After recently announcing the end of the operation, the administrator of Ziggy ransomware is now stating that they will also give the money back.

It appears that this is a planned move since the admin shared the “good news” a little over a week ago, but gave no details.

Shutdown followed by money-back move

Ziggy ransomware shut down in early February. In a short announcement, the administrator of the operation said that they were “sad” about what they did and that they “decided to publish all decryption keys.”

They followed through the next day, on February 7, offering an SQL file with 922 decryption keys that victims could use to unlock their files.

The admin also made available a decryption tool to make the process easier, along with the source code for a decryptor that does not need an internet connection to work.

On March 19, the Ziggy ransomware administrator said that they also wanted to return the money to the victims that paid the ransom. Today, after a week of silence, the admin said that they were ready to revert payments.

Victims should contact the admin at a given email address ([email protected]) with the proof of their payment in bitcoin and the computer ID, and the money would be returned to the victim’s bitcoin wallet in about two weeks.

Returning the ransom and making a profit

Ransomware victims get a ransom note with instructions on how to contact cybercriminals to negotiate a payment. Typically, the payment is negotiated in fiat but paid in Bitcoin.

Bitcoin price has been on ascending route for the past three months, and its price at the moment of writing is close to $55,000.

On the day Ziggy ransomware decryption keys became public, Bitcoin price was around $39,000. Five days before the admin announced that they would return the money, Bitcoin spiked above $61,000. Given the price difference, the admin makes a profit at the current Bitcoin price.

The Ziggy ransomware administrator told BleepingComputer that they lived in a “third-world country” and that their motivation for creating the locker was financial.

The admin’s recent actions seem to be driven by guilt and the worry that law enforcement might get them, given the disruption of much larger operations like Emotet and Netwalker ransomware.