The eager-but-pwned net menace behind the Jigsaw ransomware has been found targeting Reddit users with multiple pieces of malware in a bid to snare victims.

The VXer is thought to be behind three ransomware variants, including the well-known Jigsaw which sports iconography from the Saw film, each lurking behind websites that foist the malware on visitors.

The actor, using the handle minercount on a forum, built and sold ransomware on crime forums and deployed it themselves in a successful bid to infect victims.

Attribution is difficult at best, but the Cisco Talos intelligence boffins have laid out their chains of evidence that indicate one scumbag is behind Jigsaw, Ranscam, and the AnonPop ransomware forms.

Scores of low-ranking posts were made to the Bitcoin and related subreddits, pointing those who clicked to sites that downloaded an AutoIT executable, which in turn deployed the ransomware.

One post purported to be a cache of online anonymity tools, including the Tor browser. It contained the actor's ransomware along with a guide to the darknet.

The joker even posted a poisoned link to a cryptowallremoval subreddit dedicated to helping victims. The irony is that re-encrypting already encrypted files would be a fruitless effort.

Talos blackhat terminators Edmund Brumaghin and Warren Mercer pointed intelligence cannons at the Ranscam ransomware, sifting through domains, code, and posts to reveal the criminal's activities.

"As observed by tracking the activities of the threat actor associated with Ranscam, new versions of this destructive malware are continuing to be developed and used in an attempt to coerce victims into paying out without necessarily requiring the threat actor to invest the resources required to maintain an advanced or stealthy operation," the pair say.

"... while there may be a greater number of distinct destructive ransomware variants targeting systems, this may not directly correlate to a larger number of distinct threat actors operating in the ransomware space.

"A single actor could be responsible for multiple distinct variants in an attempt to maximize their profits, or as they refine their tactics in an attempt to maximize the amount of revenue they collect from victims."

Maintenance of offline backups, an absence of ravaged runtimes like Flash, and an avoidance of dodgy online oubliettes will help net users avoid ransomware and the need to pay ransoms. ®