White-hat hacks Muhstik ransomware gang and releases decryption keys

Annoyed victim hacks back ransomware gang and releases all their decryption keys, along with a free decrypter.

Muhstik

Image: ZDNet

A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims.

This happened earlier today and involved the Muhstik gang. Muhstik is a recent strain of ransomware that has been active since late September, according to reports [1, 2, 3].

This ransomware targets network-attached storage (NAS) devices made by Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service, according to a security advisory published by the company last week.

After gaining access to the phpMyAdmin installation, Muhstik operators encrypt users' files and save a copy of the decryption keys on their command and control (C&C) server. QNAP files encrypted by Muhstik can be recognized by each file's new ".muhstik" file extension.

Annoyed software dev hacks back

One of the gang's victims was Tobias Frömel, a German software developer. Frömel was one of the victims who paid the ransom demand so he could regain access to his files.

However, after paying the ransom, Frömel also analyzed the ransomware, gained insight into how Muhstik operated, and then retrieved the crooks' database from their server.

"I know it was not legal from me," the researcher wrote in a text file he published online on Pastebin earlier today, containing 2,858 decryption keys.

"I'm not the bad guy here," Frömel added.

Free decryption method now available

Besides releasing the decryption keys, the German developer also published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are avaiable on the Bleeping Computer forum.

In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter's availability, advising users against paying the ransom.

muhstik-battleck.png

Image: ZDNet

Frömel did not want to comment further for this article besides the Pastebin post. A security researcher who saw Frömel's work told ZDNet that he notified authorities and also provided information about the Muhstik gang in the hopes of aiding authorities track down the hackers.

Despite Frömel's actions being against the law, it's very unlikely that he'll be prosecuted for hacking back the Muhstik gang and helping thousands of victims. However, security researchers are advised to work with authorities when hacking back, similar to how Avast worked with French police to take down the Retadup botnet.

This is the third ransomware strain that has been spotted this year targeting NAS devices, after eCh0raix and another unnamed strain targeting Synology devices. A free decrypter was released for eCh0raix victims in August.

Frömel's quotes have been edited for proper spelling.

Updated on October 8 to add link to a professional decrypter made by cybersecurity firm Emsisoft.