
posted by chromas on Thursday October 10 2019, @02:39AM

Muhstik Ransomware Victim Hacks Back, Releases Decryption Keys

Since the end of September, an attacker has been hacking into publicly exposed QNAP NAS devices and encrypting the files on them. This ransomware has been named Muhstik based on the .muhstik extension appended to encrypted files.

The attacker would then demand 0.09 bitcoins, or approximately $700 USD, for a victim to get their files back.

After paying a ransom of €670, a victim named Tobias Frömel said enough is enough, and hacked back the attacker's command and control server.

Frömel told BleepingComputer that the server contained web shells that allowed him to get access to the PHP script that generates passwords for a new victim. The relevant portion of the PHP script from the command and control server that generates a key and inserts it into the database can be seen below.

Frömel told us that he used the same web shell to create a new PHP file based on the key generator and used it to output the HWIDs, which are unique per victim, and decryption keys for the 2,858 Muhstik victims stored in the database.

The HWIDs and their associated decryption keys were then shared with the victims in BleepingComputer's Muhstik support and help topic and with victims on Twitter. This post includes a link to the keys on Pastebin and a free decryptor uploaded to Mega.


  • (Score: 0) by Anonymous Coward on Thursday October 10 2019, @04:57AM (#905058)

    Do you believe criminals who have already committed crimes and violated laws will respect the law you refer to?