Tag Archive for: Ziggy

Ziggy Ransomware Crew Quits Business, Refunds Victims’ Stolen Money

/in


by D. Howard Kass • Apr 5, 2021

The Ziggy ransomware crew, which ostensibly quit the business in early February 2021 over a fit of remorse, said it will return to their victims the money they’ve extorted merely for an email containing proof of payment.

So, if you’ve paid the cyber crime perps any money in a ransom ploy just calculate the amount in Bitcoin and the computer ID and your money will be shuttled off to the Bitcoin wallet in about two weeks, said Ziggy’s admin, who reportedly has spoken with ThreatPost and BleepingComputer. Bitcoin value on the day of payment would be the basis to calculate the refund.

The Ziggies apparently feared law endorsement repercussions if they continued their cyber kidnappings, the Ziggy rep told Threatpost. “Hello dear. Yes, I’m Ziggy ransomware developer. We decided to return victims’ money because we fear law enforcement action,” the person told Threatpost.

They have a point. In January 2021, international law enforcement and judicial authorities in eight countries dismantled the Emotet botnet, widely regarded as the world’s most dangerous and notorious malware operation, taking it down from the inside by redirecting hundreds of infected machines to a law enforcement environment.

At the same time, the U.S. Justice Department said it had hit the NetWalker ransomware syndicate, which operates as a ransomware-as-a-service model, by seizing nearly $500,000 in cryptocurrency from ransom payments and disabling a dark web hidden resource used to communicate with the gang’s victims. Ziggy’s withdrawal amounts to a victory for law enforcement, which has repeatedly said that an accumulation of indictments and actions to gut hackers’ infrastructure would discourage further attacks.

Ziggy reportedly propagated garden variety ransomware, picking on computers to encrypt files and then demanding a sum of money to reverse their handiwork. The cyber kidnappers evidently didn’t steal files. According to Threatpost, Ziggy has released more than 900 decryption keys, which will unlock the victims’ files. There’s a bit of a catch to the whole thing. Using the sullied money, Ziggy made a couple of bucks. When Ziggy released…

Source…

Ziggy ransomware admin announces refunds for all targeted victims

/in


The administrators of Ziggy ransomware have reportedly decided to lead an honest life and refund the victims of their ransomware attacks. This historic announcement comes a couple of months after the hacker group decided to shut shop and release decryption keys for free.

As admitted by the ransomware’s operators in statements given to the likes of Bleeping Computer and Threatpost, the Ziggy ransomware gang decided to shut shop in February following a string of law enforcement successes against well-established ransomware gangs, notably Emotet and NetWalker. Gripped by the fear of being next, the ransomware gang quickly released an SQL file with 922 decryption keys that could be used by the victims to unlock their files.

Ziggy is an old-fashioned ransomware variant that only encrypts files before putting up a ransom note on targeted systems. Modern ransomware variants also copy data from hijacked files to enable their operators to blackmail victims by threatening to publish stolen files even if the victims successfully decrypt files on their own.

Recently, Bleeping Computer reported that the Ziggy ransomware gang has decided to issue refunds to all victims. All that victims need to do is to send an email to ziggyransomware@secmail[.]pro along with the payment proof and the computer ID. The gang will process the refund to the victim’s bitcoin wallet within two weeks. The admin of Ziggy ransomware also confirmed that the refund will be in Bitcoin at the value on the payment day.

The Ziggy ransomware administrator also told BleepingComputer that they lived in a “third-world country” and had to sell their house off in order to refund the money to their victims. Also, their decision to issue refunds was based on the fear of law enforcement operations targeting their bases. Threatpost received a similar response from the Ziggy admin. “Hello dear. Yes, I’m Ziggy ransomware developer. We decided to return victims’ money because we fear law-enforcement action,” the response read.

Ransomware gangs have made similar promises in the past but it’s best that organisations take their word with a pinch of salt. Last year, after the COVID-19 pandemic engulfed the…

Source…

Ziggy ransomware shuts down and releases victims’ decryption keys

/in


Decryptor

The Ziggy ransomware operation has shut down and released the victims’ decryption keys after concerns about recent law enforcement activity and guilt for encrypting victims.

Over the weekend, security researcher M. Shahpasandi told BleepingComputer that the Ziggy Ransomware admin announced on Telegram that they were shutting down their operation and would be releasing all of the decryption keys.

Shut down announcement by Ziggy admin
Shut down announcement by Ziggy admin

In an interview with BleepingComputer, the ransomware admin said they created the ransomware to generate money as they live in a “third-world country.”

After feeling guilty about their actions and concerns over recent law enforcement operations against Emotet and Netwalker ransomware, the admin decided to shut down and release all of the keys.

Today, the Ziggy ransomware admin posted a SQL file containing 922 decryption keys for encrypted victims. For each victim, the SQL file lists three keys needed to decrypt their encrypted files.

SQL file containing Ziggy decryption keys
SQL file containing Ziggy decryption keys

The ransomware admin also posted a decryptor [VirusTotal] that victims can use with the keys listed in the SQL file.

Ziggy ransomware decryptor
Ziggy ransomware decryptor

In addition to the decryptor and the SQL file, the ransomware admin shared the source code for a different decryptor with BleepingComputer that contains offline decryption keys.

Ransomware infections use offline decryption keys to decrypt victims infected while not being connected to the Internet or the command and control server was unreachable.

Source code for different Ziggy ransomware decryptor
Source code for different Ziggy ransomware decryptor

The ransomware admin also shared these files with ransomware expert Michael Gillespie who told BleepingComputer that Emsisoft would be releasing a decryptor soon.

“The release of the keys, whether voluntarily or involuntarily, is the best possible outcome. It means past victims can recover their data without needing to pay the ransom or use the dev’s decryptor, which could contain a backdoor and/or bugs. And, of course, it also means there’s one less ransomware group to worry about.”

“The recent arrest of individuals associated with the Emotet and Netwalker operation could be causing some actors to get cold feet. If so, we…

Source…