The Ziggy ransomware shuts down and releases victims’ decryption keys


The Ziggy ransomware operation has shut down and released the victims’ decryption keys, citing concerns over recent law enforcement activity and guilt over encrypting victims.

Over the weekend, security researcher M. Shahpasandi told BleepingComputer that the administrator of the Ziggy Ransomware announced on Telegram that it was terminating its operation and would release all decryption keys.

Termination announcement by the Ziggy administrator

In an interview with BleepingComputer, the ransomware administrator said they created the ransomware to generate money because they live in a “third world country”.

After feeling guilty about their actions, and worried by the recent law enforcement operations against Emotet and the Netwalker ransomware, the administrator decided to shut down and release all keys.

Today, the administrator of the Ziggy ransomware posted an SQL file containing 922 decryption keys for encrypted victims. For each victim, the SQL file lists the three keys needed to decrypt that victim’s encrypted files.

SQL file containing Ziggy decryption keys

The ransomware administrator also posted a decryptor [VirusTotal] that victims can use with the keys listed in the SQL file.

Ziggy ransomware decryptor

In addition to the decryptor and the SQL file, the ransomware administrator shared the source code of a different decryptor with BleepingComputer which contains offline decryption keys.

Ransomware uses offline decryption keys for victims that were encrypted while the machine was not connected to the Internet or while the command and control server was unreachable, so that no per-victim key could be retrieved from the server at the time of encryption.

Source code for different Ziggy ransomware decryptors

The ransomware administrator also shared these files with ransomware expert Michael Gillespie, who told BleepingComputer that Emsisoft would be releasing a decryptor soon.

“Releasing the keys, voluntarily or involuntarily, is the best possible outcome. This means that previous victims can recover their data without the need to pay the ransom or use the developer’s decryptor, which may contain a back door and / or bugs. And, of course, it also means that there is one less group of ransomware to worry about.”

“The recent arrest of individuals associated with Operation Emotet and Netwalker may be making some actors afraid. If so, we could see more groups disrupting operations and handing over their keys. They crossed their fingers,” Brett Callow of Emsisoft told BleepingComputer.

Although the ransomware administrator appears to be sincere in their intention to shut down and release the keys, BleepingComputer always recommends waiting for a security company’s decryptor instead of using one provided by the threat actor.

Last week, the Fonix ransomware operation also shut down and released its keys and a decryptor. The Ziggy administrator told BleepingComputer that they are friends with the Fonix ransomware group and are from the same country.
