News

Programmer hacked Muhstik ransomware server and issued decryption keys

The German programmer avenged the Muhstik ransomware group, which encrypted its files, by hacking their server and issuing decryption keys for all the other victims.

This cyber vendetta happened on October 7 in the morning and was linked to Muhstik. Muhstik is reportedly a relatively fresh ransomware software strain that has been active since late September.

This ransomware is designed to crack network-attached storage (NAS) made by Taiwanese hardware supplier QNAP. According to a security post released by the company last week,

“the gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service”, — reports QNAP security service.

After gaining access to the phpMyAdmin installation, Muhstik operators encrypt user files and save a copy of the decryption keys on their C&C server for management and control (C & C). Muhstik encrypted QNAP files are identified by the .muhstik extension.

One of the victims of the gang was Tobias Frömel, a German software developer. Frömel paid the ransom required by cybercriminals to turn down access to their files.

However, having paid the ransom and receiving the key, Tobias Frömel analyzed the methods of the ransomware, understood how Muhstik works, and then received a database of scammers from his server.

“I know it was not legal from me, but I’m not the bad guy here”, – the researcher wrote in a text file that he published today on the Pastebin website. File contains 2858 decryption keys.

In addition to issuing decryption keys, the German developer also published a decryptor that all Muhstik victims can use to unlock their files.

The decoder is available on MEGA [VirusTotal scan], and instructions for use are now available on the Bleeping Computer forum.

Read also: Muhstik Ransomware was hacked. Free keys for 2858 Muhstik victims

Tobias Frömel meanwhile informed the ransomware victims, notified the victims of the Muhstik ransomware on Twitter about the availability of the decryptor, advising users never pay the ransom.

Although Fremel’s actions are not entirely legal, it’s unlikely that he will be prosecuted for breaking into cybercriminal servers and helping thousands of victims. However, security researchers are advised to collaborate with the authorities on hacking, similar to how Avast worked with the French police to destroy the Retadup botnet.

This is the third ransomware strain discovered this year for NAS devices, after eCh0raix and another nameless strain for Synology devices. Recall that in August a free decryptor for victims of eCh0raix was released.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.

Recent Posts

Remove Kurlibat.xyz pop-up ads (Virus Removal Guide)

Kurlibat.xyz is a site that tries to trick you into clik to its browser notifications…

17 hours ago

Remove Initiateintenselyrenewedthe-file.top pop-up ads (Virus Removal Guide)

Initiateintenselyrenewedthe-file.top is a domain that tries to trick you into clik to its browser notifications…

17 hours ago

Remove Wotigorn.xyz pop-up ads (Virus Removal Guide)

Wotigorn.xyz is a site that tries to force you into subscribing to its browser notifications…

17 hours ago

Remove Initiateintenselyprogressivethe-file.top pop-up ads (Virus Removal Guide)

Initiateintenselyprogressivethe-file.top is a domain that tries to force you into clik to its browser notifications…

17 hours ago

Remove Nuesobatoxylors.co.in pop-up ads (Virus Removal Guide)

Nuesobatoxylors.co.in is a domain that tries to trick you into subscribing to its browser notifications…

21 hours ago

Remove Helistym.xyz pop-up ads (Virus Removal Guide)

Helistym.xyz is a site that tries to force you into clik to its browser notifications…

21 hours ago