After recently announcing the end of the operation, the administrator of Ziggy ransomware is now pledging to give their ransom generated money back. BleepingComputer says that it appears that this is a planned move since the admin shared the "good news" a little over a week ago but gave no details. Ziggy ransomware ceased operations in early February. In a brief announcement, the administrator of the operation said that they were “sad” about what they did and that they “decided to publish all decryption keys.” The Ziggy ransomware first appeared at the end of 2020, and encrypts its victims files using RSA-4096 and AES-256 GCM, and adds the extension ".id=[].email=[].ziggy".[1]
Ziggy followed through on 7 February 2021, offering an SQL file with 922 decryption keys that victims could use to unlock their files.[2] The admin also made available a decryption tool to make the process easier, along with the source code for a decryptor that does not need an internet connection to work.[3]
Figure 1. SQL file - decryption keys (screen shot)
Then on 19 March, the Ziggy ransomware administrator said that they also wanted to return the money to the victims that paid the ransom. Today, after a week of silence, the admin said that they were ready to return payments. Victims should contact the admin at a given email address (ziggyransomware@secmail.pro) with the proof of their payment in Bitcoin and the computer ID, and the money would be returned to the victim’s bitcoin wallet in about two weeks. Is Ziggy having remorse, or being forced to provide a ‘refund?’
Returning the ransom and making a profit. Ransomware victims typically get a ransom note with instructions on how to contact cybercriminals to negotiate a payment. Typically, the payment is negotiated in agreement but paid in Bitcoin. Bitcoin price has been on ascending route for the past three months, and its current price is close to $55,000USD. On the day Ziggy ransomware decryption keys became public, Bitcoin price was around $39,000. Five days before the admin announced that they would return the money, Bitcoin spiked above $61,000. Given the price difference, the admin makes a profit at the current Bitcoin price. Hmmmm, so there may be no real remorse, as Ziggy still makes a profit. The Ziggy ransomware administrator told BleepingComputer that they live in a “third-world country” and that their motivation for creating the locker was financial. Ziggy Marley, Jamaica?
The admin’s recent actions seem to be driven by guilt and the worry that law enforcement might get them, given the disruption of much larger operations like Emotet and Netwalker ransomware. Either way, victims appear to be getting a reprieve.
Red Sky Alliance has been has analyzing and documenting these type of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns – like Ziggy. The best option is to not get stung by ransomware in the first place. Red Sky Alliance can provide actionable cyber intelligence and weekly black lists to help protect your network.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://www.emsisoft.com/ransomware-decryption-tools/ziggy
[2] https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/
[3] https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/
Comments