The administrators of Ziggy ransomware have reportedly decided to lead an honest life and refund the victims of their ransomware attacks. This historic announcement comes a couple of months after the hacker group decided to shut shop and release decryption keys for free.
As admitted by the ransomware’s operators in statements given to the likes of Bleeping Computer and Threatpost, the Ziggy ransomware gang decided to shut shop in February following a string of law enforcement successes against well-established ransomware gangs, notably Emotet and NetWalker. Gripped by the fear of being next, the ransomware gang quickly released an SQL file with 922 decryption keys that could be used by the victims to unlock their files.
Ziggy is an old-fashioned ransomware variant that only encrypts files and then displays a ransom note on targeted systems. Modern ransomware variants also exfiltrate data from compromised systems, enabling their operators to blackmail victims by threatening to publish the stolen files even if the victims manage to decrypt their files on their own.
Recently, Bleeping Computer reported that the Ziggy ransomware gang has decided to issue refunds to all victims. All that victims need to do is to send an email to ziggyransomware@secmail[.]pro along with the payment proof and the computer ID. The gang will process the refund to the victim’s bitcoin wallet within two weeks. The admin of Ziggy ransomware also confirmed that the refund will be in Bitcoin at the value on the payment day.
The Ziggy ransomware administrator also told BleepingComputer that they lived in a “third-world country” and had to sell their house off in order to refund the money to their victims. Also, their decision to issue refunds was based on the fear of law enforcement operations targeting their bases. Threatpost received a similar response from the Ziggy admin. “Hello dear. Yes, I’m Ziggy ransomware developer. We decided to return victims’ money because we fear law-enforcement action,” the response read.
Ransomware gangs have made similar promises in the past, but it’s best that organisations take their word with a pinch of salt. Last year, after the COVID-19 pandemic engulfed the world, several hacking groups committed that they wouldn’t target healthcare organisations. The DoppelPaymer gang was the first to state that they do not normally target hospitals and nursing homes and would continue that practice during the global crisis. The group stated that if a medical organisation did get hacked, the victim could contact them by email or via their Tor webpage to provide proof and obtain a decryptor.
While DoppelPaymer stated that they do not target healthcare organisations like hospitals and nursing homes as a principle, the operators of Maze also said that “we also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus.”
However, despite the claims of these hacker groups, healthcare organisations will do well to ignore such statements and continue to strengthen their cyber defences no matter how busy they are with medical emergencies. Recently, the U.S. Health and Human Services Department suffered a DDoS attack aimed at slowing down the agency’s operations in the middle of the COVID-19 outbreak in the country.
Commenting on the promises made by the Ziggy ransomware gang, Ed Macnair, CEO of Censornet, told Teiss that it’s very unusual for hackers to offer a refund after strong-arming victims into paying a ransom. Burglars don’t tend to hand back money after stealing someone’s jewellery and neither do ransomware attackers.
“This offer should be treated with absolute caution. After damaging potentially thousands of organisations I’m not sure if the administrators of Ziggy ransomware will be earning the trust of anyone anytime soon. When an attacker makes an apparently kind-hearted gesture like this and asks for bank details, there’s a chance they are planning to cause more pain. Don’t fall for follow-up attacks,” he added.