A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims.
This ransomware targets network-attached storage (NAS) devices made by Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service, according to a security advisory published by the company last week.
After gaining access to the phpMyAdmin installation, Muhstik operators encrypt users’ files and save a copy of the decryption keys on their command and control (C&C) server. QNAP files encrypted by Muhstik can be recognized by each file’s new “.muhstik” file extension.
Annoyed software dev hacks back
One of the gang’s victims was Tobias Frömel, a German software developer. Frömel was one of the victims who paid the ransom demand so he could regain access to his files.
However, after paying the ransom, Frömel also analyzed the ransomware, gained insight into how Muhstik operated, and then retrieved the crooks’ database from their server.
“I know it was not legal from me,” the researcher wrote in a text file he published online on Pastebin earlier today, containing 2,858 decryption keys.
“I’m not the bad guy here,” Frömel added.
Free decryption method now available
Besides releasing the decryption keys, the German developer also published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are avaiable on the Bleeping Computer forum.
In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter’s availability, advising users against paying the ransom.