White hat's revenge: Muhstik actors hacked back, decryption keys released

White hat hacker battleck hacked into Muhstik ransomware-used servers and released almost 3,000 decryption keys to public

Muhstik ransomware victim hacked back into crooks' database and recovered almost 3,000 keys for file decryption

Tobias Frömel, a programmer from Germany, had some good news for Muhstik ransomware^[1] victims: he managed to breach malware's Command & Control servers and recover almost 3,000 decryption keys, along with a working decryption tool for the ransomware. However, this was not free-of-charge for Frömel, as he had to pay ransomware authors 0.09 Bitcoins after his files were encrypted on the QNAP NAS device.

Tobias, otherwise known as battleck online, is a software developer, and he was extremely mad about the situation turning bad for him. Seeing no other choice but paying cybercriminals to regain access to his files, he was devastated. In return, he analyzed the Muhstik malware sample in-depth and managed to get insight into how cybercriminals operate the ransomware.

Revenge or just an act of kindness?

Muhstik ransomware was introduced in late September – it was brute-forcing its way into NAS (network-attached storage) devices developed by QNAP, a Taiwan-based hardware maker. Malicious actors managed to find a weakness in those devices that were protected by weak SQL passwords for the phpMyAdmin service. As a precautionary measure, the developer published in-depth guidelines for hardware users in order to prevent them from being infected with Muhstik ransomware:^[2]

The Muhstik ransomware is reportedly being used to target QNAP NAS devices. Devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attacks.

We strongly recommend that users act immediately to protect their data from possible malware attacks.

After encrypting all files with AES and SHA256 algorithms and appending .muhstik extension to all the affected data, the keys were sent to a remote Command & Control servers controlled by cybercriminals.

Once inside the server, Frömel managed to get access to a PHP script that generates new passwords for each of the victims. Based on web shells, he managed to get hold of the key generator, which helped him to reach the decryption keys.

Based on the analysis, Frömel managed to exfoliate data from crooks' database servers, which contained 2,858 decryption keys. However, the white hack hacker did not stop there – he contacted each of the victims individually on Twitter, reporting them their files are now recoverable for free. He dropped all the relevant keys into Pastebin, where victims could easily download them.

While the act is controversial (hacking is illegal), many people managed to get their files back because of it, so his prosecution is highly unlikely. According to ZDNet, Frömel also contacted authorities in the hopes of catching cybercriminals behind Muhstik ransomware.^[3]

Not only high-profile security research teams are capable of helping ransomware victims

Ransomware is among one of the most devastating cyberthreats in the wild currently, and not only home users are suffering from it. The most recent incidents include the Baltimore RobbinHood malware incident,^[4] Ontario hospitals Ryuk attacks,^[5], etc. These incidents often const organizations and municipalities millions of dollars, and some even agree to pay ransom to avoid disastrous recovery costs.

Luckily, Frömel proved that not only high-profile security firms are capable of helping victims of ransomware, as he managed to help almost 3,000 victims, although he had to pay the price himself. Thanks to German white hacker's efforts, security researchers at Emsisoft managed to create a working decryption tool and released it for victims the same day Frömel breached the hackers' database – October 7th.^[6]