Ziggy ransomware is turned off and the victims’ decryption keys are released


The Ziggy ransomware operation has shut down and released its victims' decryption keys, citing concerns about recent law enforcement actions and guilt over encrypting victims.

Over the weekend, security researcher M. Shahpasandi told BleepingComputer that the Ziggy ransomware administrator had announced on Telegram that they were discontinuing their operation and releasing all of the decryption keys.

Shutdown announcement by the Ziggy admin

In an interview with BleepingComputer, the ransomware admin said that they created the ransomware to generate money because they live in a ‘third world country’.

After feeling guilty about their actions, and worried by the recent law enforcement actions against Emotet and Netwalker ransomware, the admin decided to shut down and release all of the keys.

Today, the Ziggy ransomware admin posted a SQL file containing 922 decryption keys for encrypted victims. For each victim, the SQL file contains the three keys needed to decrypt their encrypted files.

SQL file containing Ziggy decryption keys

The ransomware admin also posted a decryptor [VirusTotal] that victims can use with the keys in the SQL file.

Ziggy ransomware decryptor

In addition to the decryptor and the SQL file, the ransomware admin shared with BleepingComputer the source code for a second decryptor, which contains the offline decryption keys.

Ransomware uses offline keys when the infected device is not connected to the internet or the command and control server cannot be reached; the files of victims encrypted that way are decrypted with those offline keys rather than with a per-victim key from the server.
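The key selection a recovery tool has to make follows directly from the two paragraphs above: a victim whose infection reached the C2 has a per-victim key set in the released SQL dump, while a victim infected offline must fall back to the key set embedded in the offline decryptor. The example below is added here and is not the Ziggy decryptor or any Emsisoft code; the table layout of the dump, the `victim_id` and `build_tag` names and every key value are constructed assumptions, since the page only states that the dump holds three keys per victim.

```python
import sqlite3
from typing import Dict, Optional, Tuple

KeySet = Tuple[str, str, str]

# Constructed sample of a released key dump. The real Ziggy file is a SQL
# dump with three keys per victim; this column layout is an assumption.
SAMPLE_DUMP = """
CREATE TABLE victims (
    victim_id TEXT PRIMARY KEY,
    key1 TEXT NOT NULL,
    key2 TEXT NOT NULL,
    key3 TEXT NOT NULL
);
INSERT INTO victims VALUES ('ID-1001', 'k1-aaa', 'k2-aaa', 'k3-aaa');
INSERT INTO victims VALUES ('ID-1002', 'k1-bbb', 'k2-bbb', 'k3-bbb');
"""

# Constructed offline key sets, keyed by a hypothetical build tag the sample
# would embed when it could not reach its C2. Placeholder values only.
OFFLINE_KEYS: Dict[str, KeySet] = {
    "build-offline-01": ("off1-xxx", "off2-xxx", "off3-xxx"),
}


def load_key_dump(sql_text: str) -> sqlite3.Connection:
    """Load a released SQL key dump into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(sql_text)
    return conn


def count_victims(conn: sqlite3.Connection) -> int:
    """Number of per-victim key sets in the dump (the article reports 922)."""
    return conn.execute("SELECT COUNT(*) FROM victims").fetchone()[0]


def keys_for_victim(
    conn: sqlite3.Connection,
    victim_id: str,
    build_tag: Optional[str] = None,
    offline_keys: Dict[str, KeySet] = OFFLINE_KEYS,
) -> Tuple[Optional[KeySet], str]:
    """Pick the key set for one victim.

    Returns (keys, source) where source is "online" when the victim ID was
    found in the dump, "offline" when the embedded offline keys apply, or
    "missing" when neither matches. The victim ID comes from an untrusted
    ransom note, so it is bound as a parameter, never interpolated into SQL.
    """
    row = conn.execute(
        "SELECT key1, key2, key3 FROM victims WHERE victim_id = ?",
        (victim_id,),
    ).fetchone()
    if row is not None:
        return (row[0], row[1], row[2]), "online"
    if build_tag is not None and build_tag in offline_keys:
        return offline_keys[build_tag], "offline"
    return None, "missing"


if __name__ == "__main__":
    db = load_key_dump(SAMPLE_DUMP)
    print("key sets in dump:", count_victims(db))
    print(keys_for_victim(db, "ID-1001"))
    print(keys_for_victim(db, "ID-9999", build_tag="build-offline-01"))
    print(keys_for_victim(db, "ID-9999", build_tag="unknown"))
```

A recovery tool built this way should trial-decrypt a single file before touching anything else, and treat a "missing" result as a signal to wait for the vendor decryptor rather than guess at keys.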

Source code for various Ziggy ransomware decryptors

The ransomware admin also shared these files with ransomware expert Michael Gillespie, who told BleepingComputer that Emsisoft would soon release a decryptor.

“Releasing the keys, whether voluntary or involuntary, is the best possible outcome. This means that past victims can retrieve their data without paying the ransom or using the developer’s decrypter, which leaves a backdoor and/or may contain errors. And, of course, that also means that there is one less ransomware group to worry about.”

“The recent arrest of individuals linked to the Emotet and Netwalker operations could cause some actors to get cold feet. If so, we could see more groups quitting and handing over their keys. Fingers crossed,” Brett Callow from Emsisoft told BleepingComputer.

Although the ransomware admin appears sincere in their intention to shut down and release the keys, BleepingComputer always recommends waiting for a decryptor from a security company rather than using one provided by the threat actor.

Last week, the Fonix ransomware operation also released its keys and a decryptor. Ziggy’s administrator told BleepingComputer that they are friends with the Fonix ransomware group and from the same country.
