A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims.
This happened earlier today and involved the Muhstik gang. Muhstik is a recent strain of ransomware that has been active since late September, according to reports [1, 2, 3].
This ransomware targets network-attached storage (NAS) devices made by Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service, according to a security advisory published by the company last week.
After gaining access to the phpMyAdmin installation, Muhstik operators encrypt users' files and save a copy of the decryption keys on their command and control (C&C) server. QNAP files encrypted by Muhstik can be recognized by each file's new ".muhstik" file extension.
Annoyed software dev hacks back
One of the gang's victims was Tobias Frömel, a German software developer. Frömel was one of the victims who paid the ransom demand so he could regain access to his files.
However, after paying the ransom, Frömel also analyzed the ransomware, gained insight into how Muhstik operated, and then retrieved the crooks' database from their server.
Besides releasing the decryption keys, the German developer also published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are avaiable on the Bleeping Computer forum.
In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter's availability, advising users against paying the ransom.
Frömel did not want to comment further for this article besides the Pastebin post. A security researcher who saw Frömel's work told ZDNet that he notified authorities and also provided information about the Muhstik gang in the hopes of aiding authorities track down the hackers.