One of the victims of the Muhstik ransomware gang who initially paid the ransomware, decided to hack back the crooks and released their decryption keys.
Tobias Frömel, is a German software developer, who was a victim of the Muhstik ransomware. Frömel initially paid the ransom to decrypt his files, but later decided to get his revenge on the crooks.
The expert hacked the server used by the Muhstik ransomware gang and released the decryption keys for all the victims of the group.
Attackers first get access to the NAS devices through brute-force attacks on the built-in phpMyAdmin service, then encrypt their content and append the “.muhstik” extension to their filenames.
This ransomware targets network-attacked storage (NAS) devices made by Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service.
“The Muhstik ransomware is reportedly being used to target QNAP NAS devices. Devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attacks.” states the security advisory published by QNAP.
“We strongly recommend that users act immediately to protect their data from possible malware attacks.“
The developer published on Pastebin the 2,858 decryption keys found on the hacked server and clarified that he was aware that the hack back is not legal.
“hope you all got that decrypter execution file, if not i still have it and yeah, I know it was not legal from me,” wrote the researcher. “I’m not the bad guy here,”
Frömel also published a decrypter that could be used by the victims of the Muhstik ransomware to unlock their files.
In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter’s availability, advising users against paying the ransom.
According to ZDNet, which first reported the news, Frömel notified authorities and also provided information to track down members of the Muhstik gang.
This case highlights the importance of working with the authorization of law enforcement before conducting hacking back.
The post Developer hacked back Muhstik ransomware crew and released keys appeared first on Security Affairs.