Ziggy ransomware hackers shut down their operations for fear of being imprisoned; retrieve your information without paying the ransom

The operators of the Ziggy ransomware variant have announced the shutdown of their infrastructure and the publication of decryption keys for all versions of the malware, meaning that victims of this cybercriminal group will be able to regain access to their information without having to make any payment to the hackers. According to cybersecurity expert M. Sjahpasandi, the announcement was made through the hackers’ Telegram channel.

La imagen tiene un atributo ALT vacío; su nombre de archivo es ziggy01.jpg

In this communication channel Ziggy’s main administrator mentioned that they created the malware as a way to generate revenue in a third-world country that was not named. On their decision, the alleged hacker mentions that, in addition to beginning to feel guilty about these actions, they thought about the actions taken by law enforcement agencies against other ransomware groups and concluded that it was best for them to stop operating the malware.

As mentioned above, the malware operator published a SQL file, with almost a thousand decryption keys corresponding to each victim of this attack. Each infected system requires three keys, so it is estimated that there are between 300 and 350 victims of the Ziggy ransomware.

La imagen tiene un atributo ALT vacío; su nombre de archivo es ziggy02.jpg

Malware operators also released a decryption tool to fully regain access to affected systems. The tool is available in VirusTotal.

La imagen tiene un atributo ALT vacío; su nombre de archivo es ziggy03.jpg

Additionally, the operator also announced the publication of the source code of a second decryption tool containing additional keys, also known as “offline” keys. Offline keys are used to decrypt ransomware-infected systems that do not have an internet connection or cannot connect to the hackers’ C&C server correctly.

La imagen tiene un atributo ALT vacío; su nombre de archivo es ziggy04.jpg

Finally, Ziggy administrators shared some of their files with Michael Gillespie, a renowned ransomware researcher, who in turn created a decryption tool using the keys published by the hackers.

La imagen tiene un atributo ALT vacío; su nombre de archivo es ziggy05.jpg

Although the intentions of the creator of this ransomware appear to be legitimate, cybersecurity experts recommend that victims use the decryption tools created by security firms: “The release of this information is great news for victims as they will be able to retrieve their information without paying a ransom or employing the decryption tools of the hackers, which might contain additional malware or even a backdoor,” Gillespie says.

This is not the only hacking group that has made a similar decision. A few days ago the operators of the Fonix ransomware also decided to close their trades and publish the decryption keys; it is mentioned that Emotet, an allied ransomware group, will make the same decision soon. Experts believe this is due to actions taken against operators of other variants such as Emotet and Netwalker.