White-hat hacks Muhstik ransomware gang and releases decryption keys

ZDnet posted an article about a fantastic example of the white hacks striking back. Long story short, a white hat hacked back and posted the decryption keys for a ransomware varient. The original post by ZDnet can be found HERE.

A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims.

This happened earlier today and involved the Muhstik gang. Muhstik is a recent strain of ransomware that has been active since late September, according to reports [1, 2, 3].

This ransomware targets network-attached storage (NAS) devices made by Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service, according to a security advisory published by the company last week.

After gaining access to the phpMyAdmin installation, Muhstik operators encrypt users’ files and save a copy of the decryption keys on their command and control (C&C) server. QNAP files encrypted by Muhstik can be recognized by each file’s new “.muhstik” file extension.

Annoyed software dev hacks back

One of the gang’s victims was Tobias Frömel, a German software developer. Frömel was one of the victims who paid the ransom demand so he could regain access to his files.

However, after paying the ransom, Frömel also analyzed the ransomware, gained insight into how Muhstik operated, and then retrieved the crooks’ database from their server.

“I know it was not legal from me,” the researcher wrote in a text file he published online on Pastebin earlier today, containing 2,858 decryption keys.

“I’m not the bad guy here,” Frömel added.

Free decryption method now available

Besides releasing the decryption keys, the German developer also published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are avaiable on the Bleeping Computer forum.

In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter’s availability, advising users against paying the ransom.

Frömel did not want to comment further for this article besides the Pastebin post. A security researcher who saw Frömel’s work told ZDNet that he notified authorities and also provided information about the Muhstik gang in the hopes of aiding authorities track down the hackers.

Despite Frömel’s actions being against the law, it’s very unlikely that he’ll be prosecuted for hacking back the Muhstik gang and helping thousands of victims. However, security researchers are advised to work with authorities when hacking back, similar to how Avast worked with French police to take down the Retadup botnet.

This is the third ransomware strain that has been spotted this year targeting NAS devices, after eCh0raix and another unnamed strain targeting Synology devices. A free decrypter was released for eCh0raix victims in August.

Frömel’s quotes have been edited for proper spelling.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.