The Week in Ransomware – February 12th 2021


This week we saw another ransomware shut down its operation and a significant attack against Cyberpunk 2077 game developer CD Projekt Red.

Another operation known as Ziggy Ransomware shut down this week and released the decryption keys for victims. This shut down was due to increased concern about law enforcement action after the disruption and arrests in the Netwalker Ransomware operation.

We also saw a major attack against game developer CD Projekt Red from a ransomware group called HelloKitty. During this attack, the threat actors claimed to have stolen the alleged source code for the Witcher 3 and Cyberpunk 2077 games, which threat actors later put up for auction on a hacker forum.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @BleepinComputer, @jorntvdw, @DanielGallagher, @Seifreed, @serghei, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @Ionut_Ilascu, @FourOctets, @malwareforme, @struppigel, @VK_Intel, @PolarToffee, @JakubKroustek, @M_Shahpasandi, @vxunderground, @BrettCallow, @chum1ng0, @Kangxiaopao. @Amigo_A_, @Intel_by_KELA, and @danusminimus.

February 7th 2021

Ziggy ransomware shuts down and releases victims’ decryption keys

The Ziggy ransomware operation has shut down and released the victims’ decryption keys after concerns about recent law enforcement activity and guilt for encrypting victims.

Telegram post

Albany ransomware attack threatens criminal cases

The 2019 ransomware attack on the city’s servers is now potentially affecting criminal cases after it was revealed that the city police department lost all digital copies of its 2018 internal affairs files.

New DarkWorld ransomware

xiaopao found a new ransomware called DarkWorld that appends the .dark extension and drops a ransom note named import.txt.


New Tortoise ransomware

Danus found the new Tortoise Ransomware that appends the .tortoise extension but does not appear to actually encrypt anything.

February 8th 2021

New DaddyCrypt JCrypt variant

xiaopao found a new JCrypt ransomware variant that appends called DarkWorld that appends the .daddycrypt extension and drops a ransom note named _RECOVER__FILES__.daddycrypt.txt.

February 9th 2021

New Dharma…