Muhstik Ransomware Victim Hacks Back, Releases Decryption Keys
Since the end of September, an attacker has been hacking into publicly exposed QNAP NAS devices and encrypting the files on them. This ransomware has been named Muhstik based on the .muhstik extension appended to encrypted files.
The attacker would then demand 0.09 bitcoins, or approximately $700 USD, for a victim to get their files back.
After paying a ransom of €670, a victim named Tobias Frömel said enough is enough, and hacked back the attacker's command and control server.
Frömel told BleepingComputer that the server contained web shells that gave him access to the PHP script that generates passwords for each new victim. The relevant portion of the PHP script from the command and control server, which generates a key and inserts it into the database, can be seen below.
Frömel told us that he used the same web shell to create a new PHP file based on that key generator and ran it to output the HWIDs, which are unique per victim, and the decryption keys for the 2,858 Muhstik victims stored in the database.
The HWIDs and their associated decryption keys were then shared with the victims in BleepingComputer's Muhstik support and help topic and with victims on Twitter. This post includes a link to the keys on Pastebin and a free decryptor uploaded to Mega.
(Score: 0) by Anonymous Coward on Thursday October 10 2019, @04:57AM
Do you believe criminals who have already committed crimes and violated laws will respect the law you refer to?