The Ziggy ransomware gang has announced that they will refund the money they extorted from their victims.
According to an administrator for the ransomware gang, in a comment to computer news website BleepingComputer, previous victims can send them an email along with proof of payment and a computer ID. The hackers will then return funds to their Bitcoin wallet within two weeks.
However, experts have noted that Ziggy will still be able to make a profit from its actions by manipulating fluctuations in the value of Bitcoin. Part of the deal is that they will refund money based on the value of Bitcoin on the date the payment is made.
With Bitcoin having roughly doubled in value since January, anyone who paid, for example, one bitcoin at the start of February, when it was worth around $30,000, would only receive half a bitcoin now, with Ziggy taking the proceeds.
In their statement, the Ziggy hackers claimed they were selling their homes to afford the refunds.
The Ziggy ransomware was a relatively unsophisticated and outdated form of ransomware. Most modern ransomware attacks not only encrypt data but copy it, allowing the hackers to blackmail companies with a potential data leak. Ziggy merely encrypted data before demanding a ransom to decrypt the data.
The team behind the Ziggy ransomware attacks shut down their operations in February this year. In doing so, they also released around 1000 decryption keys for people to use on encrypted data. With each infection requiring three keys, this suggests there are over 300 victims of the Ziggy ransomware.
They also released a decryption tool, VirusTotal, to allow full access to affected systems, though the tool is often flagged as being malware itself. As such, using a reliable decryption tool is far safer, to avoid any malware or backdoors that may have been added to ones provided by cybercriminals.
As part of their move out of ransomware, Ziggy shared files with ransomware expert Michael Gillespie, who in turn created a free decryption tool for Ziggy victims to unlock their files.
- Scot-Secure 2021 | Understanding cybersecurity threat actors
- NCSC CEO warns against becoming complacent in cybersecurity
- Visa cryptocurrency plan pushes Bitcoin prices up
The announcement was made over Telegram, with a self-described administrator for Ziggy stating “we are very sad about what we did”. They noted that their motivation had been to raise money while living in a third-world country.
However, their move came soon after law enforcement took action against similar ransomware groups, such as the Emotet takedown, making them conclude it was best to stop their operations.
Despite the reported rise of ransomware and other cyber attacks over 2020 and 2021, things have not always been going cyberattackers ways. Large scale police operations have not only disrupted Emotet but other major cybercrime groups including Trickbot and Netwalker.
Ziggy are not alone in deciding to get out while they are ahead – ransomware as a service group Fonix have also said that they were going to stop, having “come to the conclusion we should use our abilities in positive ways to help others,” the group said.