[BreachExchange] Ziggy Ransomware Gang Offers Victims Ransom Refunds

Destry Winant destry at riskbasedsecurity.com
Fri Apr 9 10:20:59 EDT 2021


https://www.databreachtoday.com/ziggy-ransomware-gang-offers-victims-ransom-refunds-a-16354

The now-defunct Ziggy ransomware gang is reportedly offering to return
the ransoms it collected, but some security experts question whether
the offer is legitimate or a publicity stunt.

Paul Prudhomme, a former U.S. Department of Defense analyst who's now
a cyberthreat adviser with IntSights, notes there is no way to tell
for certain that the gang is, in fact, returning the money. And even
if it does, the gang says it will return what it originally stole in
bitcoin based on the value of the digital currency at the time.

"I would note that, due to the increase in bitcoin's value since Ziggy
went offline, Ziggy operators would still be keeping a profit, since
they are returning ransom amounts based on their previous value in
fiat currency at the time," Prudhomme says.

The value of a bitcoin has almost doubled since Jan. 1, hitting about
$57,000 as of Wednesday, according to Coindesk.

Security researcher Mohammad Shahpasandi found and then tweeted the
post that announced the Ziggy gang's refund policy, which only
requires a victim to email the gang the ransom receipt they received
to receive their money back.

The Experts Weigh In

Frank Downs, a former U.S. National Security Agency offensive threat
analyst who's now a director at the security firm BlueVoyant, says
that so far, he has not heard of any companies taking up Ziggy's
offer. He warns, however, that criminals have used similar tactics in
the past to prolong and solidify their relationships with victims.

Mike Hamilton, a former vice-chair of the Department of Homeland
Security's State, Local, Tribal, and Territorial Government
Coordinating Council, calls the move a publicity stunt.

"The 'refunds' are probably being given to recent victims for the sake
of optics," says Hamilton, who is now the CISO of CI Security. "It is
not likely that this will stave off law enforcement action, but it may
delay it."

Ziggy's Recent History

In February, the Ziggy gang announced it was exiting the ransomware
business, citing remorse over its actions and a fear of being arrested
and prosecuted. At the time, it released 922 decryption keys to help
its victims decrypt their files.

"I am not aware of any precedent for ransomware operators returning
ransom payments to victims after going out of business," Prudhomme
says. "Some ransomware operators do, however, release decryption tools
for their ransomware, but only because they are moving to a new
ransomware payload and want to force their affiliates and associates
to buy into their new ransomware."

Downs also doubts the Ziggy gang's altruism, pointing out the supposed
"refunds" do not include reimbursement for other expenses incurred by
the victims due to the attacks.

"For many victims, the damage is done as they have been unable to
access the encrypted data for months at this point," he says.

Avoiding the Law

The Ziggy gang "is most likely badly mistaken if it believes releasing
the decryptor keys and refunding ransoms will convince law enforcement
to leave them alone," Downs says. "I do not think it matters what the
true motives and practical outcomes of these 'refunds' are - I highly
doubt it would change the penalties that these hackers would
experience, should they be caught."

Prudhomme, however, is willing to give the Ziggy gang some credit for
making the right choice and leaving its criminal behavior behind. He
says the takedowns of other ransomware gangs by the police may have
convinced the Ziggy gang to see the error of its ways.

"They might have concluded that the tide was changing and that they
were better off on the other side," Downs says. "Some criminals are
gray hats who operate in both criminal circles and legitimate security
work, and they might change their priorities based on circumstances."

Individuals suspected of being affiliates of the Egregor
ransomware-as-a-service operation were arrested in Ukraine in
February. The FBI warned that Egregor and its affiliates claimed to
have compromised approximately 150 corporate networks in the U.S. and
other countries. According to cybersecurity firm Group-IB, some of the
gang's ransom demands were as high as $4 million (see: Suspected
Egregor Ransomware Affiliates Busted in Ukraine).
