Attackers Behind Ziggy Ransomware Offer Refunds to Victims

Sunday, April 4th, 2021

In a bizarre twist, the threat actors behind the Ziggy ransomware announced last week their retirement from the ‘cybercrime business.’ Taking it one step further, the group announced that they will be disbursing refunds to victims who paid their ransom.

Anyone who paid a ransom to Ziggy is required to email the group with proof of payment calculated in Bitcoin and the computer ID. After that, the money will be returned to the Bitcoin wallet in about two weeks, according to BleepingComputer, which spoke to Ziggy’s administrator.

Apparently, Ziggy was scared straight in early February after law-enforcement takedowns of fellow purveyors of malware like Emotet and the NetWalker ransomware, and the group added that they were feeling “guilty,” the outlet reported.

On Feb. 7, Ziggy published 922 decryption keys, which, when matched with keys in an accompanying SQL file, would unlock the victims’ files. Ziggy also shared the files with ransomware expert Michael Gillespie, who made a free Ziggy decryption tool for victims to unlock their files.

But as BleepingComputer pointed out, the timing of the ransom refund announcement is curious. Ziggy said the refund will be calculated based on the Bitcoin value on the day of payment. On Feb. 7, the day Ziggy released the decryption keys, the exchange rate for Bitcoin was about 1 BTC to $39,000; just days after, Bitcoin’s value spiked to just under $59,000 per BTC. That difference in value nets Ziggy a tidy little profit, while still technically returning the money.

Ziggy explained to BleepingComputer that they were in a “third-world country” and just trying to make money, adding they were selling their home to finance the refunds.
