Ziggy Ransomware Hackers Refund Victims Their Ransom Payments

On February 6th the Ziggy ransomware group announced the end of their hacking operation. More than a month after shutting down operations, Ziggy ransomware administrators announced they will refund their victims. On March 19th the group announced their decision to give the ransoms back.

M. Shahpasandi, who identifies himself on Twitter as a security researcher, communicated with Bleeping Computer. He claims the group decided to give back their ill-gotten gains.

Bleeping Computer reported that the Ziggy ransomware administrator explained that the hacker(s) live in a “third-world country” and created the lockers with financial motives.

The anonymous group administrator says they feel “sad” for their crimes. And they “decided to publish all decryption keys” so their victims could unlock their systems.

They made good on the first promise, on February 7, giving out an SQL file with 922 decryption keys. The victims were able to unlock the files infected by the ransomware.

Due to a change of heart, the group provided Ziggy victims with a decryption tool which makes it easier to unlock systems. Additionally, they received the source code for a decryptor which does not need an internet connection to work, allowing the victims to clean up their systems offline.

So far their communications have been short and to the point. And despite the fact that they feel “sad,” they had to be concerned the authorities were closing in on them. Emotet and Netwalker ransomware hackers were hit by law enforcement in cooperative efforts of international cybercrime units. They were both much larger than Ziggy.

Closing operations followed by giving the money back

The “administrator” was quiet for a little over a week. Then on March 28th, he announced the group was ready to return the ransom payments.

Victims need to contact the admin at this email address: [email protected]. After sending proof of their bitcoin payments along with the computer ID, the money would be returned to the victim’s bitcoin wallet in about two weeks.

Initially, ransomware victims get a ransom note with instructions on how to contact cyber criminals to pay. Bitcoin was the typical mode of payment.

Hackers Still Make a Profit Despite Ransom Return

Bitcoin price has been on the rise for three months. Last month when the ransomware keys went public, the Bitcoin price was about $39,000.

Today the price is floating around $55,000. And before the first announcement, the Bitcoin price hit an all-time high above $61,000. Given the price difference, the admin makes a profit at the current Bitcoin price.

Even with the return of the ransom, the Ziggy hackers should make a hefty profit. 

Ziggy is not the first to close down operations. The UK-based Fonix operators also put aside their cyber weapons and gave their victims a master decryption key, in late January.