Ransomware Admin: We’re sorry

In a stunning reversal, the Ziggy admin is now giving ransom money back to victims

Darth Vader. The Grinch. The Ziggy Admin. What do they all have in common? Once known as infamous agents of villainy, they all experienced one heck of a character arc after seeing the light. What caused this change of heart? It’s difficult to say for sure. Vader was turned back by the love of a son who chose to believe that there was still good inside of him, while Mr. Grinch was won over by the indomitable spirit of the Whoville residents when he grossly misjudged the source of their joy, causing his attempt to steal Christmas to fail miserably.

And the Ziggy admin? In early February, the cybercriminal operation announced that they were shutting down for good. They shared with Bleeping Computer that they had turned to crime because they lived in a developing country but that they were “very sad” about the crimes they had committed and had decided to release the encryption keys publicly for their victims. They also admitted that they were concerned about legal problems and the possibility of having the same fate as ransomware extortionists Emotet and Cyberwalker, who had recently been raided.

No other information was forthcoming, so it became a waiting game to see if Ziggy would make good on their promise. Many cyber-criminologists remained skeptical. Yet the Ziggy admin was true to their word, sort of. The next day they published the decryptor code, offering an SQL file with 922 decryption keys that victims could use to unlock their files, but they were loaded with malware. In addition to the keys, the admin also published a tool to make the process less complicated, along with the source code for a decryptor that does not need an internet connection to work.

They are not the first hackers to do a 180. Days before, the hacker group known as Fonix (aka Xonix and FonixCrypter) had made a similar announcement, stating that guilt had finally caught up with them and that releasing the decryptor keys would help to alleviate it. And in the past, other groups such as GandCrab, Shade, and TeslaCrypt have made similar turnarounds.

What makes Ziggy different is that in mid March, they announced that they would be refunding their victims the money paid for the ransom. It was a move that shocked many. Within a week of the unprecedented announcement, they stated they were ready to begin making restitution.

The Ziggy admin told Bleeping Computer that they would begin refunding the ransom in Bitcoin at the rate it was valued on the day that the ransom was paid. This means they are still making a tidy profit, given that the price of Bitcoin has been ascending for the last three months. On the day that Ziggy made the announcement, the price of Bitcoin was around $39,000. Five days later, it had jumped above $61,000.

The Ziggy admin insists, though, that they are not profiting, and have even had to put their house up for sale to pay for restitution. They have also stated that they are now going to start using their powers for good as “ransomware hunters.”

Maybe it’s not that surprising a move after all. Among cybercriminals, Ziggy was never considered a hardcore bad guy in comparison to others like the aforementioned Emotet, whose actions prompted a joint international strike force coordinated by the European Union to launch a crackdown that ended with the seizure of computers and arrests. Or Egregor, who shut down TransLink’s transportation system in Vancouver last year when ransom demands were not met.

Ziggy was more “old fashioned” in their crime sprees. They would encrypt files after hacking into a company’s records, but never actually stole them or threatened to sell them to the public if the ransom wasn’t paid.

So what do we make of all of this? Was it true repentance or a strategically timed ploy to escape punishment? We can’t really know the heart of a person, and this blogger will refrain from passing judgement. In the end, perhaps it’s enough that they’re going to refund the ransom money and try to be a force for good in the cyberworld.

All we can tell you is that an ounce of prevention is always better than a pound of cure. So if you have any lingering doubts about whether or not you’re protected against a ransomware attack, let us help with a free assessment today. Don’t count on the kindness of strangers!

If you’ve been the victim of a Ziggy ransomware attack, please reach out to the admin directly at ziggyransomware@secmail.pro with proof of your payment in Bitcoin and computer ID. It’s estimated that you’ll see a refund to your Bitcoin wallet in roughly two weeks.
