The Ziggy ransomware operation has shut down and released the victims’ decryption keys, citing concerns about recent law enforcement actions and guilt over encrypting victims.
Over the weekend, security researcher M. Shahpasandi told BleepingComputer that the Ziggy ransomware administrator had announced on Telegram that they would shut down operations and release all the decryption keys.
In an interview with BleepingComputer, the ransomware administrator said that they created ransomware to generate money since they live in a “third world country.”
After feeling guilty about their actions, and out of concern over the recent law enforcement actions against Emotet and the Netwalker ransomware, the administrator decided to shut down and release all the keys.
Today, the Ziggy ransomware administrator released a SQL file containing 922 decryption keys for victims. For each victim, the SQL file lists the three keys needed to decrypt that victim’s encrypted files.
The ransomware administrator also released a decryptor [VirusTotal] which victims can use with the keys listed in the SQL file.
In addition to the decryptor and the SQL file, the ransomware administrator shared with BleepingComputer the source code of another decryptor that contains the offline decryption keys.
Ransomware operations use offline decryption keys for victims who were infected while not connected to the Internet, or while the command and control server was unavailable.
The ransomware administrator also shared these files with ransomware expert Michael Gillespie, who told BleepingComputer that Emsisoft would soon release a decryption program.
“The release of the keys, either voluntarily or involuntarily, is the best possible outcome. This means that previous victims can recover their data without having to pay a ransom or use the dev’s decryption program, which may include a backdoor and/or error. Of course, this also means that there is a smaller ransomware group to worry about.”
“The recent arrest of individuals linked to the Emotet and Netwalker operation could lead to some actors getting cold feet. In that case, we can see more groups stopping operating and handing over the keys. Fingers crossed,” Emsisoft’s Brett Callow told BleepingComputer.
While the ransomware administrator appears sincere in their intent to shut down and release the keys, BleepingComputer always recommends waiting for a decryptor from a security company rather than using one provided by the threat actor.
Last week, the Fonix ransomware operation also shut down, releasing its keys and a decryptor. The Ziggy administrator told BleepingComputer that they are friends with the Fonix ransomware group and are from the same country.