Programmer hacked Muhstik ransomware server and issued decryption keys

A German programmer took revenge on the Muhstik ransomware group, which had encrypted his files, by hacking their server and releasing decryption keys for all of the other victims.

This cyber vendetta took place on the morning of October 7. Muhstik is reportedly a relatively new ransomware strain that has been active since late September.

This ransomware targets network-attached storage (NAS) devices made by the Taiwanese hardware vendor QNAP. According to a security advisory the company published last week,

“the gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service”, reports QNAP's security team.

After gaining access to the phpMyAdmin installation, the Muhstik operators encrypt user files and store a copy of the decryption keys on their command-and-control (C&C) server. Files encrypted by Muhstik on QNAP devices are identified by the .muhstik extension.
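A defender-side check that follows from the two paragraphs above, written as an added example rather than code from the article or from QNAP: it parses constructed Apache-style access-log lines, flags source addresses that POST to the phpMyAdmin login page many times within a short window (the login path /phpMyAdmin/index.php, the threshold and the window are assumptions, as is the combined log format), and filters a file listing for the .muhstik extension that marks encrypted files.

```python
"""Spot password-guessing bursts against a phpMyAdmin login in web access
logs, and list files carrying the .muhstik extension for triage.

Added example; not code from the article or from QNAP. Assumes combined-format
access logs and the default /phpMyAdmin/ install path.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/phpMyAdmin/index.php"   # assumed default install path

# Constructed sample log (not a real QNAP log): 12 login POSTs from one source
# inside 33 seconds, a normal interactive login from another, and one junk line.
SAMPLE_LOG = [
    f'203.0.113.7 - - [07/Oct/2019:06:01:{s:02d} +0000] '
    f'"POST /phpMyAdmin/index.php HTTP/1.1" 200 1532'
    for s in range(0, 36, 3)
] + [
    '198.51.100.4 - - [07/Oct/2019:06:05:10 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 9870',
    '198.51.100.4 - - [07/Oct/2019:06:05:41 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [07/Oct/2019:06:05:42 +0000] "GET /phpMyAdmin/index.php?route=/ HTTP/1.1" 200 22310',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?")[0],   # drop the query string
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: attempts} for sources that POSTed to the login page at least
    `threshold` times inside some `window`-long sliding window.

    phpMyAdmin answers a failed login with HTTP 200 and the form again, so the
    status code is not a usable signal; the rate of login POSTs is.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            posts[rec["ip"]].append(rec["ts"])

    hits = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def muhstik_files(paths):
    """Filter a file listing down to entries carrying the .muhstik extension."""
    return [p for p in paths if p.lower().endswith(".muhstik")]


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible phpMyAdmin brute force from {ip}: {n} login POSTs in 60s")
    print(muhstik_files(["/share/Photos/a.jpg.muhstik", "/share/Docs/b.txt"]))
```

The sliding window keeps the check independent of how the attempts are spread across the log, and the junk line shows that unparseable input is skipped rather than crashing the scan. On a NAS that does not need phpMyAdmin exposed at all, disabling the service removes the attack surface this check watches.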

One of the gang's victims was Tobias Frömel, a German software developer. Frömel paid the ransom the criminals demanded in order to regain access to his files.

However, after paying the ransom and receiving the key, Frömel analyzed the ransomware, worked out how Muhstik operates, and then retrieved the attackers' database from their server.

“I know it was not legal from me, but I’m not the bad guy here”, the researcher wrote in a text file he published today on Pastebin. The file contains 2858 decryption keys.

In addition to releasing the decryption keys, the German developer also published a decryptor that all Muhstik victims can use to unlock their files.

The decryptor is available on MEGA [VirusTotal scan], and usage instructions are available on the Bleeping Computer forum.


Frömel meanwhile notified Muhstik victims on Twitter that the decryptor is available, advising users never to pay the ransom.

Although Frömel’s actions were not entirely legal, it is unlikely that he will be prosecuted for breaking into a cybercriminal server and helping thousands of victims. Even so, security researchers are advised to work with law enforcement in such cases, as Avast did with the French police to dismantle the Retadup botnet.

This is the third ransomware strain discovered this year that targets NAS devices, after eCh0raix and an unnamed strain aimed at Synology devices. Recall that a free decryptor for eCh0raix victims was released in August.

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
