The Ziggy ransomware gang announced in early February they were getting out of the cybercrime business. Now they say they’re ready to refund their victims’ money.
Anyone who paid a ransom to Ziggy just needs to shoot them an email with proof of payment calculated in Bitcoin and the computer ID. After that, the money will be returned to the Bitcoin wallet in about two weeks, according to BleepingComputer, who spoke to Ziggy’s administrator.
Threatpost reached out to the Ziggy admin and received a response: “Hello dear. Yes, I’m Ziggy ransomware developer. We decided to return victims’ money because we fear law-enforcement action.”
Ransomware Operators Find Their Conscience
Thus, apparently, Ziggy was scared straight in early February after law-enforcement takedowns of fellow purveyors of malware like Emotet and the NetWalker ransomware; and added that they were feeling “guilty,” the outlet reported.
On Feb. 7, Ziggy published 922 decryption keys, which, when matched with keys in an accompanying SQL file, would unlock the victims’ files. Ziggy also shared the files with ransomware expert Michael Gillespie, who made a free Ziggy decryption tool for victims to unlock their files.
Researcher M. Shahpasandi’s noted in a message on Twitter how Ziggy victims can go get their money back.
To all #Ziggy ransomware victims who paid money:
Contact firstname.lastname@example.org for giving your money back.@BleepinComputer @malwrhunterteam @demonslay335 https://t.co/tP0ngMXNyi pic.twitter.com/GNf7icMQiQ
— M. Shahpasandi (@M_Shahpasandi) March 28, 2021
But as Bleeping Computer pointed out, the timing of the ransom refund announcement is curious. Ziggy said the refund will be calculated based on Bitcoin value on the day of payment. On Feb. 7, the day Ziggy released the decryption keys, the exchange rate for Bitcoin was about 1 BTC to $39,000, just days after, Bitcoin’s value spiked to just under $59,000 per BTC. That difference in value nets Ziggy a tidy little profit, while still technically returning the money.
Ziggy’s admin explained that the group is just trying to make money, adding they were selling their home to finance the refunds.
“We spent victims money so this is stupid to return money based on the today bitcoin price.(e.g: If a victims payed 500$ , he/she will get 500$) I sold my house to return victims money,” the admin told Threatpost. “I gonna be ransomware hunter. We have some ideas to create other ransomware(s) decryption tool. There is some ways to recover PHOBOS ransomware victims files without paying money and now I’m working on PHOBOS ransomware free decryption tool. Just looking for a job 🙂 Good luck.”
RIP: Ziggy, Fonix, Emotet
Ziggy’s return to the right side of the line follows vast international law-enforcement operations aimed at dismantling ransomware operations. And they’re not alone. Just days before Ziggy said they were calling it quits, an admin of the ransomware-as-a-service group Fonix said they too were switching sides and had “come to the conclusion we should use our abilities in positive ways to help others,” the announcement said.
— fnx (@fnx67482837) January 29, 2021
A subsequent tweet included an apology and a pledge to launch a site to analyze malware and, “to make up for our mistakes.”
At least we have Special apology for all infected systems users.
To make up for our mistakes , We will launch a malware analyze website soon To use our abilities in positive ways.
"We cannot despair of humanity, Since we ourselves are human begins"
— fnx (@fnx67482837) January 30, 2021
In late January, Emotet was demolished when cops pulled hundreds of servers offline; and police also took Netwalker’s Dark Web leaks site down. At the time, Emotet was the single most prolific malware in the wild, but after it was removed, TrickBot quickly rose to take its place, along with Qakbot and the Ryuk ransomware.
Whether motivated by guilt, fear of prosecution or a desire to use their skills for more legitimate pursuits, the trend is clear: Ransomware affiliates are getting out of the business.
“This incident highlights the success of continued efforts by law-enforcement officials to crack down on ransomware activity,” Ivan Righi, an analyst with Digital Shadows told Threatpost. “While large ransomware operations such as Clop, Sodinokibi and DarkSide are unlikely to be discouraged from continuing to launch attacks, the recent arrests will make cybercriminals think twice before becoming ransomware affiliates.”
Righi added unlocking victims’ files and issuing refunds isn’t really enough to mitigate the harm done to businesses.
“Ziggy has taken a unique approach, releasing a decryption key, offering full refunds on ransom payments, and vouching to become ‘ransomware hunters,'” Righi told Threatpost. “However, while Ziggy may return the ransom payments they received and release decryptors, the damage has likely already been done and victims who suffered lengthy downtimes due to their operations are unlikely to fully recover from their losses.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)