a scary clown to brand their products. Code analysis revealed that the Pennywise Ransomware is designed to create a folder on the primary system disk — C:\FileSystemSimulation\ — and use the location to load on the system. Lab tests indicate that the threat uses the following files to facilitate its operations:


The Trojan is known to generate a program window that offers the following information to the compromised user:

'Your personal files are being deleted. Your photos, videos, documents, etc...
But, don't worry! It will only happen if you don't comply.
However I've already encrypted your personal files, so you cannot access them.
Every hour I select some of them to delete permanently, therefore I won't be able to access them, either.
If you turn off your computer or try to close me, when I start next time you will get 1000 files deleted as a punishment.
Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you.
Meanwhile..... You want a balloon? Hahahahaha_'

At the time of research, the Pennywise Ransomware is known to target one hundred and twenty-seven file types for encryption. Researchers provided the following lists of targeted data formats:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

As you can see, the Pennywise Ransomware is designed to encrypt standard data formats that regular PC users are likely to be familiar with. The encrypted data is marked with the '.beep' file marker. For example, 'Hawa Mahal - Palace of the Winds.jpeg' is renamed to 'Hawa Mahal - Palace of the Winds.jpeg.beep' and there is no way for the user to decrypt the file, except for paying the cybercrooks. At least that is what the threat is trying to convince compromised users. It is true that the Pennywise Ransomware employs secure encryption mechanisms, but you can boot up a system recovery disk and any type of backup to rebuild your file structure. It is a must to use a reputable anti-malware scanner that can purge the Pennywise Ransomware from your PC safely. AV companies identify the threat as:

  • Generic.MSIL.Ransomware.Jigsaw.5123367C
  • MSIL/Filecoder.JIGSAW!tr
  • Ransom/W32.Jigsaw.672256
  • Ransom_JIGSAW.WD
  • TR/AD.JigsawLocker.adzox
  • Trojan ( 004f21821 )
  • Trojan.Win32.Ransom.672256
  • Trojan/Win32.Ransom.C2210683
  • malicious (moderate confidence)


Most Viewed