Ziggy Ransomware Gang Offers Victims Ransom Refunds
Experts Question Whether the Offer Is Legitimate or a Publicity Stunt
The now-defunct Ziggy ransomware gang is reportedly offering to return the ransoms it collected, but some security experts question whether the offer is legitimate or a publicity stunt.
Paul Prudhomme, a former U.S. Department of Defense analyst who's now a cyberthreat adviser with IntSights, notes there is no way to tell for certain that the gang is, in fact, returning the money. And even if it does, the gang says it will return what it originally stole in bitcoin based on the value of the digital currency at the time.
"I would note that, due to the increase in bitcoin's value since Ziggy went offline, Ziggy operators would still be keeping a profit, since they are returning ransom amounts based on their previous value in fiat currency at the time," Prudhomme says.
The value of a bitcoin has almost doubled since Jan. 1, hitting about $57,000 as of Wednesday, according to Coindesk.
Security researcher Mohammad Shahpasandi found and then tweeted the post that announced the Ziggy gang's refund policy, which requires only that a victim email the gang the ransom receipt they received in order to get their money back.
"To all #Ziggy ransomware victims who paid money:
Contact firstname.lastname@example.org for giving your money back. @BleepinComputer @malwrhunterteam @demonslay335"
— M. Shahpasandi (@M_Shahpasandi) March 28, 2021
The Experts Weigh In
Frank Downs, a former U.S. National Security Agency offensive threat analyst who's now a director at the security firm BlueVoyant, says that so far, he has not heard of any companies taking up Ziggy's offer. He warns, however, that criminals have used similar tactics in the past to prolong and solidify their relationships with victims.
Mike Hamilton, a former vice-chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, calls the move a publicity stunt.
"The 'refunds' are probably being given to recent victims for the sake of optics," says Hamilton, who is now the CISO of CI Security. "It is not likely that this will stave off law enforcement action, but it may delay it."
Ziggy's Recent History
In February, the Ziggy gang announced it was exiting the ransomware business, citing remorse over its actions and a fear of being arrested and prosecuted. At the time, it released 922 decryption keys to help its victims decrypt their files.
"I am not aware of any precedent for ransomware operators returning ransom payments to victims after going out of business," Prudhomme says. "Some ransomware operators do, however, release decryption tools for their ransomware, but only because they are moving to a new ransomware payload and want to force their affiliates and associates to buy into their new ransomware."
Downs also doubts the Ziggy gang's altruism, pointing out the supposed "refunds" do not include reimbursement for other expenses incurred by the victims due to the attacks.
"For many victims, the damage is done as they have been unable to access the encrypted data for months at this point," he says.
Avoiding the Law
The Ziggy gang "is most likely badly mistaken if it believes releasing the decryptor keys and refunding ransoms will convince law enforcement to leave them alone," Downs says. "I do not think it matters what the true motives and practical outcomes of these 'refunds' are - I highly doubt it would change the penalties that these hackers would experience, should they be caught."
Prudhomme, however, is willing to give the Ziggy gang some credit for making the right choice and leaving its criminal behavior behind. He says the takedowns of other ransomware gangs by the police may have convinced the Ziggy gang to see the error of its ways.
"They might have concluded that the tide was changing and that they were better off on the other side," Downs says. "Some criminals are gray hats who operate in both criminal circles and legitimate security work, and they might change their priorities based on circumstances."
Individuals suspected of being affiliates of the Egregor ransomware-as-a-service operation were arrested in Ukraine in February. The FBI warned that Egregor and its affiliates claimed to have compromised approximately 150 corporate networks in the U.S. and other countries. According to cybersecurity firm Group-IB, some of the gang's ransom demands were as high as $4 million (see: Suspected Egregor Ransomware Affiliates Busted in Ukraine).