Ransomware hackers want to return Bitcoin — but they’ll keep the change


Two months after an apparent change of heart, the hacker crew behind the Ziggy ransomware want to refund extorted Bitcoin, reports BleepingComputer.

Ziggy was a straightforward ransomware campaign that used malware to lock victims’ files until they paid a Bitcoin ransom.

Those targeted received an email containing a step-by-step guide on how to pay up. According to reported copies of the email, the exact size of the Bitcoin payment would depend on how quickly victims responded.

Ziggy’s ransom email. Credit: Michael Gillespie

Ziggy was apparently highly prolific. The crew released 922 keys online in February, the implication being that each one represented a different victim.

According to a Telegram message shared by BleepingComputer, the extortionists revealed they’d be shutting down their operations last month.

“Hi. I am the Ziggy ransomware administrator. We decided to publish all decryption keys. We are very sad about what we did. As soon as possible, all the keys will be published in this channel,” reads the message.

Ziggy hackers in line to profit even after Bitcoin refunds

It’s likely that something other than a sense of regret led to the Ziggy crew’s purported conscience. As noted by BleepingComputer, authorities recently shut down a larger botnet operation with serious consequences for those involved.

But while Ziggy may be handing out decryption keys and returning extorted Bitcoin, they still stand to make a tidy profit as a result of their conditions.

  • The scammers are offering to refund the value of the ransom when it was paid, rather than the raw amount of BTC extorted.
  • Bitcoin currently trades for over $56,000 after rising for months — it’s 40% above where it traded just weeks ago.
  • This means Ziggy’s masterminds could walk away with a substantial profit even after the “refunds.”

To get back their Bitcoin, the Ziggy crew says victims need to email [email protected] with proof of their Bitcoin payment and the funds will be deposited within two weeks.

However, Protos advises caution when interacting with that email address, whether you’re a victim or otherwise.


While there are many reports of individuals getting hit by Ziggy, hackers have forced a surprisingly large number of major companies into paying Bitcoin ransoms over the past two years.

Last year, Travelex paid $2.3 million to regain control of its networks and smartwatch maker Garmin handed over millions in crypto to recover files held by hacking crew Evil Corp.


© 2021 Protos