Victim Who Paid Bitcoin Ransom Turns the Tables on His Attackers


Tobias Fromel, a victim of the Muhstik ransomware, has hacked back his attackers and released close to 3,000 decryption keys for other victims, along with a free decryptor so they can recover their files.

Muhstik Ransomware

Muhstik ransomware has been targeting QNAP Network Attached Storage (NAS) devices since the end of September.

The ransomware gains access to devices by brute-forcing login credentials and then encrypts the files on them. Victims are asked to pay a ransom of 0.09 bitcoin, approximately $700 USD at the time, to get their files back.

How did Tobias Fromel attack back?

Tobias Fromel, a German software developer, was hit by the Muhstik gang and paid a ransom of 670 euros (US $735) to regain access to his files.

Rather than simply putting the unpleasant experience behind him, Fromel decided to hack the very people responsible for the attack.

As soon as he had decrypted his own data, Fromel analysed the ransomware that had infected his drive, studied how it operated, hacked back and retrieved the criminals' "whole database with keys".

Fromel told Bleeping Computer that the server contained web shells that gave him access to the PHP script that generates the password for each new victim. He used the same web shell to create a new PHP file based on that key generator and ran it to output the HWIDs, which are unique per victim, together with the decryption keys for the 2,858 Muhstik victims stored in the database.

Free decryption method for Muhstik victims

After releasing the decryption keys, Fromel published a decrypter that lets Muhstik ransomware victims recover their files. The decrypter is available on MEGA (with a VirusTotal scan), and usage instructions are on the Bleeping Computer forum.

Fromel has been busy notifying Muhstik victims on Twitter of the decrypter's availability and advising them not to pay the ransom.

According to The Next Web, the anti-virus firm Emsisoft tested Fromel's decryption tool and found that it did not work properly on ARM-based QNAP devices, so anyone recovering such a device from a Muhstik attack should use Emsisoft's own tool instead. Check the architecture of the NAS before choosing which decrypter to run.

QNAP has issued a security advisory on Muhstik ransomware with steps to prevent infection.
