Muhstik ransomware is the cryptovirus that targets NAS devices and demands at least 0.045 BTC for the recovery but can be decrypted

This Muhstik ransomware virus can be decrypted thanks to this discovery and hack-back, also QNAPCrypt malware affected files can be decrypted since August. Windows devices can be decrypted with the Emisoft decryptor tool listed below the article with all the needed instructions since there is a need to specify ransom note on the computer to automatically get the decryption key. Many victims already reported that they had recovered .muhstik marked files using this tool. However, you should also remember to clean the machine entirely so that infection repetition can be avoided.
| Name | Muhstik ransomware |
|---|---|
| Type | Cryptovirus |
| Devices affected | NAS storage devices made by QNAP |
| Family | QNAPCrypt malware or eCh0raix ransomware is the primary virus that this threat emerges from |
| File marker | .muhstik gets added on every file when AES algorithm helps to locke them during the initial encryption process |
| Ransom note | README_FOR_DECRYPT.txt is the file that shows initial ransom message, but other websites also display the instructions and ransom-demanding text |
| Ransom amount | Ranges, but mainly go around 0.045 Bitcoin. Can be increased to 0.09BTC when the victim waits to pay the criminals |
| Distribution | The brute force used to spread this malware and affect NAS devices. Weak passwords for the built-in phpMyAdmin service get used to gain access on the targeted system and other system vulnerabilities |
| Elimination | Anti-malware programs and other security tools are needed to eliminate the malware traces and remove Muhstik ransomware completely. Get a tool like FortectIntego for the cleaning |
| Decryptable? | YES. This virus is decryptable with either this tool or the automatic QNAP NAS decrypter. (Both links redirect you to downloads) |
Muhstik ransomware starts encryption on QNAP NAS devices when the payload file gets on the system. The malware first checks the system language because when the user is from Russian, Belarus, or Ukraine encryption doesn't start. This is common when malware creators don't want to affect people in particular countries due to criminal penalties.
Files affected by the Muhstik ransomware differ in formats, and it appears that are more than 400 extensions included in the format list. Microsoft documents, OpenOffice files, PDFS, photos, music files, audio files, or even configuration files and databases, backups get encrypted and locked. However, proc, boot, sys, ru, dev, and home folders get skipped during the encryption.
When this is done, Muhstik ransomware delivers a ransom note in README_FOR_DECRYPT.txt file that gets added on the desktop and displays the following message:
All your files have been encrypted.
You can find the steps to decrypt in any the following links:
hxxp://13.234.89.185/.unlock/payment/[victim's_ID] Could go offline at any time
hxxp://51.38.231.30/.unlock/payment/[victim's_ID] Could go offline at any timeOr use TOR link, guaranteed Online 100% of the time:
hxxp://5mngytmdpeyyp6xk.onion/payment/[victim's_ID] Use TOR browser to access .onion websites.
hxxps://duckduckgo.com/html?q=tor+browser+how+toDo NOT remove this file and DO NOT remove the last line in this file!
Your ID:
Also, Muhstik ransomware shows these instructions once the victim goes to payment site via the provided links:
Your files have been encrypted, to recover them you need the decryption software and your private key. You can buy both of them for 0.045 Bitcoin.
Time left for payment:
1 day 17 hours 4 minutes 14 seconds
After this time decryption software cost will be increased to 0.09 BTC.
Find where to get Bitcoin here:
blockchain.info
localbitcoins.com
google.com
Send 0.045 BTC to the following address:
133Y64UxdzREJqYjxXxR3qebbgafpq5FG1
ONLY SUBMIT YOUR EMAIL AFTER YOU SENT THE BTC.
If you submit your email before sending the payment your amount will be instantly doubled!
After payment enter your real email address to get the decryptor software.
Enter a valid email address
Your decrypted demo file is ready to download, open the following link.
http://13.233.53.172/.cache/download/9cc32d5a-8fd4-4ee7-b34b-ed6042b51375-split-IMG_20160608_111553.jpg
You can see that the ransom amount may differ depending on the particular victim and even changes throughout time. Muhstik ransomware developers can change the amount from the beginning when the targeted device contains valuable data, or the victim is somewhat important.
However, there is no need to pay the ransom when Muhstik ransomware removal has better options for you. This threat can harvest your data, steal valuable credentials from the machine directly or save some important files, malware hijacks personal data, and can use that in later scams and campaigns.

Since you can remove Muhstik ransomware and manage to get your files decrypted, you should go straight to saving your files and react to the infection as soon as possible. This malware can spread other infections and use different techniques for that, so get an anti-malware tool or FortectIntego and run a full scan on the machine to eliminate the traces.
Muhstik ransomware drops its malicious script and distributes other malware to ensure the persistence, so extortionists behind the threat can make a profit. Also, the threat alters particular settings on the machine, so processes running on the system can be interfered with and disabled.
This is how Muhstik ransomware manages to disable your antivirus tools, security software. For that reason, we recommend going the Safe Mode route before you rely on the AV tool for initial cleaning. Rebooting the machine in this mode helps to smoothly scan the machine and remove all the traces of malware.
Muhstik ransomware virus can also erase your files or Shadow Volume Copies to keep the data recovery difficult. For that, you have other options. Of course, decryption tools that are free can restore your files, but we have listed other alternatives below for you to try. Experts[3] provide many options for everyone, so you can get back to the safe device.
Malware relies on security flaws and vulnerabilities like weak passwords
It is known that malware targets network storage devices and uses brute force to get access and start the encryption process. Security flaws, weak passwords for the admin service gets easily used by attackers to get on the machine that is targeted for encryption. Once the payload file is loaded on the system, encryption starts immediately, and data become locked, marked with according appendix.
Virus code is delivered on the machine by using other methods too. Malware attacks can bypass security mechanisms, routers, firewalls, and detection tools. Tactics like phishing campaigns, infected files from spam emails, or file-sharing networks can also lead to the same infection.
You need to take these risks into consideration and stay away from illegal file sharing, cracked software, games, and programs. Keep the machine virus-free by scanning it more often using anti-malware tools and delete emails that appear suspicious without even opening.
Muhstik ransomware virus elimination tips and file recovery tips
Crypto malware that spreads on different systems, across platforms, and so on can differ one from the other, but there are many features that Muhstik ransomware virus and typical ransomware have. The encryption is focused on common files, and system folders are left untouched, for example.
However, system files get affected in different ways when malware disables programs, functions, and adds files or applications that run in the background without your permission. This is why many experts and researchers more recommend the automatic Muhstik ransomware removal process.
This is why we recommend choosing the anti-malware tool wisely and proceed to remove Muhstik ransomware from the machine. This is how you can fix the damage and eliminate this threat without corrupting crucial parts of the system. FortectIntego, SpyHunterCombo Cleaner,or MalwarebytesMalwarebytes are the applications needed for this job.
Was this guide helpful?
Be the first to comment